NERC / CIP




NERC is the North American Electric Reliability Corporation. It was formed in 1968 to develop security standards to ensure that the bulk electric system in North America is reliable. More than 334 million people rely on 1,865 Registered Entities that produce electricity and serve it over 211,000 miles of high-voltage transmission line. NERC's Critical Infrastructure Protection (CIP) Reliability Standards provide Registered Entities with requirements for compliance. This page provides background information about CIP and describes how solutions from Qualys help Registered Entities to be compliant.



About NERC / CIP

NERC introduced its Critical Infrastructure Protection (CIP) Reliability Standards in 2006 and continues to enhance the standards and audit Registered Entities for compliance with them. All Registered Entities must comply with these eleven categories of controls for securing critical cyber assets used to protect the bulk electric system. They include: Cyber System Classification, Security Management Controls, Personnel & Training, Electronic Security Perimeter(s), Physical Security, Systems Security Management, Incident Reporting and Response, Recovery Plans for Cyber Systems, Configuration Change Management, Information Protection, and Physical Security. Verification of compliance with CIP shows that a Registered Entity is providing optimal protection for the bulk electric system.



Why NERC / CIP Matters to Your Organization

Registered Entities are familiar with threats to critical cyber infrastructure, which may come from sovereign states, terrorists, criminals, and even lone hackers. A successful exploit would be disastrous if it stopped delivery of electric power. NERC provided CIP controls to strengthen security of the bulk electric system, and after years of preparation, Registered Entities must now prove they are compliant. As of 2010, all Registered Entities must prove "auditable compliance" on a semi-annual basis or be subject to penalties, which could be substantial depending on risk and severity. Other breach-related costs will be incurred for discovery and containment, investigation of the incident, remediation expenses, attorney and legal fees, loss of customer confidence, lost sales and revenue, brand degradation, and so on. Compliance is a serious responsibility on many levels.



Considerations for a NERC / CIP Security Compliance Program

Registered Entities have had several years to implement CIP standards and should have, by now, deployed most of their controls. NERC is now engaged in three kinds of compliance activities: compliance monitoring, compliance enforcement, and managing a due process for contestations by Responsible Entities who receive audit violation findings. NERC relies on Regional Entities to enforce CIP standards with bulk power system owners, operators, and users. General guidelines for CIP compliance and other resources are in the CIP Transition Program. NERC expects all Responsible Entities to be subject to self-certifications on CIP requirements for the past year. As noted, failure to pass an audit (including remediation of outstanding critical issues) can result in substantial financial penalties for each Registered Entity, depending on severity level.



How Qualys Solutions Help Responsible Entities Meet NERC / CIP Requirements

Qualys solutions in the Qualys AssetView, Vulnerability Management, Policy Compliance and Security Assessment Questionnaire modules directly fulfill CIP requirements for scanning of vulnerabilities in critical cyber assets. These Qualys solutions also serve as a "control of controls," which means they are the crucial means for auditing a multitude of other security controls to ensure that those are operational and properly configured.


Qualys solutions address the CIP reliability standards listed below. The following is a summary of how each requirement is met by solutions in the Qualys AssetView, Vulnerability Management, Policy Compliance, and Security Assessment Questionnaire modules.


NERC Requirements and Qualys Capabilities

CIP-002 Cyber Security – BES Cyber System Categorization

NERC requirement: The fundamental requirement of this CIP standard is to identify and categorize the systems and associated assets.

Qualys capabilities:
  • Qualys AssetView, Vulnerability Management, Continuous Monitoring and Policy Compliance fulfill the Cyber System Categorization requirement of NERC. The Qualys suite discovers all assets, assigns criticality, sets posture, and identifies any other systems that meet the requirements of related systems and assets.

CIP-003 Cyber Security – Security Management Controls

NERC requirement: The entity is responsible for establishing security management controls that demonstrate responsibility and accountability to protect systems against compromise or instability in the environment.

Qualys capabilities:
  • Qualys provides technical controls for the cyber systems, along with policy settings for those systems, and management's ability to add their own company or technical policies. In addition, the suite allows management to audit their organization against policies and procedures.
  • Documents exceptions, approvals and denials.

CIP-005 Cyber Security – Electronic Security Perimeter(s)

NERC requirement: Requires the identification and protection of the Electronic Security Perimeter(s) and Access Points, and of vulnerabilities where Cyber Assets reside.

Qualys capabilities:
  • Automatically fulfills the requirement to identify (by discovery) and protect the Cyber Assets and Electronic Security devices, including Access Points.
  • Uses the largest database of vulnerability tests and intelligent scanning technology to ensure comprehensiveness and accuracy.

CIP-007 Cyber Security – Cyber Systems Security Management

NERC requirement: Implement methods, processes and procedures for securing those systems determined to be Critical Cyber Assets.

Qualys capabilities:
  • Automated, comprehensive reports provide instant assessment of risks, priorities and tips for vulnerability remediation.
  • Includes the guidelines provided by vendors and best practice or adopted frameworks.
  • Security patch management information is passed on to the user/assessor.
  • Includes controls for authentication and account management.
  • Qualys becomes the third party annual reviewer.

CIP-008 Cyber Security – Incident Reporting and Response Planning

NERC requirement: An entity is required to implement a documented Incident Response Plan related to Cyber Security.

Qualys capabilities:
  • Automatically documents all security incidents and the subsequent effects of vulnerability remediation.
  • Security audit assessments provide hard data for conceiving, implementing and managing security incident response.

CIP-009 Cyber Security – Recovery Plans for Critical Cyber Systems

NERC requirement: An entity is required to demonstrate recovery plans to support the stability, reliability and operability of the system.

Qualys capabilities:
  • Provides the entity with the ability to customize data retention for monitoring and recovery as required by the Responsible Entity.

CIP-010 Cyber Security – Configuration Change Management and Vulnerability Assessment

NERC requirement: An entity is required to prevent and detect unauthorized changes to systems by implementing change management and vulnerability assessment processes.

Qualys capabilities:
  • Provides the ability to identify, manage, mitigate and harden vulnerabilities and configuration settings for assets within the organization as required by the Responsible Entity.

CIP-011 Cyber Security – Information Protection

NERC requirement: Information regarding Cyber Systems is required to be documented and maintained in a repository.

Qualys capabilities:
  • Provides the entity with the ability to maintain electronic asset management records as required by the Responsible Entity.
