Energy and Grid

The Energy Policy Act of 2005 (Energy Policy Act) gave the Federal Energy Regulatory Commission (Commission or FERC) authority to oversee the reliability of the bulk power system, commonly referred to as the bulk electric system or the power grid. This includes authority to approve mandatory cybersecurity reliability standards.

The North American Electric Reliability Corporation (NERC), which FERC has certified as the nation’s Electric Reliability Organization, developed Critical Infrastructure Protection (CIP) cyber security reliability standards. On January 18, 2008, the Commission issued Order No. 706, the Final Rule approving the CIP reliability standards, while concurrently directing NERC to develop significant modifications addressing specific concerns.

Additionally, the electric industry is incorporating information technology (IT) systems into its operations – commonly referred to as smart grid – as part of nationwide efforts to improve reliability and efficiency. There is concern that if these efforts are not implemented securely, the electric grid could become more vulnerable to attacks and loss of service. To address this concern, the Energy Independence and Security Act of 2007 (EISA) gave FERC and the National Institute of Standards and Technology (NIST) responsibilities related to coordinating the development and adoption of smart grid guidelines and standards.

The Endpoint NERC and FERC Cyber Security Standards solution enables businesses to:

  • Identify over- or under-privileged cyber assets, to help organizations tighten security over critical functions or data.
  • Protect information, policies and procedures associated with critical cyber assets, by identifying and implementing electronic access controls.
  • Continuously monitor electronic access to critical cyber assets.
  • Automate information-handling procedures to protect information assets by reducing user errors and compliance violations.
  • Create an information security barrier around critical cyber assets with broad communication control across e-mail, voice, and video communications.

Identify, Control and Audit the Flow of Critical Cyber Assets

The NERC (North American Electric Reliability Corporation) is a self-regulatory body responsible for ensuring energy industry compliance with Critical Infrastructure Protection (CIP) standards. These rules require organizations that deliver bulk electricity to the North American electrical power grid to identify and protect critical cyber assets. FERC (Federal Energy Regulatory Commission) oversees the power industry, but gives NERC the responsibility for maintaining and complying with CIP standards.

Bulk power suppliers must define methods, processes, and procedures for securing critical cyber assets, as well as the non-critical cyber assets within the electronic security perimeter. “Cyber assets” are loosely defined as all “programmable electronic devices and communication networks including hardware, software, and data.”

NERC and FERC Compliance Applications

Endpoint’s solution is a set of applications that includes a comprehensive set of best practice policy libraries and reports required to support NERC and FERC requirements. Policy sets can be easily customized to the environment or used as templates to create new policies. The Endpoint NERC and FERC Compliance solution can:

  • Help analyze information risk based on industry best practices, regulatory requirements, and analysis of access and activity data, and help organizations identify the areas of greatest risk to prioritize and focus remediation projects.
  • Identify over- or under-privileged cyber assets, to help organizations tighten security over critical functions or data.
  • Protect information, policies and procedures associated with critical cyber assets, by identifying and implementing electronic access controls to critical cyber assets within the electronic security perimeter. Denying unauthorized access is the most effective data loss prevention; a single policy set can now bring all file servers and document repositories into compliance.
  • Continuously monitor electronic access to critical cyber assets.
  • Automate information-handling procedures to protect information assets by reducing user errors and compliance violations.
  • Prevent insider data loss in real time on endpoints, servers and mobile devices, to help end users protect data and eliminate manual remediation. This simplifies data security for end users, enabling rapid adoption of information risk controls.
  • Protect information, policies and procedures associated with critical cyber assets by controlling who can communicate with whom and what data can be sent to which partner or customer, thereby creating an information security barrier around critical cyber assets with broad communication control across e-mail, voice, and video communications.
  • Centralize management of fine-grained role- or rule-based authorization policies across multiple applications, data, and cyber assets.
  • Report on remediation of policy violations in the access or use of cyber assets, to support documentation of incidents.
  • Audit who is authorized to access applications and data across critical cyber assets. Centralized entitlement management simplifies the process of auditing data and application authorization for governance or compliance audits.
  • Analyze access and usage of data and applications across systems, simplify incident investigation and legal discovery, and support the documentation of information policies and procedures.

NERC CIP Requirements Mapping

The Endpoint NERC and FERC Compliance solution provides the following features, which contribute to key NERC Critical Infrastructure Protection (CIP) requirements:

Security Management Controls (CIP-003-1)

R4. Information Protection

  • Classification
  • Risk Assessment

R5. Access Control

  • Entitlement Management
  • Information Rights Management
  • Access Audit

Personnel & Training (CIP-004-1)

R1. Awareness

  • Real-Time Policy Education

R2. Training

  • Real-Time Policy Education

Electronic Security Perimeter(s) (CIP-005-1)

R2. Electronic Access Controls

  • Host Access Control
  • Application Control
  • Device Control
  • Remote/Connection/Location Based Access Control

R3. Monitoring Electronic Access

  • Activity Monitoring

Systems Security Management (CIP-007-1)

R4. Malicious Software Prevention

  • Application and Device Control

R5. Account Management

  • Entitlement Management
  • Information Rights Management