NERC Compliance
If you generate or transmit electricity for the North American bulk power system, then you need to be NERC Compliant.
What is NERC?
Now more than ever, energy and utility entities must rise to the challenge presented by growing threats to the electric grid. Electricity is the cornerstone of North America’s economy, touching every part of our society, from consumer entertainment devices to military defense facilities. The North American Electric Reliability Corporation (NERC) introduced the Critical Infrastructure Protection (CIP) standards as mandatory cyber security regulations, intended to protect the bulk electric grid.

The bulk electric grid contains infrastructure classified as critical. Critical infrastructures, or critical assets, are any assets that, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the bulk power system. The goal of the NERC CIPs is to ensure that the bulk electric system in North America is reliable, adequate and secure. NERC has advised all energy and utility entities to treat all of their assets as critical for NERC audit and compliance purposes until they can document otherwise. This audit approach reflects the threat faced by energy and utility operations, especially now that most have systems reachable from the Internet.
Who needs to be NERC compliant?
All energy and utility organizations involved in electricity generation and transmission must make their facilities NERC compliant. The U.S. Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada made the Cyber Security Standards detailed in the NERC CIPs mandatory and enforceable for all private and public users, owners, and operators of the bulk power system.
This includes all private and public Responsible Entities (REs) within the bulk power system: investor-owned utilities, most generation and transmission (G&T) cooperatives, and owners or operators of electrical power generation, transmission, or balancing facilities in North America. NERC has announced that it will work with Regional Reliability Organizations (RROs) to increase scrutiny during audits, to ensure that facilities properly classify critical assets and apply the appropriate Cyber Security Standards to protect those assets from threats, as NERC regulations require.
Penalties for non-compliance
NERC regulations required utilities to be "compliant" by July 1st 2009 and "auditably compliant" by July 1st 2010, after which they are subject to fines. Since July 1st 2009, entities that fail to comply with the NERC standards can be fined up to $1 million per day, per violation. The high fines levied on NERC violators reflect the importance of safeguarding the reliability of the North American electric system. Faced with the looming threat of steep fines for failing a NERC audit, energy and utility entities are now scrambling to become NERC compliant.
How Rapid7 Helps
Rapid7 has extensive experience partnering with energy and utility entities nationwide, such as Sempra Energy, Pedernales Electric Company, and Southern Company, to help them with the unique requirements of the control systems found within the energy sector. Rapid7’s solutions for energy and utility entities help you meet the Cyber Security Standards required for NERC CIP compliance, not only by getting you ready for a NERC audit, but also by providing sound vulnerability management practices that keep your critical infrastructures protected from intruders.
Rapid7 can help energy and utility operators achieve NERC compliance because:
- Rapid7 has extensive experience working with utilities nationwide to develop vulnerability management techniques for using Nexpose to harden critical infrastructures against cyber attacks, performing safe network audits of Supervisory Control and Data Acquisition (SCADA) and other industrial control systems (ICS), including related protocols such as Modbus and DNP3, without jeopardizing reliability
- Nexpose delivers executive summary reports and detailed remediation plan reports, including policy monitoring, that automate the audit requirements of the NERC CIP Cyber Security Standards in one unified solution
- Nexpose enables vulnerability assessment scanning and monitoring both inside and outside your perimeter defenses, using either distributed scan engines or Rapid7 Managed Services
- Nexpose uses safe scan settings to generate a comprehensive map of all assets and monitors SCADA systems through standardized monitoring options that can be customized to fit the tolerances and thresholds of your facility, giving utilities broad and deep coverage to discover vulnerabilities other scanners miss, all without service disruptions
- Nexpose deploys flexibly as an appliance, as software, or as a Managed Service for internal and external vulnerability scanning
Rapid7’s services for energy and utility entities include:
- Performing audits of your IT systems using a risk-based methodology aligned with NERC CIP requirements for identifying critical cyber assets
- Ensuring your utility meets the Cyber Security Standards outlined in the NERC CIPs by providing vulnerability scanning, penetration testing and a detailed audit of your networked environment, so that you detect deficiencies more quickly and get recommendations for fixes to prevent attacks
- Auditing your physical security controls, training policies, and personnel policies as required by NERC, including gap analysis and social engineering to validate adherence to security policies in practice
- Conducting penetration testing, including the annual vulnerability assessment required by NERC, to test your systems’ security management processes and procedures
- Providing a Rapid7 Remediation Plan and Report with detailed step-by-step instructions for vulnerability remediation to address any deficiencies, along with specific recommendations for security controls that must be improved to be NERC compliant
- Protecting your utility and your customers from being compromised by intruders, and securing the reliability of the bulk electric system
To learn more about how Nexpose capabilities meet the requirements to comply with the NERC CIPs, refer to the Rapid7 NERC Compliance Guide.
Contact us to find out more about how Rapid7 can help you achieve NERC compliance.
“Rapid7’s forward-thinking architecture and expert system have allowed it to improve upon current market standards in scanning engines.”
Enterprise Management Associates (EMA) Impact Brief