Energy
Protect energy generation and distribution infrastructure from attacks.
Nearly 350 million people rely on the North American bulk electric grid. Even short, minor outages on the electric grid can be disruptive. The prospect of a coordinated attack on the bulk electric system, and the potential impact such an attack could have on the economy, have raised fears in both the Department of Homeland Security and the White House. News reports on alleged intrusions into sensitive U.S. energy facilities by suspected hackers, and stories on military actions on energy grids overseas, have led to a heightened sense of urgency to address the vulnerability of energy and utility providers throughout North America to attacks by hackers, terrorists and organized crime. Confronted by new regulatory compliance requirements, energy and utility providers are now looking for ways to get through the process as quickly and efficiently as possible, without putting their bottom line at risk by taking on costly new security overhead that misses the mark.
Security standards for Energy and Utility Entities
Reported vulnerabilities in the control systems used within the bulk electricity grid have led the U.S. government to introduce new legislation to safeguard the cyber security assets used throughout energy and utility critical infrastructures. The growing reliance of utilities on Internet-based communication has further increased the vulnerability of control systems to spies and hackers, according to government reports.
The North American Electric Reliability Corporation (NERC) introduced Critical Infrastructure Protections (CIPs) as mandatory cyber security regulations intended to protect the bulk electric grid. The bulk electric grid contains infrastructure that has been classified as critical. The term critical infrastructure applies to any assets that, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System. The Federal Energy Regulatory Commission (FERC) made the Cyber Security Standards detailed in the NERC CIPs mandatory and enforceable across all users, owners and operators of the bulk-power system. To meet NERC compliance, covered entities must demonstrate adherence to NERC CIP-001 through NERC CIP-009.
In addition, the 2009 Federal Cybersecurity Act introduced new powers for the President of the United States to use for protecting critical infrastructure in both the public and private sectors. These new powers enable the President to coordinate monitoring and enforcement operations carried out by the Department of Homeland Security, FERC and NERC. This renewed interest in securing the bulk electric system has made energy and utility operators take notice of the need to become compliant with the NERC Cyber Security Standards.
How Rapid7 Helps
Rapid7 has extensive experience partnering with energy and utility entities nationwide such as Sempra Energy, Pedernales Electric Company, and Southern Company, to help them with the unique requirements of the controlled systems found within the energy sector. Rapid7’s solutions for energy and utility entities meet the Cyber Security Standards required to achieve NERC CIP compliance by not only getting you ready for a NERC audit, but by also providing sound vulnerability management practices that ensure your critical infrastructures are protected from intruders.
Rapid7 can help energy and utility operators achieve NERC compliance because:
- Rapid7 has extensive experience working with utilities nationwide to develop vulnerability management techniques for using NeXpose to harden critical infrastructures from cyber attacks by performing safe network audits on Supervisory Control And Data Acquisition (SCADA) industrial control systems (ICS), including related protocols such as Modbus and DNP3, without jeopardizing reliability
- NeXpose delivers executive summary reports and detailed remediation plan reports to automate audit requirements for NERC CIP Standards, including policy monitoring, to meet requirements of NERC CIP Cyber Security Standards in one unified solution
- NeXpose enables vulnerability assessment scanning and monitoring both inside and outside your perimeter defenses by using either distributed engines, or Rapid7 Managed Services
- NeXpose uses safe scan settings to generate a comprehensive map of all assets, and monitors SCADA systems through standardized monitoring options that may be customized to fit the tolerances and thresholds of your facility so that utilities can get broad and deep coverage to discover vulnerabilities other scanners miss, all without service disruptions
- NeXpose flexibly deploys as either an appliance, software, or a Managed Service for internal and external vulnerability scanning
With Rapid7 NeXpose, our Professional Services security experts can perform network scans and manual policy audits required to comply with the NERC Cyber Security standard.
These services include:
- Performing audits of your IT systems using a risk-based methodology aligned with NERC CIP requirements for identifying critical cyber assets
- Ensuring your utility meets the Cyber Security Standards outlined in the NERC CIPs by providing vulnerability scanning, penetration testing and a detailed audit of your networked environment that ensure you detect deficiencies more quickly and get recommendations for fixes to prevent attacks
- Auditing your physical security controls, training policies, and personnel policies as required by NERC, including gap analysis, and social engineering to validate adherence to security policies in practice
- Conducting penetration testing, including the annual vulnerability assessment required by NERC to test your systems security management processes and procedures
- Providing a Rapid7 Remediation Plan and Report with detailed step-by-step instructions for vulnerability remediation to address any deficiencies, along with specific recommendations for security controls requiring improvement to be NERC compliant
To learn more about how NeXpose capabilities meet the requirements to comply with the NERC CIPs, refer to the Rapid7 NERC Compliance Guide.
Protect your utility and your customers from being compromised by intruders, and secure the reliability of the bulk electric system. Contact us to find out how Rapid7 can help you meet NERC compliance.
“The growing reliance of utilities on Internet-based communication has increased the vulnerability of control systems to spies and hackers, according to government reports.”
Source: The Wall Street Journal

