Decades ago, SCADA (Supervisory Control and Data Acquisition) systems were implemented in public and private utilities with little thought to system security. With the rapid advancements in computer networks and the constant threat of terrorism, auditing those systems has become a vital part of national security.
Anitian has extensive experience in performing pre-accreditation audits and assessments for public utilities to become compliant with the North American Electric Reliability Council's (NERC) Critical Infrastructure Protection (CIP) standards.
Anitian's audit includes:
- NERC CIP Compliance Assessment
Analyze organization for compliance with the NERC CIP requirements (002-009). Report on gaps and offer recommendations for correcting deficiencies and achieving compliance.
- Network Architecture Analysis
Analyze network and SCADA systems and provide insights into securing those assets.
- SCADA Systems Assessment
Analyze SCADA systems for security compliance, isolation, and protection.
- Security Solutions
Install, configure and manage a wide array of best-in-class security solutions from top manufacturers such as RSA, Juniper, Fortinet and IBM-ISS.
- Security Policy Development
Write and manage security policies, procedures, guidelines and standards that cover NERC-CIP as well as other key requirements, such as PCI compliance.
- Managed Vulnerability Scanning
Scan internal and external systems for compliance. Automated reports and remediation tracking.
- Security Awareness Training
Train staff on good security practices.
- Monitoring
On-going monitoring and validation to ensure compliance.
How Anitian Can Help with NERC CIP Compliance
| Requirement | Description | Anitian's Services and Solutions |
| CIP 002 - Critical Cyber Asset Identification |
Identify critical assets. |
- Methodology analysis
- System inventory
|
| CIP 003 - Security Manage Controls |
Organizations must have effective and reliable security controls in place. |
- NERC CIP Readiness Assessment
- Security policy development services
|
| CIP 004 - Personnel and Training |
Organizations must have effective security practices and controls regarding the hiring, employment and contracting of staff. |
- NERC CIP Readiness Assessment
- Security awareness training
- Security policy development
|
| CIP 005 - Electronic Security Perimeter |
Organizations must have a strong and effective perimeter that separates critical assets from the Internet and other unsecured networks. |
- Firewall / UTM deployment
- Intrusion prevention systems
- SSL-VPN appliances
- Network Access Controls (NAC)
- Two-factor authentication
- Event logging, monitoring & alerting
- NERC-CIP Readiness Assessment
- Network architecture analysis
|
| CIP 006 - Physical Security |
Ensures the implementation of effective physical controls to protect cyber assets. |
- NERC CIP Readiness Assessment
- Policy and procedure development services
|
| CIP 007 - Systems Security Management |
A collection of requirements which includes security documentation, anti-virus, password management and many other security practices. |
- Intrusion detection / protection (host & network)
- Integrity monitoring
- Configuration management
- Antivirus / anti-malware
- Security policy development
- Managed vulnerability assessment services
- Patch management solutions
- Identity management solutions
- Security monitoring & alerting solutions
- NERC-CIP Readiness Assessment
|
| CIP 008 - Incident Response |
Requirement to have formal incident management and response procedures |
- Security monitoring and alerting solutions
- Managed security analysis services
- Security policy development
- NERC-CIP Readiness Assessment
|
| CIP 009 - Disaster Recovery |
Organizations must have a formal disaster recover procedures. |
- DR/BC planning
- Security policy development
- NERC-CIP Readiness Assessment
|
For more information, please call 888.ANITIAN, or email Anitian Enterprise Security.
