To address and manage the increasing and evolving threats to the bulk power system, NERC regularly updates the CIP standards and requirements. Registered Entities need to demonstrate auditable compliance on a semi-annual basis or face penalties, which can be substantial: up to $1 million per day, depending on the risk and its severity. Other breach-related costs may also be incurred for discovery and containment of compliance gaps, investigation of any incidents, and remediation, which can in turn lead to loss of customer confidence, revenue, brand degradation, and other business-related losses for the entity.

MetricStream offers the industry's most advanced and comprehensive NERC compliance management solution, which empowers Energy & Utility organizations with technology and best practices to ensure compliance with the NERC Standards for Critical Infrastructure Protection (CIP-002 through CIP-009) while lowering the associated costs, which can otherwise be substantial. The system clearly delineates roles and responsibilities between the corporate unit and business units, implements broad corporate policy aligned with key objectives and milestones, sets tasks, and establishes metrics to monitor the status of those tasks. It allows automation of each step of a required NERC quarterly report so that no step is missed and the report is submitted accurately and on time.
CIP-001 Sabotage Reporting

Standard CIP-001 requires the entity to report to the appropriate systems, governmental agencies, and regulatory bodies any disturbances or unusual occurrences that are suspected or expected to be caused by sabotage.

- The MetricStream solution has a built-in, comprehensive reporting engine that generates the reports and self-certifications required for reporting to the regulatory agencies, using the specified templates and formats.

CIP-002 Critical Cyber Asset Identification

Under Standard CIP-002, entities need to identify and document the Critical Cyber Assets that support the reliable operation of the Bulk Electric System. These Critical Assets are to be identified through the application of a risk-based assessment.

- The MetricStream solution provides a comprehensive Asset Management capability with configurable risk methodologies to manage risk-based assessments and the bright-line criteria requirement (for version 4.0). This built-in capability helps to identify and rate the assets, manage vulnerabilities and risks, classify assets as critical or non-critical, and document security vulnerabilities for remediation (R2 and R3).
- The solution also integrates role-based best-practice workflows and templates for various users, including Senior Management, Subject Matter Experts and the Compliance team, to review and approve the assets and assessments, potential risks, action plans, remediation tasks, self-certification, etc. (R4).
- The solution's centralized security model provides role-based access controls so that an independent third party without any vested interest can monitor compliance.

CIP-003 Cyber Security Management Controls

Standard CIP-003 requires that entities have minimum security management controls in place to protect Critical Cyber Assets.

- The MetricStream solution's Policy and Compliance Management capability helps to create and review policies and controls, map policies to regulations, distribute and accept policies, track policy exceptions, and train authorized personnel and raise their awareness of the policies. The solution also creates and manages policies and technical controls for the cyber assets. The MetricStream solution has a full-fledged content / document management capability for storing and documenting evidence, proofs, attachments, certifications, documented exceptions, approvals and denials (R3).

CIP-004 Personnel & Training

Standard CIP-004 requires that authorized personnel with cyber or physical access to Critical Cyber Assets maintain an appropriate level of personnel risk assessment, training, and security awareness.

- The MetricStream solution is integrated with a Training Management software module that supports the creation of training courses for various roles, users and their responsibilities. This module also enables effective management of the overall training process by maintaining course offerings and course descriptions for easy review by employees and managers, scheduling classes, maintaining training records, providing feedback on the trainers and the effectiveness of the course material, and conducting gap analysis to ensure regulatory compliance.

CIP-005 Cyber Electronic Security Perimeter(s)

Standard CIP-005 requires the identification and protection of the Electronic Security Perimeter(s) within which all Critical Cyber Assets reside, and of the access points on the perimeter.

- The MetricStream solution has a built-in data integration engine that can integrate with any third-party solution that identifies and protects the Cyber Assets and Electronic Security devices, including Access Points. The solution automatically imports all asset details, including access points, violations and vulnerabilities, into the system and highlights any policy violations, compliance gaps and risks. These details are stored in the central repository and can be accessed for any type of compliance assessment, audit and reporting.
- The solution can import data from any solution, including Qualys, Nessus, or any other third-party solution that maintains a database of vulnerability tests and intelligent scanning technologies.

CIP-006 Physical Security

Standard CIP-006 is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets.

- The MetricStream solution has built-in capabilities to document, communicate, implement and maintain physical security plans, policies and controls. The best-practice, role-based workflow helps multiple departments collaborate to create and manage policies as well as review and approve them when required. The solution supports recording and monitoring of physical access points, processes and tools; maintains physical access controls, logs, security design documents, effective dates and versions; and supports the annual review of the security plan.

CIP-007 Cyber Systems Security Management

Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the other (non-critical) Cyber Assets within the Electronic Security Perimeter(s).

- The MetricStream policy and compliance management solution provides comprehensive capabilities to define and manage methods, processes, tasks, procedures and controls for securing critical cyber assets. The built-in central repository allows controls to be created and associated with requirements, policies, cyber assets, vulnerabilities and issues.
- Built-in, role-based best-practice workflows ensure user accountability and allocate tasks to the respective users to help them plan, execute, review or approve the tasks.
- Automated, comprehensive reports provide an instant assessment of risks and priorities, along with tips for vulnerability remediation.

CIP-008 Cyber Security Incident Reporting and Response Planning

Standard CIP-008 ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets.

- The MetricStream solution has a built-in Incident and Remediation Management capability to automatically identify, classify, prioritize and document security incidents, plan and execute remediation / response, and report internally or externally (to external agencies) using a specified template.
- The Remediation Management capability allows for response / action planning and comprehensive compliance audit assessments, and provides data for implementing controls and managing security incidents.

CIP-009 Cyber Security Recovery Plans for Critical Cyber Assets

Standard CIP-009 ensures that recovery plan(s) are in place for Critical Cyber Assets and that these plans follow standard business continuity and disaster recovery techniques and practices.

- The MetricStream solution provides a comprehensive Business Continuity and Disaster Recovery Management module to create and manage recovery plans for critical cyber assets, and helps follow standard frameworks, terminologies, techniques and practices.