HCLT Brochure: NERC Cyber Security Consulting Services

http://hclte.ch/If33g9 - IT Management Tools

http://www.hcltech.com/ - More on HCL Technologies

Power and utility executives today are faced with many challenges as they work to meet their compliance requirements. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which help ensure the protection of the critical cyber assets that control or affect the reliability of North America's bulk electric systems. The HCL Governance, Risk and Compliance Consulting Practice offers market-leading services to organizations seeking NERC compliance by improving their security and governance posture in a cost-effective and timely manner.

NERC Cyber Security Compliance Consulting Services
HCL Governance, Risk & Compliance Practice
Overview

The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which are intended to ensure the protection of the Critical Cyber Assets that control or affect the reliability of North America's bulk electric systems.

NERC CIP Standards seek to address the question "How well protected is this critical infrastructure?" Compliance with these standards can be both risky and complicated given the differences between electrical utilities and the newness of the standards. Certainly, the remoteness of power generation and the wide coverage of electric transmission greatly complicate the job of securing these assets from direct attack.

The HCL Governance, Risk & Compliance (GRC) consulting practice offers market-leading services to organizations seeking compliance support for the NERC CIP standards by improving their security and governance posture while reducing cost. Many of our Managed Security Services and Professional Services align with the NERC CIP Cyber Security Standards, allowing organizations to easily meet and exceed the requirements they set forth. Starting from a compliance health check, HCL can work with your organization to implement the recommendations by providing technical, documentation and project management support.

Challenges Addressed

• Lack of confidence in organizational security posture and a siloed approach across the engineering, operations and IT departments
• Lack of basic security mechanisms in SCADA/EMS and DCS design when compared to standard business information systems
• Real-time systems make patch application, validation and user authentication difficult
• High cost of audit and compliance sustenance
• Cyber security requires a toolset and knowledge base that is traditionally not located within the same experience pool that understands and manages the day-to-day operations of a power grid
• Diversified risk-assessment approach

The focus of HCL GRC is to offer end-to-end "Advisory" and "Implementation" services that enable an organization to meet the business objectives of its NERC Cyber Security Compliance initiative.
Approach – NERC Cyber Security Compliance

The HCL GRC team can assist Responsible Entities by offering a comprehensive program of capabilities that enable the achievement of NERC standards compliance in a cost-effective and timely manner. The spectrum of HCL services covers the complete gamut of standards CIP-002 through CIP-009, providing a robust solution to support reliable operations of bulk electric systems. The approach and key activities are detailed below; for each NERC requirement, the HCL GRC capability is listed first, followed by the deliverables.

CIP-002-1 – Critical Cyber Asset Identification
HCL GRC Capability: Automated enterprise discovery of Critical Assets; identification of critical assets by the client and HCL SMEs who have qualified experience in grid analysis; risk-based assessment, analysis and prioritization by application
Deliverables: Inventory of Critical Cyber Assets; risk library pertaining to cyber asset operations; annual reviews

CIP-003-1 – Management Control – Cyber Security Policy
HCL GRC Capability: Policy evaluation and analysis; policy documentation
Deliverables: Enhanced Cyber Security Policy for NERC compliance

CIP-003-1 – Management Control – Leadership & Exceptions
HCL GRC Capability: Establishment of a Security Program Management Office for NERC compliance
Deliverables: Established governance for compliance management and reporting

CIP-003-1 – Management Control – Information Protection
HCL GRC Capability: Catalogued information classification for Critical Cyber Assets; definition of access controls, encryption and procedures for disposal, printing and other tasks
Deliverables: Information classification procedures; data security reference architecture; system security and disaster recovery plan

CIP-003-1 – Management Control – Access Controls
HCL GRC Capability: Modeling of role-based access control for internet-facing systems and critical backend solutions
Deliverables: Access control policies and procedures

CIP-003-1 – Management Control – Change Management
HCL GRC Capability: Establishment of change management procedures; impact analysis of changes (including configuration); functional testing for changes; review of corporate and process control networks (SCADA)
Deliverables: Change management and control process; back-out procedures; security enforcement policy

CIP-004-1 – Personnel & Training – Awareness
HCL GRC Capability: Security awareness evaluations and employee assertion program; security awareness training plan development
Deliverables: Security awareness report; training roadmap

CIP-004-1 – Personnel & Training – Training
HCL GRC Capability: Identification and deployment of role-based training
Deliverables: Specific procedural training modules

CIP-004-1 – Personnel & Training – Personnel Risk Assessment
HCL GRC Capability: Development of personnel background check policies
Deliverables: Background check policy and procedures

CIP-005-1 – Electronic Security Perimeter(s) – Electronic Security Perimeter
HCL GRC Capability: Identification of control points, ports and services; vulnerability assessments and penetration testing; firewall implementation procedures
Deliverables: Vulnerability and penetration assessment report; remediation report

CIP-005-1 – Electronic Security Perimeter(s) – Electronic Access Controls
HCL GRC Capability: Development of authentication procedures; firewall audits; log management and review; real-time threat analysis through the SOC (including NIPS and HIPS)
Deliverables: Authentication procedures; audit reports; log review and reporting; threat analysis report

CIP-005-1 – Electronic Security Perimeter(s) – Documentation Review & Maintenance
HCL GRC Capability: Documentation of all systems within the electronic security perimeters; quarterly review of all documentation
Deliverables: Documentation of network changes

CIP-006-1 – Physical Security Program
HCL GRC Capability: Assessment of facilities' physical security; assessment of the organization's physical security plan; development of log and DVR retention policies; physical security audits
Deliverables: Physical security assessment report; log retention and governance policies

CIP-007-1 – System Security Management
HCL GRC Capability: Evaluation of test procedures for patch management, device management, anti-virus policies and controls; documentation of the non-critical cyber asset policy; creation of an inventory of non-critical cyber assets; policy documentation for malware and malicious software prevention; documentation and enforcement of the password management policy; policy creation for disposal and redeployment of cyber assets; establishment of governance and organizational structure for documentation and policy review
Deliverables: Malicious software prevention policy; test procedures for device management; password policy; asset disposal policy; identity management process; security incident management process; documentation lifecycle process

CIP-008-1 – Incident Reporting & Response Planning – Cyber Security Incident Response Plan
HCL GRC Capability: Assessment of incident management procedures; documentation of the business continuity plan; testing of the business continuity plan; process for retention of incident logs
Deliverables: Incident management procedures; business continuity plan; business continuity test procedures

CIP-008-1 – Incident Reporting & Response Planning – Cyber Security Incident Documentation
HCL GRC Capability: Process for retention of incident logs
Deliverables: Log retention policy

CIP-009-1 – Disaster Recovery – Recovery Plan, Backup & Restore, Testing Media
HCL GRC Capability: Identification and definition of action triggers, acceptable downtime service levels and acceptable data loss; development of verification criteria and procedures
Deliverables: Disaster recovery plan; backup procedures; test plan for backup storage

CIP-009-1 – Disaster Recovery – Exercises
HCL GRC Capability: Conducting DR drills
Deliverables: DR test report

Automated NERC Compliance Management – GRC Manager

Power and utility executives today are faced with many challenges as they work to meet their compliance requirements. Some of the most pervasive and difficult of these obstacles include:

• Multiple regulatory bodies and requirements
• High cost of defining controls
• High cost of demonstrating compliance
• Budget impacts of NERC and other regulatory efforts on the business
• Allocation of resources away from key business initiatives
• Difficulty with ongoing sustainability of ad-hoc compliance projects

In order to mitigate these challenges and offer streamlined sustenance of compliance, HCL has partnered with various GRC platform vendors and helps Energy & Utilities organizations establish an automated solution with an optimal blend of centralization, monitoring and reporting for effective oversight. The GRC platform can also be used for implementing governance initiatives, such as programs for Standards of Conduct and Environmental Health and Safety (EH&S), through document control, compliance training and ongoing auditing, as well as recording and reporting of Federal Energy Regulatory Commission (FERC)-related violations or process nonconformance and the resulting corrective actions.
Some of the basic features of the automated GRC platform are as follows:

• Capturing, compiling and reporting compliance information
• Dynamic real-time analysis of risk and controls
• Single global repository for risk and controls
• Integrated industry-standard framework for control optimization
• Role-based dashboards that streamline decision making
• Integrated program resource management capabilities to manage control remediation
• Integration with enterprise business systems for audit evidence collection

A sample snapshot from the automated GRC platform is shown below.

Figure 1. Governance Risk and Compliance Platform

Why choose HCL

• One-stop shop for all your information security and compliance needs
• Mature consulting framework with an integrated solution implementation methodology to reduce compliance cost
• Strong engineering and R&D practice with a focus on the Energy & Utilities vertical
• Expertise across all micro-verticals in Electric, Gas distribution, Water and Waste Water/Recycling Utilities
• First in APAC and amongst only 9 companies in the world to receive Cisco's Master Security Certification
• Accredited by the Govt. of India CERT as a provider of Information Security Assessment Services
• Recognized by Gartner and NASSCOM for its information security strengths
• First Indian company to provide PCI ASV Vulnerability Management Services
• HCL is ranked as the No. 1 Security Services provider by Dataquest, V&D and Frost & Sullivan
• Experienced consultants with certifications such as CEH, GWAS, CISSP, CISA, CBCP, BS 25999 and ISO 27001
• Partnership with leading security product and service vendors
• Technology labs in Identity and Access Management, Software Security, Security Testing, Networks and Systems

For further information on HCL GRC Consulting Services, or to have an HCL representative contact you, mail CFS-GRC-PMG@hcl.in or visit http://www.hclisd.com/Governance-Risk-Compliance-Consulting.aspx