North American Electric Reliability Corporation (NERC) Compliance

NERC is a not-for-profit organization whose mission is "to ensure the reliability of the bulk power system in North America." All bulk power systems must comply with approved NERC standards. NERC has approved numerous standards, including the Critical Infrastructure Protection (CIP) Cyber Security Standards.


SAINT has extensive experience helping organizations assess, improve, and document the security posture of their infrastructure. The table below identifies NERC CIP standards and describes how SAINT can help achieve NERC compliance.

NERC CIP Standards | How SAINT can help achieve NERC compliance

Critical Cyber Asset Identification
Identify and document a risk-based assessment method that will be used to identify critical assets. R2 requires a documented list of critical cyber assets and an annual review of that list to keep it current. Management will approve the list of critical cyber assets. A third party without a vested interest shall monitor compliance with the CIP-002 outcome of NERC.

  • The SAINT scanner can assess your network to identify all assets and services running.
  • The SAINT team can regularly audit your IT systems to identify assets.
  • On-demand risk assessment automatically fulfills the Cyber Asset Identification requirement of NERC. SAINT provides the capability to perform host discovery, identify all active assets on the critical network, and report security vulnerabilities for remediation (R2 and R3).
  • SAINT provides a pre-defined NERC scanning policy and a pre-canned NERC CIP report that facilitate management review of the assets and assessments (R4).
  • SAINT is your third party with no vested interest.

Security Management Controls
Policies with adherence monitoring and change control must be documented and in place. Change control policies and processes must be adhered to. Access control levels for critical assets, such as Internet-facing systems and critical backend solutions, must be defined and documented. Solutions should be in place to mitigate risks. These requirements mandate having minimum security management controls in place to protect Critical Cyber Assets.

  • The SAINT team can evaluate your security management controls and security policies to identify gaps and recommend changes.

Personnel and Training
Employees should be trained on policies, access controls, and general awareness of social engineering. Background checks should be performed on all users with access to computer assets.

  • SAINTexploit includes social engineering and phishing assessment functionality.
  • The SAINT team provides security awareness training.
  • The SAINT team can review your Personnel and Training policies to identify weaknesses and recommend corrective actions.
  • The SAINT team can provide social engineering assessments as part of your personnel security training.

Electronic Security Perimeter(s)
Requires the identification and protection of the Electronic Security Perimeter(s) and Access Points where Cyber Assets reside (R1 and R4).

  • SAINT provides support for control CIP-005 by identifying hosts based on discovery or user-entered Cyber Assets and Electronic Security devices, including Access Points.
  • SAINT is an industry leader in discovery and vulnerability assessment of both IPv4 and IPv6 host environments.
  • SAINT’s vulnerability R&D efforts ensure continuous support for the latest vulnerabilities and provide updates multiple times per week, so customers remain up to date on the latest threats to critical resources.

Physical Security
Physical Security controls that provide perimeter monitoring and logging, along with robust access controls, should be documented and implemented. All cyber assets used for Physical Security are considered Critical and should be treated as such.

  • The SAINT team can assess and document your physical security controls, identify weaknesses, and recommend corrective action.

Systems Security Management
Define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets (R1 and R3). "Document technical and procedural controls to enforce authentication, accountability and user activity" (R5). Finally, an annual third-party review of the perimeter is required (R8).

  • SAINT provides ‘scan now’ execution as well as scheduled/continuous investigation and reporting processes.
  • SAINT provides automated scan, notification and reporting workflows to ensure key personnel are notified of scan results, with detailed tutorials to facilitate assessment, remediation and risk reduction.
  • SAINT also provides platform-specific security configuration auditing capabilities based on configuration benchmarks maintained by the National Institute of Standards and Technology (NIST).
  • SAINT also provides an integrated exploit capability and social engineering assessment tools (e.g., phishing assessments) to facilitate penetration testing and investigation of vulnerability risks, as well as the risk arising from weaknesses in employee security awareness and behavior.
  • SAINT is your third party to execute vulnerability scanning, reporting and reviews.

Incident Reporting and Response Planning
All cyber security incidents should be addressed by an internal computer incident response team (CIRT) and reported to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC).

  • The SAINT team can work with you to develop your Incident Response Plan and ensure that it exceeds minimum CIP requirements.

Recovery Plans for Critical Cyber Assets
A disaster recovery plan should be created and tested with annual drills.

  • The SAINT team can develop your Disaster Recovery Plan.
  • The SAINT team can assist you with annual drills.