Customer Story: RedSeal for NERC-CIP Compliance

A leading US integrated power company implemented RedSeal in 2015 as part of a NERC-CIP version 5 program implementation. The company’s initial uses for RedSeal were firewall rule evaluation and proving logical segmentation. The uses expanded as the company gained experience with the platform, and RedSeal is now a key part of their daily security, risk management, and compliance processes. Some of the ways RedSeal helps the company with its NERC-CIP compliance are:

Firewall Rule Business Justification

NERC-CIP requires a business justification for every firewall rule. RedSeal simplifies the evaluation of firewall rules and allows a business justification for each rule to be documented.

Logical Segmentation for Compliance Risk Management

Allowing connections between different systems raises their NERC-CIP risk ratings, because a compromise in one could spread to others. The risk management solution is logical segmentation. RedSeal helps ensure and prove that logical segmentation remains in place, reducing and maintaining lower NERC-CIP risk ratings. Reducing NERC-CIP risk ratings from Medium to Low reduces the number of applicable compliance risk requirements from 129 to just four.

Firewall Rule Change Monitoring

RedSeal imports all firewall rules daily, and highlights the status of any firewall changes on a dashboard. This simplifies the process of ensuring that business justifications for new firewall rules have been completed. RedSeal also compares the changes to the company’s logical segmentation policies, alerting the NERC-CIP team to any issues.

Vulnerability Evaluation

Many security vulnerabilities can’t be exploited unless certain ports or communication paths are open. RedSeal’s network modeling evaluates the actual risk level of vulnerabilities—based on the location of assets within the network and the firewall rules in place. The company has been able to reduce the time required to evaluate the impact of vulnerabilities and now has a more methodical approach to mitigation based on true risk rather than responding to every vulnerability as an emergency.

NERC-CIP Audit Readiness

CIP audits require entities to show the business justification for all firewall rules and configurations. RedSeal’s reporting capability significantly reduces the time required to build reports for NERC-CIP compliance. Additionally, the automation it provides in monitoring firewall rule changes and logical segmentation policies demonstrates a strong control over those processes. Automation and strong controls factor into the depth and frequency of CIP audits.

Threat Modeling and Mitigation

NERC Alerts require companies to evaluate their systems for specific vulnerabilities. This risk evaluation frequently requires reviewing firewall rules at all plants. The task was taking the company the equivalent of one full-time person a month to complete—with possible exposure from the threat the entire time.

When the WannaCry ransomware attack was released in May 2017, the company had to find sites with port 445 open to assess possible vulnerabilities. Using RedSeal, the task took one person 15 minutes— rather than one month. The team can now spend time on mitigation efforts rather than risk assessment.

RedSeal has improved threat response capabilities, automated manual processes, and allowed the organization to be ready for a NERC-CIP audit at any time.