NERC-CIP Compliance with RedSeal

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining the reliability of the North American Bulk Electric System (BES) and protecting it from cyber-attacks.

RedSeal delivers simplified NERC CIP Version 6 compliance with:

  • Continuous validation of the Electronic Security Perimeter (ESP) for mixed vendor environments
  • Malicious code mitigation via least privilege network access
  • Vulnerability remediation prioritization based on actual risk
  • Change simulation

With RedSeal, NERC Registered Entities can significantly reduce the cost associated with enforcing compliance with NERC CIP by automating assessment of many of the NERC CIP controls. Certain controls have traditionally been very difficult to automate, and therefore resource intensive to maintain and audit. However, RedSeal’s unique technology can automate and prioritize these troublesome controls, greatly decreasing resource requirements while actually improving the quality of the control. For example:

  • Electronic Security Perimeter: Internal and external network isolation based on router ACLs and firewall rules is a fundamental control in NERC CIP and in many other compliance regimens. But testing the control at scale is a massive task, especially in multi-vendor environments. Many thousands of rules on hundreds of devices may be deployed to create just one isolated domain, and analyzing these against a security policy is a huge effort with lots of potential for error. RedSeal not only automates this analysis in preparation for an audit; it also continuously monitors the control and provides daily reporting on control integrity. This significantly improves threat defense posture while not requiring additional personnel or technical resources.
  • Configuration Management/Vulnerability Assessments: Comprehensive vulnerability and penetration testing involves a combination of automated and manual procedures. A typical pen testing control activity calls for re-testing when there is any change to the controls being tested (e.g. perimeter defenses). When this scales to a large environment where a large number of changes are taking place, blanket manual processes are no longer realistic. RedSeal lets you focus the pen testing on the boundaries most likely to be affected by a change and with the highest risk potential. With respect to Configuration Management, RedSeal automatically analyzes devices for compliance with baseline configurations. The system includes more than 100 out-of-the-box configuration checks for firewalls, routers, load balancers, and wireless controllers. Examples of configuration checks include password policies, services enabled, logical port configuration, and networking parameters. Custom checks are also easily defined. In addition to enforcing baseline configurations, the solution makes it easy to detect deviations from baseline that may be acceptable, but require authorization. It can also identify access (firewall and ACL) configuration changes that could impact the Electronic Security Perimeter.
  • Vulnerability Scanning: All vulnerability scanning control activities are implemented for the purpose of identifying and remediating vulnerabilities; identifying the vulnerabilities is just the start of the process. But like pen testing, vulnerability scanning doesn’t scale easily and can get expensive quickly. You need to determine where to launch scans and toward which targets. And when you find vulnerabilities by the hundreds, you need to determine risk-based vulnerability prioritization. RedSeal rationalizes vulnerability scanning by combining scan results with its analysis of exploitation potential. This has two benefits: the most dangerous vulnerabilities are identified and can be corrected first by prioritization, and the scanning effort can be tailored to focus in the areas where risk is highest.

For detail on how RedSeal can support your NERC-CIP compliance efforts, download our datasheet.


Customer Story: RedSeal at Work

A leading US integrated power company is required to meet the government standards set forth by NERC (North American Electric Reliability Corporation). The NERC CIP (Critical Infrastructure Protection) plan is a set of requirements designed to secure the assets required for operating North America’s bulk electric system. The plan consists of 9 standards and 129 requirements covering the security of electronic perimeters and the protection of critical cyber assets as well as personnel and training, security management and disaster recovery planning.

“Using RedSeal reduced the time it takes us to evaluate our systems for specific vulnerabilities from one person/month to 15 minutes.

We can spend our time on mitigation, rather than assessment.”

– Director, NERC CIP Operations, Cybersecurity

March 29 Webinar: Operationalizing RedSeal for Risk and Compliance -Register Now