A Systrends Cyber Security audit can provide a systems security baseline. The baseline (i.e., your current cyber security status) serves as the starting point for developing your cyber security strategy and for compliance with FERC CIP standards.
A comprehensive Systrends Cyber Security audit will help your organization answer the following questions:
- What is the security risk category of the systems that make up your infrastructure—High, Medium, or Low?
- What are the current security controls for these systems?
- Who are the people managing and operating these systems?
- Who uses these systems (internal, external) and how do they use them? What information access does each group/subgroup have?
- Are your system controls documented? Are your controls and procedures current and able to be understood and implemented?
A comprehensive Systrends Cyber Security audit will:
- Ensure your compliance with the FERC CIP standards.
- Take the cyber security evaluation and audit burden off your staff and internal security personnel.
- Manage the project and make sure all systems and people are identified and evaluated.
- Document, update, and organize your cyber security policy and procedures.
- Train your designated staff to keep your cyber security controls and policies current.
- Protect your organization and infrastructure from cyber threats and confirm that the right physical, administrative, and technological security controls are in place.
Systrends CEO David Darnell is certified by ISACA as a CISA and CISM, and by (ISC)² as a CISSP.
Based on changing security needs in the energy industry, requests from existing customers, and evidence of ongoing security challenges for energy entities, Systrends CEO David Darnell became a member of ISACA (formerly the Information Systems Audit and Control Association) in 2015. After taking various classes and passing stringent examinations, David became certified as a CISA (Certified Information Systems Auditor) and as a CISM (Certified Information Security Manager), scoring in the top 10% on both certification tests. In addition, David has recently become certified as a CISSP (Certified Information Systems Security Professional) by (ISC)².
Current FERC/NERC CIP System Security Standards
With changes over the last few years in the energy business, energy and utility system infrastructure has evolved toward an open network architecture.
- Internal users send information out of the secure environment.
- Users outside the network have access to data and internal applications.
- Systems and subsystems use open architecture to communicate across wide area networks.
- Smart meters allow access to meter data across a wide area via smart grid technology.
These changes to the power infrastructure have made cyber security threats more likely and more dangerous. Energy industry entities must make sure the right physical, administrative, and technological security safeguards and controls are in place.
How has FERC responded to changes in energy system security requirements?
- In 2008, FERC wrote and approved eight mandatory critical infrastructure protection (CIP) reliability standards to protect critical assets in our greater power system from cyber security violations. FERC designated the North American Electric Reliability Corporation (NERC) as the ERO (Electric Reliability Organization) to execute and enforce compliance with the CIP standards.
- Congress has mandated that the FERC CIP standards be reviewed and measured against the current National Institute of Standards and Technology (NIST) cyber security standards. This subjects the current standards to stringent review and revision.
- Auditable compliance was mandated for all energy entities in 2010.
- For security purposes, all energy systems are assigned a CIP security exposure level of High, Medium, or Low, and all such systems are subject to the CIP standards.
The eight Critical Infrastructure Protection (CIP) standards cover:
- Critical cyber asset identification.
- Security management controls.
- Personnel and training.
- Electronic security perimeters.
- Physical security of critical cyber assets.
- Systems security management.
- Incident reporting and response planning.
- Recovery plans for critical cyber assets.