NERC CIP Compliance

1.2.1 Notification/Recognition of Cyber Security Incidents

Vendors need to be able to identify when an incident occurred to ensure that the vendor can notify the entity in the case of such an incident.

1.2.2 Coordination of Responses to Cyber Security Incidents

Vendors should coordinate with the entity their responses to incidents related to the products or services provided to the entity that pose cyber security risk to the entity.

1.2.3 Notification when Remote or Onsite Access is No Longer Needed or Should No Longer be Available to Vendor Representatives

Vendors should respond accordingly to personnel changes. A vendor should be able to tell the entity when a personnel change occurs that could impact whether or not remote access should still be available to vendor representatives.

1.2.4 Vulnerability Identification Vendors are to notify an entity when a vulnerability related to a product or service is identified.

In order to meet this obligation, a vendor needs to know when a vulnerability exists in their environment.

1.2.5. Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System

1.2.6 Coordination of Controls for Vendor-Initiated Interactive Remote Access and System-to-System Remote Access with a Vendor

Vendors must coordinate with entities to control vendor-initiated interactive remote access and ensure system-to-system remote access with a vendor is appropriately managed.

Asset, Change, & Configuration Management Inventory of Authorized & Unauthorized Devices

• Physical devices and systems within the organization are inventoried
• Software platforms and applications within the organization are inventoried
• Organizational communication and data flows are mapped
• External information systems are catalogued

Change Control and Configuration Management Considerations

• Uses a recognized framework for its information technology processes (e.g., ITIL)
• Includes security in its system development life cycle
• Has a mature change-control process
• Maintains separate development and production environments
• Maintains separate environments for different customers
• Has mechanism for software integrity (e.g., PKI with encryption, digital signature)
• Product allows for hardening to minimize attack surface
• Processes to identify, discover, inventory, classify, and manage information assets (hardware and software
• Processes to detect unauthorized changes to software and configuration parameters
• Able to identify whether hardware, software, or components are U.S. and/or internationally sourced

Establish and Implement Security Awareness Program

• Documented and implemented security policy and procedures
• All users are informed and trained on cybersecurity policies and procedures
• Third-party stakeholders understand roles and responsibilities and are accountable to same requirements
• Senior executives understand roles and responsibilities
• Physical and information security personnel understand roles and responsibilities
• Ability to provide ongoing support for software and hardware
• Personnel background checks
• Ability to retain data for events such as litigation holds, cyber security incidents
• Presence of trained, knowledgeable, and sufficient cyber security resources
• Supplier has certifications for manufacturing process (e.g., ISO)

Logging and Monitoring Considerations

• Maintains a program to perform continuous logging, monitoring, and analysis of its systems to identify events of significance
• Has sufficient segregation of duties to ensure logging and monitoring are effective to detect anomalies

Information Protection Considerations

• Uses appropriate controls to manage data at rest (vendor or entity data)
• Ability to provide additional hardware for failures • Encrypts credentials in transit, internal and externally
• Encrypts credentials at rest
• Uses strongest standard encryption algorithms (e.g., AES or SHA-2)
• Supplier physical access controls to hardware, software, and manufacturing centers
• Physical devices and systems within the organization are inventoried
• Supplier location of data centers (U.S./Canada-based vs international)