Understanding NERC IT Requirements

How to bring your network and data into compliance with the North America Electric Reliability Corporation regulations.


In January 2008, the Federal Energy Regulatory Commission (FERC) issued Order 706, approving the first set of eight cyber-security rules for power utilities. Order 706 also asked the North America Electric Reliability Corporation (NERC), a non-profit entity under FERC, to continue to revise and strengthen these eight parts of the Critical Infrastructure Standard (CIP), CIP-002 through CIP-009, which are collectively referred to as NERC CIP.

The utility industry is currently subject to CIP version 3 and is expected to be under CIP version 4 by 2014. But in early 2013, NERC submitted a version 5 iteration of CIP, which will likely leapfrog version 4. CIP 5 is currently in a regulatory review process, but it is expected to receive final approval by FERC before the CIP 4 compliance deadline date. Overall, CIP is very much a standard in flux. CIP 5 introduces two new rules, CIP-010 and CIP-011. CIP is also a complex standard with each of these broader rules broken into many sub-sections, for a total of well over a 1000 requirements.

Key IT Requirements

The following table describes how Varonis can help energy companies meet relevant CIP 5 rules and sub-sections. In reviewing the CIP requirements below, it’s helpful to keep in mind that BES (Bulk Electric System) Cyber Assets and Systems are only those computers and networking equipment that, if unavailable or degraded, would “within 15 minutes” affect the electric system – i.e., the BES.

Requirement Description Varonis Product/Feature
CIP-004 Personnel and Training R4 (Access Management Program)Part 4.3 – “verify at least once every 15 calendar months that all user accounts, user account groups, or user role categories, and their specific, associated privileges are correct.” Varonis DatAdvantage maintains a current listing of all users and user groups and matches identities to data (i.e. folders, files, mailboxes, etc.) to which they have access in the environment. It further maintains a record of all access activity types on this data and this includes user inactivity. Built-in reports highlighting privilege revocation recommendations, inactive groups and users, broken ACLs, and other access control issues are be delivered directly to data owners on a schedule. Automated entitlement reviews ensure that data owners periodically review access as required.
CIP-005 Electronic Security Perimeter R1 (Electronic Security Perimeter)Part 1.2 “Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default” Varonis DataPrivilege provides a system for approving and revoking access to resources within the environment. Requests for access must be approved by a valid authorizer, along with a reason and an optional expiration date.
CIP-007 Systems Security Management R3 (Malicious Code)Part 3.1 – “Deploy method(s)to deter, detect, or prevent malicious code R4 (Security Event Monitor) Part 4.1 – “Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level(per Asset capability) …” Varonis DatAdvantage baselines every users’ activity and sends an alert when anomalous access activity occurs, which is critical to detecting malware. Varonis DatAdvantage can alert on a variety of security events in real-time. These events can be customized by the user. For example IT directors may receive an alert on privilege escalations, configuration file changes, GPO changes, or excessive “access denied” events on sensitive resources.
CIP-008 R1 (Incident Reporting and Response Planning) Part 1.1 – “One or more processes to identify, classify, and respond to Cyber Security Incidents” Because Varonis maintains a detailed history of user activity to data, the DatAdvantage application can flag suspicious activity. Users can also configure customized alerts on a wide variety of access events and output alerts via email, SNMP, and more.
CIP-009 Recovery Plans R1 (Recovery Plans) Part 1.3 – “One or more processes for the backup and storage of information required to recover BES Cyber System functionality” Varonis DatAdvantage has a historical record of your environment’s permissions structure. Should a mishap occur, DatAdvantage can help reconstruct access controls.
CIP-011 Information Protection R1 (Information Protection) Part 1.2 – “Procedure(s) for protecting and securely handling BES Cyber System Information, including storage, transit, and use.” Varonis DatAdvantage provides data protection and security by providing: A complete bi-directional map of permissions (know who has access to data at all times) A continuous audit trail of all access activity (know who is doing what with data) and alerting capabilities when anomalous activity occurs Automated recommendations for where access can be revoked without impacting business Data owner identification – so you can ensure the right people are reviewing access Content classification – so you know where your sensitive data resides and who can, and is, accessing it Varonis Data Transport Engine allows for the secure migration and archival of information. When migrating data across platforms or domains, DTE ensures that only the right people can access data

Request a demo

Interested in finding out how Varonis can help with your compliance initiatives?

Request a demo

Or contact sales at 877-292-8767