BES Cyber Systems
CIP v5 Compliance
WITH THE INTRODUCTION OF NERC CIP v5, THE MAJOR OBJECTIVES WERE AS FOLLOWS:
- Address NERC CIP v5 compliance requirements for over 250 BES Cyber Systems and BES Cyber Assets;
- Reduce operational risks to the environment;
- Reduce reliance on manual processes for access governance and access administration;
- Improve role management capability for the BES Cyber Systems.
KeyData assisted the client to achieve NERC CIP v5 compliance. Achievements included the following:
- Conducted an in-depth gap analysis and control risk assessment of the current state of Identity and Access Management (IAM) and Privileged Account Management (PAM), measured against industry-leading best practices and NERC CIP v5 requirements.
- Recommended comprehensive operational improvements focused on governance, people, processes, and technology.
- Developed an access management policy, target-state remediated access management processes, and baseline control standards for NERC CIP compliance.
- Developed an IAM architecture and multi-phase IAM roadmap to achieve target state.
- Defined a strategy and approach to collect application data and entitlements through common integration patterns.
- Developed and implemented a role-based access control strategy by analyzing business and application roles for each department.
- On-boarded 250+ BES Cyber Systems and BES Cyber Assets into a commercial IAM system.
- Integrated IAM with IT Operations monitoring (SCOM) to support the operations of the IAM solution.
Implemented the following CIP v5 compliant improvements:
- Onboarding (birthright) process to ensure security training and background checks are valid prior to provisioning;
- Cross-boarding process requiring managers to review BES access to ensure access is still appropriate after department transfers;
- Termination process to automatically disable network, remote and physical access within 24 hours of termination;
- Quarterly access certification process where managers would review access based on business roles for ease of use;
- Access request process to enable the organization to easily report on access and the authorization of that access;
- Reminder notifications, followed by automatic disablement of access, when security training or security background checks expire.
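The access-governance rules listed above (provisioning gated on valid training and background checks, disablement when either lapses, disablement within 24 hours of termination, and reminders before a control expires) can be expressed as a small, testable policy evaluator. The block below is an added illustration, not KeyData's or the client's code. The 24-hour termination window is taken from this page; the training and background-check validity periods, the reminder lead time, and the `Worker` record layout are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

# The 24-hour termination window is stated on the page. The validity periods
# and the reminder lead time are constructed placeholders for this example,
# not values from the page; a real deployment takes them from policy.
TERMINATION_WINDOW = timedelta(hours=24)
TRAINING_VALID_FOR = timedelta(days=365)              # assumed
BACKGROUND_CHECK_VALID_FOR = timedelta(days=7 * 365)  # assumed
REMINDER_LEAD = timedelta(days=30)                    # assumed


@dataclass
class Worker:
    """Assumed minimal identity record fed to the evaluator."""
    user_id: str
    training_completed: Optional[date]
    background_check_completed: Optional[date]
    has_bes_access: bool = False
    terminated_at: Optional[datetime] = None


def _expiry(completed: Optional[date], valid_for: timedelta) -> Optional[date]:
    """Date on which a control lapses; None if it was never completed."""
    return None if completed is None else completed + valid_for


def evaluate(worker: Worker, now: datetime) -> List[str]:
    """Return the governance actions required for one worker at time `now`."""
    today = now.date()
    actions: List[str] = []

    # Termination takes precedence over every other rule: access must be
    # disabled, and the 24-hour deadline is tracked so misses are visible.
    if worker.terminated_at is not None:
        if worker.has_bes_access:
            actions.append("disable_access")
            if now > worker.terminated_at + TERMINATION_WINDOW:
                actions.append("overdue_termination")
        return actions

    training_exp = _expiry(worker.training_completed, TRAINING_VALID_FOR)
    check_exp = _expiry(worker.background_check_completed, BACKGROUND_CHECK_VALID_FOR)
    training_ok = training_exp is not None and today < training_exp
    check_ok = check_exp is not None and today < check_exp

    # Birthright provisioning is refused, and existing access is revoked,
    # unless both controls are current.
    if not (training_ok and check_ok):
        actions.append("disable_access" if worker.has_bes_access else "deny_provisioning")
        return actions

    if not worker.has_bes_access:
        actions.append("provision_allowed")

    # Reminders go out ahead of expiry so access is not cut unexpectedly.
    if training_exp - today <= REMINDER_LEAD:
        actions.append("reminder_training")
    if check_exp - today <= REMINDER_LEAD:
        actions.append("reminder_background_check")
    return actions


def run_daily(workers: List[Worker], now: datetime) -> Dict[str, List[str]]:
    """Evaluate a population and return only the workers needing action."""
    result = {w.user_id: evaluate(w, now) for w in workers}
    return {uid: acts for uid, acts in result.items() if acts}


if __name__ == "__main__":
    # Constructed sample population for a stand-alone run.
    now = datetime(2024, 6, 1, 12, 0)
    sample = [
        Worker("new-hire", date(2024, 1, 15), date(2020, 1, 1)),
        Worker("lapsed-training", date(2023, 1, 1), date(2020, 1, 1), has_bes_access=True),
        Worker("left-yesterday", date(2024, 1, 15), date(2020, 1, 1), has_bes_access=True,
               terminated_at=datetime(2024, 5, 30, 0, 0)),
    ]
    for uid, acts in run_daily(sample, now).items():
        print(uid, acts)
```

Each rule is a pure function of the record and the clock, so the same evaluator can back the nightly disablement job, the access-request approval check, and an audit report that lists every worker whose termination deadline was missed.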
AT A GLANCE
Large Electricity System Operator
The challenge faced by the client was reliance on excessive manual processes for NERC CIP compliance. The processes were complex, inefficient, prone to error, lacked consistent audit trails and were not well understood.
SERVICES PROVIDED BY KEYDATA:
- Conducted IAM and PAM current state assessment against best practices and NERC CIP v5 requirements
- Developed IAM target-state architecture, strategy, roadmap and implementation plan