Bob Swanson
Compliance Engineer, Team Lead

Protect Your Grid

LogRhythm’s Launch of NERC-CIP v5 Compliance Module: Assisting Customers in the Transition from v3 to v5

On February 12, 2013, the Obama administration recognized the growing cyber threat to various critical U.S. infrastructure. In response, Obama issued Executive Order 13636 to encourage industries to re-evaluate how they protect their systems supporting critical infrastructure.

This recognition led to the development of the NIST-CSF—a baseline cyber security framework (CSF) to be applied across all critical U.S. infrastructure.

Industry sectors have not only begun to implement components of the CSF, but they also have begun adapting their own industry-specific frameworks to reflect elements of the NIST-CSF.

In 2014, the North American Electric Reliability Corporation (NERC), the nonprofit organization responsible for developing standards for the energy production sector, set out to update its critical infrastructure protection (CIP) cyber security standards framework. Specifically, version 5 of the CIP framework focuses on preventing misoperation or instability in the energy grid. LogRhythm released the NERC-CIP version 5 compliance module on August 18, 2015 to accompany the existing NERC-CIP version 3 compliance module.

Figure 1. NERC Logo

Here, we will take a quick look at key components of version 5 and how LogRhythm is helping customers manage the transition from version 3.

What Changed?

In NERC-CIP v5, energy production organizations are charged with performing a risk-based assessment against all bulk electric systems (BES) by dividing system components into High-, Medium- and Low-Impact categories.

The scope of v5 has also expanded to specifically include substations that interact with energy management systems (EMS).

Key Deadlines

Transitioning organizations must be aware of some key deadlines in relation to cutover requirements:

  • April 1, 2016: Organizations must transition all High- and Medium-Impact BES over to the v5 control framework.
  • April 1, 2017: Organizations must transition all Low-Impact BES over to the v5 control framework.

How We Can Help

Any NERC-CIP compliance effort requires the ability to identify and organize BES assets, apply security monitoring rules by risk level, capture cyber threats and malicious actions and notify security operations staff when necessary.

LogRhythm supports your compliance effort by providing a full-featured SIEM that helps you to organize assets so you can identify and respond to risks.

Knowledge Base

LogRhythm provides an entire Knowledge Base (KB) of monitoring rules and reports specific to NERC-CIP. Our industry-specific KB module reduces the time to meet compliance requirements and provides advanced features for long-term monitoring and security.

Real-Time Analytics

Using LogRhythm, you can gain powerful analytics for identifying risks across high-, medium- and low-priority assets. These analytics feed in-line response capabilities (SmartResponse™) that help reduce the mean-time-to-detection (MTTD) and mean-time-to-respond (MTTR). This improves security in addition to meeting compliance needs.

Risk-Based Prioritization

LogRhythm’s Risk-Based Prioritization (RBP) can be associated with the entity structure to help identify at-risk components of the BES. It also reduces noise by focusing on log messages that actually matter.

The RBP values can be directly derived from the risk-based assessment that organizations perform against their environment. This allows you to quickly prioritize events, gather forensic data and begin implementing remediation efforts to prevent misoperation or instability.

Continuous Support

With the v5 release, LogRhythm now offers compliance modules that empower customers to adhere to both v3 and v5 of the NERC-CIP. We will continue to support compliance efforts in both versions all the way up to April 1, 2017, the final deadline for organizations to fully cut over to v5.

Our Compliance Approach

LogRhythm works to support or augment NERC-CIP compliance objectives by directly mapping objects and functionality of our product to specific controls. The NERC-CIP compliance module includes:

  • Customized AI Engine rules to provide correlation and advanced alerts
  • Specialized reports and investigations to provide context around events within an environment so you can easily assess and determine your organization’s adherence to regulations

For more information about how LogRhythm supports NERC-CIP compliance, read our white paper on the topic.

Until next time,
Bob Swanson – LogRhythm Labs