NERC Cyber Security Compliance for Utility and Energy Firms
Energy producers and distributors that make up the bulk electric system for North America have multiple IT security and compliance challenges, which range from protecting consumers' payment card data and complying with the Payment Card Industry Data Security Standard, to adhering to the general internal audit control and disclosure requirements under Sarbanes-Oxley. In addition, utilities and firms that fall under the authority of the Federal Energy Regulatory Commission (FERC) must meet the cyber security standards of the FERC's certified Electric Reliability Operator (ERO), the North American Electric Reliability Corporation (NERC).
Just as physical surveillance tools such as video cameras are a critical part of physical security controls under NERC, the core technical requirements for cyber security as outlined in NERC CIP Standards 002-009 and other associated guidance from NERC require accountability throughout the authentication, access control, delegation, separation of duties, continuous monitoring and reporting of electronic access to critical infrastructure. And specific requirements from NERC CIP 005, 004, 007 and 008 taken together establish a clear obligation that all electronic access be audited, monitored and archived in such a way that an organization can reproduce detailed privileged user sessions 24 hours per day, 7 days per week. This continuous monitoring requirement would be difficult to achieve with a combination of manual processes and system-level logs, which often do not tie actions to a unique identity.
Centrify Server Suite is an integrated suite of solutions that ensures every user has a unique credential and enforces authentication for access so that all their actions can be tracked, monitored and reported on. By simplifying the effort for complying with NERC standards, operators and firms can ensure secure electronic access and smooth responses to all related audits. Centrify Identity Service ensures that users are individually identifiable and accountable when accessing critical cyber-security and sensitive applications.
- Eliminate troublesome shared accounts and root password vault approaches with strong authentication and single sign-on to privileged accounts through users' unique Active Directory credential.
- Quickly establish role-based granular access to systems based on business need-to-know using a dynamic rights model to secure privileged access and command execution.
- Enforce delegated administration and separation of duties so only authorized users are granting secured access to critical systems and applications.
- Generate detailed reports for NERC compliance showing who has access to what resources, commands and applications.
- Spot suspicious activity or improper procedures through continuous monitoring of privileged user access to critical cyber-security assets and sensitive application.