If your organization is a bulk power system owner or operator in North America, then you probably already know that you need to be compliant with NERC CIP v5 by April 1, 2016.
For readers who are not familiar with the topic, North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the reliability of the bulk power system in North America. NERC develops and enforces Reliability Standards, including Critical Infrastructure Protection (CIP) standards to secure cyber assets essential to the reliable operation of the electric grid.
NERC CIP v5 covers a range of cyber security requirements, including the new CIP-011-1 standard for Information Protection. This CIP standard mandates the identification, protection, and secure handling of Bulk Electric System (BES) Cyber System Information.
CIP-011-1 allows Responsible Entities (i.e. bulk power organizations) to choose their preferred method for identifying BES Cyber System Information. Options include classification, personnel training, and designated repositories for BES Cyber System Information.
If a Responsible Entity uses classification, they can mark or label documents. They can also use additional classification levels (e.g. Confidential, Public, Internal Use) that go above and beyond the requirement to identify BES Cyber System Information.
The organization’s Information Protection Program must also include procedures for protecting and securely handling BES Cyber System Information, including storage, transit, and use. Protection options include encrypting the information to prevent unauthorized disclosure during transmission. The organization must also specify the circumstances in which BES Cyber System Information can be shared with and used by third parties.
TITUS can help Responsible Entities meet CIP-011-1 Information Protection requirements. With TITUS Classification Suite, organizations can:
- Identify Cyber System Information: TITUS adds information indicators (classifications and labels) to email, documents, and files. With support for automated, system-suggested, or user-driven classification, Responsible Entities can easily identify information that is part of their information protection program.
- Protect Critical Data Assets: CIP-011-1 requires Responsible Entities to reduce the risk of cyber-attack by specifying the circumstances under which BES Cyber System Information can be shared with or used by third parties. TITUS adds visual markings and handling instructions to email and documents so that users can make informed decisions about information protection.
- Change User Behavior: Organizations can promote a culture of security by making users aware of their responsibilities when handling BES Cyber System Information. As users handle email and documents, TITUS enforces information protection policy and provides targeted, interactive education so that security becomes everyone’s responsibility.
- Protect Content with Encryption: Responsible Entities can apply persistent protection to email and documents with Microsoft Rights Management Services (RMS) and other encryption and rights management solutions. TITUS provides the ideal front-end to encryption solutions by automatically protecting information based on classification, content, recipients, and other attributes.
- Optimize Security Solutions: Organizations can enhance the ability of DLP and gateway encryption solutions to protect BES Cyber System Information during transit. By applying persistent classification metadata to email and documents, TITUS empowers other security solutions to recognize and protect critical data assets for secure collaboration.
The NERC CIP v5 deadline is fast approaching. TITUS solutions help you meet the key requirements quickly – and with low operational impact to your technology infrastructure and IT team. Please contact us for more information on how we can help.