Critical Infrastructure Industries

Protecting critical infrastructures is a matter of national security, as our way of life depends upon them functioning in a highly reliable and predictable fashion. One of the most fundamental of these is our power generation and distribution infrastructure. While physical security models are well understood and fully implemented, cybersecurity models are highly dynamic and require ongoing attention. This environment is characterized by an evolving cyber threat landscape and rapidly changing regulatory requirements further exacerbated by the introduction of new technologies, such as smart grid.

Critical Infrastructure Protection (CIP) standards managed by the North American Electric Reliability Corporation (NERC) and overseen by the Federal Energy Regulatory Commission (FERC), guidance developed by the National Institute of Standards and Technology (NIST), Nuclear Energy Institute (NEI) standards, and many other regulations, standards and guidance documents have been published to provide a framework for cybersecurity risk management. However, Cybersecurity Assessment Team (CSAT) members and others responsible for protecting critical infrastructures are looking for guidance on how to apply these frameworks effectively in their own environments. They need assurance that any information security controls they implement achieve their intended purpose without disrupting operations.

Solution

SecureInfo has extensive experience applying NIST guidance, CIP standards, NEI standards and others to a variety of information systems, including supervisory control and data acquisition (SCADA) systems, control room systems, remote terminal units (RTUs), distributed control system (DCS) LANs, and other control systems.

Cybersecurity Plan 5-Day Workshop
This workshop outlines Nuclear Regulatory Commission (NRC) requirements and NEI guidelines for developing, implementing, and maintaining a Cybersecurity Plan for licensees operating a nuclear power plant. The workshop incorporates step-by-step procedures that CSAT members can use to develop, implement, and maintain their organizational Cybersecurity Plans. Attendees will develop a complete Cybersecurity Plan (CSP) implementation strategy, including the identification of tasks, deliverables, points of contact, and associated priorities for the life cycle of a critical digital asset (CDA).

Cybersecurity Controls Assessment 5-Day Workshop
This intensive workshop introduces attendees to the NIST guidance that the NRC used to develop the RG 5.71 cybersecurity controls, which were subsequently incorporated into NEI 08-09, Rev. 6. The roles and responsibilities of your CSAT members are covered in detail. Attendees are then taught the NIST assessment philosophy, including the activities and tasks required for pre-assessment, assessment, and post-assessment of the cybersecurity controls.


Cybersecurity Assessment
SecureInfo’s Cybersecurity Assessment evaluates an organization’s cybersecurity posture and determines how well its information and control systems meet relevant regulations, standards and guidance. More than a checklist exercise, we perform a detailed gap analysis and deliver a Findings and Recommendations Report, which identifies gaps and lays out a corrective-actions roadmap. The result is an accurate view of the level of preparedness of your control systems and of the steps required to manage or mitigate cybersecurity risks. We support CIP, NIST, NRC, NEI and other regulations, standards and guidelines.

In addition to the gap analysis, the Cybersecurity Assessment includes a comprehensive risk assessment.

Phase 1 - During phase one, SecureInfo’s cybersecurity professionals assess all assets owned or operated by your organization to determine their level of potential risk. Using our proprietary decision tree methodology, we identify each critical asset and assign it a risk rating. Each risk rating includes a clear justification for the risk determination.

Phase 2 - Using the list of critical assets identified in phase one, the SecureInfo asset assessment team develops a list of the associated critical cyber assets that are essential to the operation of each critical asset. If a cyber asset meets one of the specified characteristics and supports a critical asset, that cyber asset is considered a critical digital asset.

Phase 3 - Once the list of critical assets and the list of associated critical cyber assets have been completed, SecureInfo can provide lifecycle maintenance, reviewing both lists annually and updating them as necessary.

Security Program Management

SecureInfo’s Security Program Management services enable your organization to build and operate a proactive cybersecurity program that mitigates information security risk, defends more effectively against cyber attacks, and meets regulatory requirements.

SecureInfo brings the lessons learned from hundreds of customer engagements to each new client. Our cybersecurity experts begin by working with you to understand your security strategy, establish overarching goals, and review, refine and close gaps in existing security plans and policies. Next, we design a continuous assessment and monitoring program aligned with your strategy and industry best practices. We then help you integrate these plans, policies and processes into your day-to-day operations. The end result is a robust, manageable and ongoing cybersecurity program tailored to your organization’s needs that demonstrates your commitment to improving your security posture.

Policies/Procedures Creation & Management

SecureInfo’s Policies/Procedures Creation & Management services enable you to align your security objectives with your organization’s mission by capturing your goals in policy. Our cybersecurity experts work as an extension of your security program management office to review existing policies, standards and procedures; identify gaps relative to your organization’s needs and applicable regulatory requirements; and fill those gaps so that documentation is relevant, understandable and aligned with organizational goals and regulatory coverage.

Our experts work with your organization to develop strategies for effectively communicating the policies, standards and procedures used to maintain good security practices and compliance. Once this work is complete, your organization can be assured that its security foundation is current, sound and compliant. Optionally, we can take over ongoing management responsibility for your policies, procedures and standards to ensure these documents remain current and relevant.

Benefits

  • Improve compliance with CIP, NIST, NRC, NEI and other regulations, standards and guidelines.
  • Reduce the cost of compliance, and avoid costly penalties and negative publicity.
  • Improve cybersecurity posture.
