The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Standards are a cybersecurity compliance framework designed to protect utility organizations. Adhering to these guidelines is essential—falling short will leave your environment vulnerable to malicious actors and can result in some hefty fines. NERC CIP is a burdensome set of standards, so when it comes to strategizing how you will bring your organization into compliance, it can be difficult to know where to even start.

Through collaborating with Tripwire utility customers that have successfully brought their organization into NERC CIP compliance, I’ve developed a maturity model that will help you outline your strategy for tackling NERC CIP yourself.

It’s important to realize that you will not be able to achieve NERC CIP compliance overnight. Tripwire offers solutions that can help you in nearly every element of NERC CIP that involves technical controls. However, your keys to success are the people and processes that work with these technical components. These take longer to develop and adjust. The best course of action is to implement a bit of technology at a time and then let your people and processes adapt before moving on. This will allow you to ultimately scale your implementation across your entire organization.

There are four phases to the NERC Maturity Model.

Phase 1: Implement Tripwire Enterprise

Tripwire® Enterprise is the first core tool that you will use for addressing NERC CIP compliance. Therefore, implementing it should be your first course of action. Tripwire Enterprise is a powerful tool with broad capabilities—it can collect a great deal of information from a wide variety of asset types.

You will use Tripwire Enterprise for many functions that will help you tackle NERC CIP standards. It will monitor the system state of your assets and will note if there have
