NERC CIP CYBERSECURITY COMPLIANCE FOR THE BES

WE UNDERSTAND YOUR PAIN

NERC CIP Cybersecurity Compliance Is Required and Can Be Unwieldy

Compliance with NERC CIP Reliability Standards is required by law to ensure the security and reliability of the bulk electric system (BES). Thirteen active NERC CIP standards guide cybersecurity best practices for the North American BES. Achieving and maintaining compliance with these standards stretches staffing resources and poses cost challenges for Responsible Entities.

HERE'S WHAT NERC CIP COMPLIANCE STAKEHOLDERS TELL US

Our NERC CIP Cybersecurity Customers Reported Six Challenges Before Engaging Foxguard

COMPLIANCE WITH NERC CIP STANDARDS TIES UP RESOURCES

Adherence to NERC CIP cybersecurity requirements consumes significant internal IT/OT staff hours—time that could be devoted to special projects, programs, and day-to-day operations. That’s particularly true today, where cybersecurity compliance resources are stretched, and organizations must operate within limited budgets. You’re likely feeling the pinch already.

DISCOVERING ALL ORGANIZATIONAL ASSETS IS DIFFICULT

Asset discovery is a leading cause of long or incomplete remediation programs to meet NERC CIP cybersecurity compliance requirements (see sidebar). Asset Owners may need to identify, evaluate, and categorize 30,000 to 100,000 assets to create their master asset list of 200-500 unique items (Vendor, Product, Version, OS) requiring monitoring and patching on a 35-day cycle.

THE CYBERSECURITY THREAT IS REAL

In 2021, SecurityIntelligence reported that the average cost of a cybersecurity breach in the energy industry was $4.65 million. Similarly, IBM reported that the average cost of one incident was $4.72 million between March 2021 and March 2022. The number of cyber-attacks targeting critical infrastructure assets has intensified during the past five years. Between 2017 and 2022, the Energy Security Sentinel (S&P Global Commodity Insights) documented 49 cyber events impacting oil and energy organizations—primarily targeted at U.S.-based operations.

NERC CIP NON-COMPLIANCE CAN BE COSTLY

The Federal Energy Regulatory Commission (FERC), authorized by the Energy Policy Act of 2005 (following the 2003 Northeast blackout), designated NERC to develop and enforce mandatory reliability standards for the BES. NERC and its regional entities have issued fines as high as $10 million for compliance violations. NERC is empowered to levy fines as high as $1 million per day per violation.

NERC CIP COMPLIANCE IS COMPLICATED

Asset Owners have multiple systems, spreadsheets, vendors, and personnel to manage and coordinate. Cyber Security and Compliance are two different things. Having one source of Patch Intelligence and Patches bridges Cyber Security and Compliance requirements.

NERC CIP STANDARDS ARE A MOVING TARGET

As cyber threats evolve with technology advancements, NERC revises compliance standards to ensure the reliability and security of the North American BES. With various revisions to NERC CIP standards planned or in process, power utility organizations must stay abreast of and comply with evolving regulatory standards. You must continually assess your IT/OT security environment and be ever-vigilant.

FOXGUARD'S INTEGRATED NERC CIP PROGRAM

Foxguard’s Integrated NERC CIP Program Eases the Burden of Compliance

At Foxguard, we offer an integrated NERC CIP cybersecurity compliance program that protects your company and provides third-party documented compliance with NERC CIP regulations. Foxguard’s experience, expertise, flexibility, and our relentless drive toward your protection make us the perfect partner to manage your company’s NERC CIP cybersecurity compliance.

CIP COMPLIANCE

NERC CIP Cybersecurity With Foxguard

When it comes to CIP compliance, Foxguard enables you to:

Create a Master Asset List (CIP-002 and CIP-007)

Create a master asset list (MAL) to meet CIP-002 BES Cyber System Categorization and comply with CIP-007 Security Patch Management Requirements. Learn more about asset inventory management.

Comply with CIP Security Patch Management Requirements (CIP-007)

Comply with CIP-007 Security Patch Management requirements. Learn more about our patch management solutions.

Assess and Develop Your Program

Assess and develop your program via our Cyber Consulting Services (CIP-003, -004, -005, -007, -008, -010, -013). Learn more about our cybersecurity consulting.

BE PROACTIVE

Don’t wait until your organization experiences a cyberattack

Combat the constant threat to your IT/OT assets. Our program is designed for companies across the energy landscape:

  • Power generation plants (coal, natural gas, and hydroelectric)
  • Transmission and Distribution (microgrids and power grids)
  • Renewables (solar and wind)

FOXGUARD PROTECTS YOU

Foxguard Takes the Necessary Steps to Protect You

Foxguard offers cybersecurity products and services that meet NERC CIP compliance requirements. These can be purchased in combination or as standalone products, services, and subscriptions. We can customize a solution to meet your organization’s needs and cybersecurity maturity level and, of course, be compliant with NERC CIP standards.

Asset Inventory Management

As part of our Patch Availability Reporting (PAR) subscription service, Foxguard generates and maintains a master asset list (MAL) of your critical cyber IT/OT Assets to help establish a baseline configuration.

  • Perform Walkdowns
  • Incorporate passive and active network analysis intelligence
  • Integrate with third-party asset management platforms

Learn how asset inventory management from Foxguard is a fundamental step in protecting Asset Owners from cyber threats.

After we generate your master asset list, we analyze your assets for risk and vulnerabilities.

Vulnerability Management

Patch Availability Reporting (PAR)

Our Patch Availability Reporting (PAR) service determines and documents if a security-related patch is available for each asset. The report documents and provides the following:

  • Security vs. non-security patch designation.
  • Patch notes.
  • Common vulnerabilities and exposures (CVEs).
  • Common vulnerability scoring system (CVSS) scores.
  • End-of-support (EOS) notifications.
  • Links to the patch source.
  • Coverage for transient cyber assets (TCA).

Patch Binary Acquisition (PBA)

In addition to supporting patch management (CIP-007) and secure supply chain management (CIP-013), our Patch Binary Acquisition (PBA) service also supports software bill of materials (SBOM) vulnerability analysis. Foxguard offers Cyber Services to perform vulnerability assessments and develop mitigation plans, including cyber-informed engineering to define, source, and integrate the appropriate solutions for you. Learn more about NERC CIP cybersecurity vulnerability management from Foxguard and how we mitigate cybersecurity vulnerabilities.

Security Patch Management (NERC CIP-007)

Foxguard offers multiple security patch management solutions to support patching on a 35-day cycle according to CIP guidelines. Learn more about patch management solutions from Foxguard.

Cybersecurity Consulting Services (NERC CIP-003, 004, 005, 007, 008, 010, 011, 013)

Our Information Security Management and Cyber Engineering experts can consult with you at your facility.

Learn more about our onsite cybersecurity consulting.

SIX REASONS TO TRUST FOXGUARD

Trust Foxguard With Your NERC CIP Compliance

FOXGUARD EXTENDS THE CYBER CAPACITY OF YOUR TEAM

Whether you have robust IT/OT teams or have some holes in your starting lineup, Foxguard is here to help. We offer both Staff Augmentation and Managed Task services. Our interdisciplinary team members have decades of experience in:

  • Computer Science and Engineering
  • Industrial Control System (ICS) and Network Engineering
  • Information Security (IS)
  • Information and Operational Technology (IT/OT)
  • NERC CIP Standards
  • NIST Cybersecurity Framework

Our robust team enables us to guide your organization through every step of NERC CIP cybersecurity compliance initiatives.

WE’RE COMPLIANCE LEADERS

We know compliance standards. In fact, we worked shoulder-to-shoulder with the Department of Energy (DOE) to help create NERC CIP’s cybersecurity compliance program.

We monitor real-time changes and have eminent industry experts to help companies get and stay compliant.

WE’RE CERTIFIED

Our team holds certifications:

  • Certified Information Systems Security Professionals (CISSPs)
  • Global Industrial Cyber Security Professionals (GICSPs)
  • Certified Ethical Hackers (CEHs)
  • Certified Hacking Forensics Investigators (CHFIs)

Foxguard is ISO 9001:2015 and ISO-27001 certified.

WE’RE FLEXIBLE AND RELENTLESS

We’re known for our readiness to develop solutions specific to your needs to meet challenges head-on. Cybersecurity is never a “one-and-done.” Hackers are relentless. So are we. The threats—both foreign and domestic—are continuous. That’s why we’re hypervigilant, relentless, and nimble.

OUR PEOPLE ARE THE BEST

We’ve been at the forefront of driving industry changes for 40+ years. But we never rest on our laurels. We work collaboratively with you, your teams, and your systems.

WE FREE UP YOUR RESOURCES

We assist with your compliance needs, so your team doesn’t have to. Foxguard offers Staff Augmentation and Managed Task services.

WHAT'S NERC CIP?

The North American Electric Reliability Corporation Critical Infrastructure Protection

NERC CIP is the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP). Referred to as NERC CIP, or sometimes NERC or CIP alone, the program began in 2008. The ever-growing compliance regulations include NERC-approved Reliability Standards that are mandatory in Canada and the United States.

OUR CLIENTS SAY IT THE BEST
