This document summarizes key considerations for cybersecurity vendors regarding NERC CIP compliance standards. It discusses how vendor products and services may need to address requirements around customer information protection, training, access management, electronic access controls, security status monitoring, and technical exceptions. It also covers vendor issues such as maintaining compliance documentation, system cleansing, security testing, patch management, vulnerability response, supply chain risks, and procurement language. The presentation aims to inform vendors about NERC CIP requirements and compliance challenges faced by asset owners.

1. Cybersecurity Vendor
Considerations
SEL University Security Solutions Summit
November 1-5 2010 | SEL Event Center
Patrick C Miller, EnergySec

2. Introduction
Patrick C Miller
President and CEO, EnergySec
Former WECC Manager, CIP Audits &
Investigations
Worked for several asset owners in Western
US
13 years of energy industry experience
CRISC CISA CISSP-ISSAP SSCP CEH CVI
NSA-IAM
2

3. CIP-003-x.R4
Customer information protection policies and
practices may be onerous
Customer may inadvertently violate if...
Ship device back to vendor for repair
Share configuration or sensitive information in
email or other company documents
Support and procurement areas are most
common
Maintenance and storage of compliance
documents
3

4. CIP-004-x
Entity specific training is required
Company training is not fully sufficient
Background screening is required for
unescorted access to Critical Assets
Access Lists, including vendors
Escorted physical access is recommended
Escorted electronic access is not an option
Escort means 100% accountability for actions
4

5. CIP-005-x
Electronic Access Controls
Ports and Services
Secure Dial-up
Logon Banner
Monitoring Electronic Access
Cyber Vulnerability Assessment
5

6. CIP-007-x
Test Procedures
Ports and Services
Patch Management
Anti-x (malware prevention)
Account Management (shared accounts)
Security Status Monitoring
Disposal and Redeployment
Cyber Vulnerability Assessment
6

7. Technical Feasibility
Exceptions
Inquiries about how the product line meets or
doesn’t meet strict compliance to the standard
Strong authentication (CIP-005.R2.4)
Appropriate use banner (CIP-005.R2.6)
Monitoring for dial-up CCAs (CIP-005.R3.1)
Detection and alerting, 90 days of logs (CIP-
005.R3.2)
Alternative measures to 6-walls (CIP-006.R1.1)
Cannot disable ports and services (CIP-
007.R2.3)
7

8. Technical Feasibility
Exceptions
Anti-x; malware protection (CIP-007.R4, R4.1)
Passwords (CIP-007.R5.3 and all
subrequirements)
Security status monitoring (CIP-007.R6)
Security logging (CIP-007.R6.3)
Significant burden on asset owner to provide
proof through vendor documentation
Product vendors may be asked to provide
documentation, statements or product
roadmaps
8

9. Vendor Issues
Maintaining regulatory documentation for entity
System cleansing
After diagnostic efforts
Before re-issue to new client
Security testing in FAT and SAT
Patch management
Vulnerability research and response
Scanning vs. manual
9

10. Vendor Issues
Supply chain
Code validation, escrow
Embedded systems validation
ICSA Labs, UL, Achilles
WIB Vendor Security Certification Process
SCADA procurement language
Rate cases
10

11. Questions?
Patrick C Miller
patrick@energysec.org
503.446.1212
11