NERC CIP Regulations For July 2020 – How Prepared Are Energy Utilities?

Below is our recent interview with Trace Bellassai, Cyber Security Solutions Engineer at FoxGuard Solutions:

Q: Could you provide our readers with a brief introduction to FoxGuard Solutions?

A: Founded in 1981, FoxGuard Solutions’ team of engineers and developers design, manufacture, and integrate innovative cybersecurity, computing, simulation, and regulatory compliance solutions used in critical infrastructure markets. FoxGuard is an ISO 9001:2015 and ISO 27001:2013 certified business. Our solutions are customizable with selections from our Cyber Security and Industrial Computing offerings.

CYBERSECURITY AND COMPLIANCE

We provide a complete Patch & Update Management Program, which includes asset analysis, monthly patch reporting, acquisition, validation, and deployment. FoxGuard also offers custom Security Services, integrated Hardware/Software Solutions, and Field Services.

INDUSTRIAL COMPUTING

We develop turnkey computer solutions for critical infrastructure and control system vendors, including configuration, sourcing, imaging, integration, documentation, and life cycle management. Products are built in our secure, ISO certified facility and can be shipped worldwide.

Q: How is FoxGuard Solutions prepared for the new Regulations?

A: As an active member of the NERC CIPC Supply Chain Working Group, FoxGuard Solutions is deeply familiar with the upcoming NERC CIP-010 and CIP-013 regulations that become enforceable this year. On July 1, 2020, there will be a heavy focus on supply chain risk management – NERC CIP 013-1. Additionally, NERC CIP 010-4 (R1.6) will be adopting new requirements, which require verifying the authenticity and integrity of the vendor or third party software. NERC CIP 013-1 also involves verification of software authenticity and integrity (R1.2.5), a plan to deal with vendor vulnerability and incident disclosures (R1.2.1, 1.2.2, and R1.2.4), and procedures in place for when a vendor notifies you that they no longer need remote or on-site access (R1.2.3).

FoxGuard is an ISO 9001:2015 and ISO 27001:2013 certified business that has been providing products and services to the electric utility market for nearly 30 years and has always focused on ensuring security measures are in place to protect our customers. We’ve been planning and preparing for more rigorous Supply Chain Requirements for years. Some examples of product line controls already in place on our Patch Availability Reporting (PAR) and Patch Binary Acquisition (PBA) service offerings include:

• Documentation of hash values for patch files when provided by your vendor (PAR)
• Verification that downloaded patch binaries match the vendor-provided hash value (PBA)
• Integrated authenticity and integrity verification capabilities provided with digital deliverables to our customers using signed hash digests (PAR, PBA)
• Patch evidence (screenshots, logs) of patch data captured (PAR)
• Secure transfer of patch binary files using AES-256 encrypted removable media devices (PBA)
• Tamper evident packaging for physical shipments (PBA)

Q: Will any additional or NEW features be added to your products?

A: Yes, we are also working on a few NEW features to our Patch Availability Reporting and Patch Binary Acquisition service offerings, which will specifically address the new NERC CIP requirements.

These new features will be available to customers as part of the monthly PAR / PBA deliverable. Supporting evidence of the authenticity and integrity verification process will also be captured each month and can be made available to customers as requested to support regulatory audit needs.

Q: What Industries does FoxGuard support?

A: With 36+ years of experience in designing and manufacturing PC-based HMIs for industrial control systems, FoxGuard Solutions is well-versed in the needs of the energy industry (including electricity, fossils, renewables, and nuclear). FoxGuard can minimize vulnerabilities and downtime, as well as aid in maintaining compliance with NERC CIP standards. If needed, FoxGuard can also design solutions integrated with supervisory control and data acquisition (SCADA) software.

We are taking our lessons learned and experience to solve the cyber challenges in other industries such as Building Automation Systems, Oil and Gas, and Manufacturing. We were recently awarded a grant from the Department of Defense to develop a cybersecurity platform for energy management and control systems. The program is targeted at protecting military installations across the world from cyber-attack.

We are a global provider of turnkey solutions. With our experience in configuring computer solutions, integrating racks, developing images, securing licenses, and ensuring hardware, software, and OS compatibility, we have been able to serve the Energy, Simulation & Training, Independent Software Vendors, Marine, Oil & Gas, and Manufacturing Industries.

Q: What are your plans for the future?

A: Cybersecurity is a matter of national security, and that won’t change anytime soon, considering the growing number of connected devices. We are continuing to work closely with businesses in critical infrastructure to develop products and services to aid with securing their assets and assisting with relevant compliance requirements.
