NERC Compliance Solutions
The North American Electric Reliability Corporation (NERC) is a non-profit organization formed to promote the reliability of power lines and transmissions in the U.S. NERC issues a number of regulations for power generators and suppliers regarding the security and reliability of critical infrastructure. To comply with these requirements, expensive dedicated security software is often needed. NERC IT compliance requirements cover the identification of critical assets followed by risk assessment and monitoring.
Ekran System® is a user activity monitoring and access management solution that can be effectively used as part of a NERC compliance software suite, providing you with the ability to continuously monitor, control, and audit actions performed on critical assets based on Windows, Linux / Unix, macOS, and Citrix platforms. Ekran System offers a number of NERC compliance solutions including multi-factor authentication, secondary authentication for shared accounts, PAM solutions, a detailed report generating tool and forensic export.
Ekran System uses a flexible licensing scheme which makes meeting NERC requirements cost-effective.
Requirement CIP-003: Security Management Controls
Ekran System can help you ensure the protection of critical cyber assets. It records everything a user sees on the screen regardless of applications or services used. This includes mouse movements in an advanced video format indexed with text log data including application names, names of active windows, visited URLs, entered keystrokes, etc. Every instance of access to critical data and every change made can be clearly viewed and tied to the corresponding user.
An inbuilt set of tools for identity and access management helps build a reliable system of user identification, granular access permission management, temporary credential management, and emergency access to critical digital assets.
Requirement CIP-004: Training and Personnel Security
A secondary level of authentication allows you to control access to critical cyber assets. Every video recording is clearly identified with a specific user even if they used a shared administrator account. Ekran System can also issue a variety of different reports, allowing you to audit the proper use of critical cyber assets.
Requirement 164.414 – Administrative Requirements and Burden of Proof
§ 164.414 Administrative requirements and burden of proof.
(a) Administrative requirements. A covered entity is required to comply with the administrative requirements of § 164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart.
(b) Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at § 164.402.
Besides the broad set of user activity recording tools, Ekran System also includes a user messaging feature that delivers custom messages to users before the session starts. Such messages may include a notification about monitoring and a set of security policies and restrictions applicable in the current situation. When receiving such a message, users have to explicitly confirm that they have read it to continue the session.
Moreover, the platform can automatically notify users about potentially dangerous actions they are performing. Such notifications also require the user to acknowledge their actions.
The platform itself includes an internal activity log where all actions performed by specialists and administrators of Ekran System are recorded.
All session records in the platform can be exported in an independent forensic format for further investigations.
Ekran System is a reliable and flexible security solution that will help you meet NERC requirements at minimum cost.