Support for Streamlined, Continuous NERC CIP-006 Compliance with Low Operational Overhead
Emilia Malachowski, Sep 16, 2022
The NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) standards define the mandatory minimum requirements that apply to entities that own or manage U.S. and Canadian electric power grid facilities. They are intended to maintain the reliability of the North American Bulk Electric System (BES), harden it against attacks, and mitigate risk.
Since 1996, the NERC CIP standards have evolved in response to the threat environment to focus on cybersecurity. However, compliance is about much more than network security, cloud environments, and malicious code threats. Entities may not fully understand compliance obligations outside of their traditional cybersecurity scope, which may result in fines, sanctions, or other actions, including penalties up to $1 million per day.
The standards, currently numbered CIP-002 through CIP-014, encompass a wide range of categories, including Policy and Governance, Control Center Communications, Supply Chain Security, and others. NERC CIP-006-6 Physical Security of Critical BES Cyber Assets is a standard for which entities may find ongoing compliance difficult to achieve, which creates substantial business risk.
Verkada provides customized, AI-powered, hybrid-cloud, automation-based solutions that support streamlined and scalable NERC CIP-006-6 compliance, with low operational overhead. Here is what Verkada's solutions for simpler, more efficient, and more successful NERC CIP-006-6 compliance look like in practice.
How Verkada Can Help You Meet NERC CIP-006-6 Requirements
CIP-006-6 is intended to guide the implementation of a reliable and effective physical security program for the protection of critical BES cyber assets. Requirements are defined in three categories:
R1 Physical Security Plan
R2 Visitor Control Program
R3 Physical Access Control System Maintenance and Testing Program
Verkada's suite of hybrid-cloud physical security products enables power plants and other entities to efficiently meet each of these requirements. More specifically, here is how Verkada meets each CIP-006-6 standard and requirement.
R1 Physical Security Plan. This category defines 10 requirements that aim to restrict physical access to facilities through enforcement of documented operational and procedural controls.
Verkada Access Control solutions check all the boxes to support continuous compliance across all 10 requirements:
R1.1 requires “operational and procedural controls to restrict physical access”: Verkada's easy-to-use configuration management tools can be used to define and automate both operational and procedural controls, making compliance management easier and more reliable.
R1.2 and R1.3 require “at least one physical access control” and “two or more different physical access controls, if possible” respectively: Verkada's Touchless Bluetooth, digital keycards, and key fob systems can be deployed to allow access only to properly credentialed users.
R1.4 and R1.6 require entities to “monitor for unauthorized access through a physical access point” and “monitor each physical access control system for unauthorized physical access”: Verkada's hybrid-cloud tools provide real-time visibility of facilities and continuous monitoring capabilities.
R1.5 and R1.7 require “response to detected unauthorized access […] within 15 minutes of detection” and “response to detected unauthorized access to a physical access control system […] within 15 minutes of detection”: Verkada's fully integrated Alarms & Professional Monitoring solutions can issue an alarm or alert to unauthorized access in real-time and help direct response immediately.
R1.8 and R1.9 require entities to “log entry of each individual […] with information to identify the individual and date and time of entry” and “retain […] logs of entry […] for at least ninety calendar days”: Verkada can generate detailed logging data per customizable configurations and retain it indefinitely, or for any other duration specified.
R1.10 requires entities to “restrict physical access to cabling and other nonprogrammable communication components”: Verkada Access Control is purpose-built to restrict access to only properly credentialed users.
R2 Visitor Control Program. This category defines three requirements that establish controls to manage visitors.
R2.1 requires that “continuous escorted access of visitors” be verified, monitored and recorded: Verkada's hybrid-cloud solutions provide robust support for security information retention, review, and auditing, including easy-to-use sharing features.
R2.2 and R2.3 require “manual or automated logging of visitor entry […] including date and time of the initial entry and last exit, the visitor's name” and retention of “visitor logs for at least ninety calendar days”: Verkada's solutions provide detailed logging with customized configurations, and data can be retained indefinitely, or for any other duration specified.
R3 Physical Access Control System Maintenance and Testing Program. This standard defines a single requirement to continuously maintain and regularly test and verify physical access control systems. These processes can be efficiently managed by Verkada's solutions:
R3.1 requires “maintenance and testing of PACS and locally mounted hardware or devices […] at least once every 24 calendar months”: Verkada systems can be configured to support alerts and reminders for system maintenance and testing, to ensure these requirements occur according to any programmed schedule.
NERC CIP-006-6 Compliance Integrated Solution
In addition to the above compliance standards, FERC Order 822 requires that NERC CIP standards are continually updated, to keep pace with changing technologies, systems, and threats.
Verkada's hybrid-cloud solution allows entities to stay ahead of the latest NERC CIP updates with purpose-built performance features designed to achieve the most comprehensive, modern approach to physical security, including:
Fully digital, real-time, AI-powered solutions
Simplified, automated compliance with NERC CIP-006 controls
Seamless integration with existing tools & systems
Data protection at every stage, including SSO, granular user permissions, encryption key management & more
Proven scalability that supports large deployments with low staff overhead
Single-pane interface provides simplified management across devices, with actionable insights that can be leveraged for better security decisions
Customizable configurations for precise performance
One point of contact for personalized, dedicated support
Verkada's solutions are versatile and also relevant for other NERC CIP categories, including CIP-013 Supply Chain Security and CIP-014 Physical Security of Key Substations. For more advanced applications, Verkada's AI-powered People Analytics is a powerful upgrade over simple detection technologies. Its features include Face Search, Occupancy Trends, Person of Interest search, and much more.
Verkada's unique capabilities across a spectrum of key access control and monitoring functions make reaching NERC CIP-006 compliance goals much easier. We can help you replace labor-intensive, unreliable manual processes with automation and AI-powered solutions, while protecting your facilities to a higher standard for safety. These other capabilities can help your organization become CIP-006 compliant on a continuous basis, while simultaneously improving security and lowering operational costs.
Ready to learn more? Let's begin a conversation about how Verkada can help you achieve ongoing, audit-ready NERC CIP compliance. Our solutions streamline compliance management and auditing with electronic monitoring, logging, and reporting of access to physical areas. It's a powerful platform that drives better, more confident risk decisions. Contact [email protected] today to learn more.
Emilia Malachowski is a Product Operations Manager at Verkada, having previously worked in product compliance at Amazon.