NAES NERC Services offers a variety of Assessments that support and assist in evidencing compliance with NERC CIP Standards. The following offerings are applicable to High, Medium and Low Impact BES Cyber Systems.


NAES Corporation Michiko Sell Photo

Michiko Sell

Sr. NERC CIP Specialist

Contact Michiko

Services Offered

NAES NERC Services provides CIP Specialists to come to your site to identify, evaluate and classify your Cyber Assets to create an inventory of BES Cyber Systems (BCS) and their associated BES Cyber Assets (BCAs).

The NERC Cyber Security Experts will:

  • Conduct pre-planning meetings with your personnel to discuss the logistics, scope of work, and timing of deliverables
  • Perform plant walk-downs to produce an inventory of the plant's BCSs and BCAs
  • Evaluate necessary physical security contros of identified BCSs
  • Evaluate necessary electronic access controls for identified BCSs due to External Routable Connectivity and Dial-up accessible devices
  • Use Microsoft Visio to create a physical and network diagram of the plant
  • Provide a final written report of findings and recommendations at the conclusion of the engagement

The NAES NERC Team can assist power plant owners and operators in evaluating electronic access points at their facilities in order to show compliance with NERC standard  CIP-003-7.  Our NERC cyber security experts utilize the Network Security Management Software, NPView, to conduct the evaluation. NPView is the same tool used by all the NERC Regional Entities to evaluate system configurations and firewall rules during NERC audits. This service offering ensures that your facility will be made aware of potential security risks associated with your existing system configuration.

The NERC Cyber Security Experts will:

  • Evaluate firewall rules – including the level of risk associated with each rule
  • Populate an Access Control List
  • Develop a high level Network Topology Drawing, provided in Visio
  •  Conduct a Configuration Analysis of BCS connectivity to determine if the BCS is appropriately protected
  • Train all employees on controls and requirements

Optional Add-Ons:

  • Additional Firewall Evaluations
  • Inventory & Development of a BES Cyber Asset List

NAES NERC Services provides CIP Specialists to assess your state of programmatic compliance with all applicable CIP Standards. Pre-planning meeting(s) are conducted with your personnel to discuss the logistics, scope of work, and timing of deliverables. NAES will provide data requests for documentation that directly or indirectly supports programmatic compliance.  This would include,; policies, procedures, programs, forms, workflows and other internal documents that may support compliance and internal control activities. NAES evaluates these documents and identifies areas that can be strengthened. Every Standard Requirement and sub requirement is associated with existing documentation. A final written report of findings and recommendations is provided at the conclusion of the engagement.

The CIP-010-3 (Effective July 1st) Cyber Vulnerability Assessment is a critical component of the NERC CIP program.  This detailed review process validates the security configurations and security controls for BES Cyber Systems, Cyber Assets in the Electronic Security Perimeter (ESP), Access Points to the ESP, and devices that monitor or provide access control to the ESP or Physical Security Perimeter (PSP). NAES conducts paper vulnerability assessmens that include:

Network Discovery – a review of network connectivity to discover all active devices and electronic access points.

Network Ports and Services identification – a review to verify that all active and enabled ports and services have a justification.

Vulnerability Review – a review of security rule sets and configurations including controls for default accounts, passwords, and network management community strings.

Wireless Review – identification of wireless networks that are associated with  or have the ability to affect an BES Cyber System and the controls on any discovered systems.

NAES has established a program to support Security Patch evaluations to optimize entities' response to vulnerability mitigation and security patch implementation.
Security patches are researched, categorized as being critical, moderate and low risk, summarized in a report, and then working with the responsible entity, a schedule for implementation and any applicable mitigation plans are created.
NAES can support patch implementation remotely or on-site as desired.

Identify source(s) that track the release of cyber security patches for Cyber Assets contained in the BES Cyber System(s) and its associated Electronic Access Controls Monitoring systems, Physical Access Control Systems, and Protected Cyber Assets that are updateable and for which a patching source exists.

At an interval no greater than 35 calendar days, evaluate all security patches for applicability that have been released since the last evaluation of identified source(s).

Prepare and deliver a report of evaluated security patches ranked on their criticality to the function of the applicable assets.

Within 35 calendar days of the evaluation completion either:

Assist and record the installation of the patch (e.g., exports from automated patch management tools that provide installation date, verification of BES Cyber System Component software revision, or registry exports that show software has been installed); or

Create a dated mitigation plan showing when and how the vulnerability will be addressed, including documentation of the actions to be taken
to mitigate the vulnerabilities addressed by the security patch and a timeframe for the completion of these mitigations.

Security patch installation will be supported either remotely or via on-site visits.

For any mitigation plans created, documentation of the implementation of that mitigation plan shall be prepared and delivered to the Responsible Entity.
In the event, the mitigation plan must be altered, NAES shall append such plan to document new timelines or mitigating actions.

All mitigation plans shall be delivered to the CIP Sr. Manager for review and approval within the 35 calendar day implementation time frame after each security patch evaluation period.