
How Sophos can help achieve compliance with Reliability Standards for the Bulk Electric Systems of North America
NERC Reliability Standards define the requirements for planning and operating the North American bulk power system and focus on performance, risk management, and entity capabilities. Section 215 of the Federal Power Act requires the Electric Reliability Organization (ERO) to develop mandatory and enforceable reliability standards, which are subject to Commission review and approval. Sanctioning of confirmed violations is determined pursuant to the NERC Sanction Guidelines and is based heavily upon the Violation Risk Factors and Violation Severity Levels of the standards requirements violated and the violation's duration. Entities found in violation of any standard must submit a mitigation plan for approval by NERC and, once approved, must execute this plan as submitted.

In this report, we investigate the CIP Standards related to Critical Cyber Asset, Cyber Security and Information Management and identify the key benefits of using Sophos to address each Standard.
Introduction and Organizational Benefits:

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use, and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile, server and network security backed by SophosLabs, a global network of threat intelligence centers.

Many state, provincial and municipal governments around the world turn to Sophos to provide them with highly effective security solutions they can depend on. Sophos understands that these needs are different from those of other industries. Sophos products are simple and cost-effective, without sacrificing performance or functionality.

Sophos UTM
Essential next-generation firewall protection for network, web, email, applications, and users that is unmatched in its deployment flexibility: hardware, software, virtual or cloud, with options for high availability, clustering, branch office connectivity, wireless, and centralized management and reporting.
Gartner Magic Quadrant LEADER

Sophos SafeGuard Encryption
The complete encryption and data protection solution with simplified central control.
- Instant, detailed reports & audits
- Role based management
- Dual-officer authorization for critical tasks
Gartner Magic Quadrant LEADER

Sophos Endpoint Protection
Next-generation endpoint protection integrates innovative technology with real-time threat intelligence to secure Windows, Mac and Linux systems against malware and advanced threats.
Gartner Magic Quadrant LEADER

How Sophos Meets NERC Standards May 2015 (cont.)

CIP Standards (May 2015)


CIP Standard: Critical Cyber Asset Identification (Standard 002-3b)

002-3b-R3: Critical Asset Identification Method - Include systems and facilities at master and remote sites that provide monitoring and control, automatic generation control, real-time power system modeling, and real-time inter-utility data exchange, further qualified to be those having at least one of the following characteristics:
R3.1. The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or,
R3.2. The Cyber Asset uses a routable protocol within a control center; or,
R3.3. The Cyber Asset is dial-up accessible.

How Sophos delivers:

002-3b-R3: The Sophos UTM network feature set provides both static and dynamic routing options which, when used with the integrated security features, provide controlled connectivity between local and remote networks. Routed traffic can be sent over encrypted VPN links using either multiple UTMs at the endpoints, or a combination of a central UTM controller with remotely linked RED devices. In both scenarios traffic can be controlled using the Next Generation Firewall features, and scanned using both the inline Intrusion Protection System and the Advanced Threat Protection functions.



CIP Standard: Cyber Security - Electronic Security Perimeter(s) (Standard 005-3a)

005-3: Summary - Requires the identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter.

005-5-R2-Part 2.2: Requirements and Measurements - For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System. An example of evidence may include, but is not limited to, architecture documents detailing where encryption initiates and terminates.

005-5-R2-Part 2.3: Requirements and Measurements - Require multi-factor authentication for all Interactive Remote Access sessions.

Sophos delivers:

005-3: Summary: The Sophos UTM provides network perimeter protection and control for both inbound and outbound access. For outbound access the UTM provides layered protection, control and visibility in the form of integrated Firewall, IPS, Application Control, and secure proxy features. These tools provide granular policy control over what leaves the network, and provide both real-time and historical information. For inbound access the UTM acts as a secure, controlled entry point for any applications or users accessing internal network resources. Site-to-site and remote-user VPN options are available, along with a fully featured Web Application Firewall which provides SSL termination and scanning, protection, and controlled user access.

005-5-R2-Part 2.2: The Sophos UTM provides IPsec, SSL and RED tunnels (RED being a proprietary site-to-site connection) that terminate at the UTM on each end of the tunnel, as well as allowing users to gain remote access via client IPsec and SSL connections to the UTM.

005-5-R2-Part 2.3: The Sophos UTM provides two-factor authentication for SSL client connections using one-time passwords via TOTP (time-based OTP). The Sophos UTM can also leverage RADIUS servers for authentication of remote access users.



CIP Standard: Cyber Security - Systems Security Management (Standard 007-3a & Standard 007-5 Section 4 - Guidelines)

007-3a-R2: Ports and Services - Ensure that only those ports and services required for normal and emergency operations are enabled.

Sophos delivers:

007-3a-R2: The Sophos UTM provides a default deny-all/log setting which can then be modified to allow trusted inbound and outbound access. UTM policies can be configured using a combination of source/destination networks, service ports, time of day and Layer 7 application type.
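The 007-3a-R2 response describes policies built from source/destination networks, service ports and time of day on top of a default deny/log posture. As an added example that is not Sophos UTM code or configuration, the following Python models that first-match evaluation so an auditor can reason about which flows a rule set admits and which fall through to the default deny, and lists every service the allow rules expose for comparison against the documented list of required ports. The rule set, addresses and flows are constructed.

```python
"""First-match policy evaluation over a default deny/log base, modelling the
007-3a-R2 posture (only required ports and services enabled).
Added illustration, not Sophos UTM code or configuration."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    src: str                      # source network, CIDR
    dst: str                      # destination network, CIDR
    proto: str                    # "tcp", "udp" or "any"
    ports: Tuple[int, ...] = ()   # destination ports; () means any port
    start: time = time(0, 0)      # time-of-day window, inclusive
    end: time = time(23, 59, 59)

    def matches(self, src: str, dst: str, proto: str, dport: int, at: datetime) -> bool:
        return (
            ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", proto)
            and (not self.ports or dport in self.ports)
            and self.start <= at.time() <= self.end
        )


# Constructed rule set for a small control-centre segment (addresses are examples).
RULES: List[Rule] = [
    Rule("block-legacy-telnet", "deny", "0.0.0.0/0", "0.0.0.0/0", "tcp", (23,)),
    Rule("scada-modbus", "allow", "10.10.0.0/24", "10.20.0.5/32", "tcp", (502,)),
    Rule("admin-ssh-business-hours", "allow", "10.10.0.10/32", "10.20.0.0/24", "tcp", (22,),
         start=time(7, 0), end=time(19, 0)),
]


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int, at: str) -> Tuple[str, str]:
    """Return (action, rule name) for a flow; `at` is an ISO-8601 local timestamp.
    The first matching rule wins; anything unmatched hits the implicit deny, which
    is where the "deny all/log" default records the attempt."""
    when = datetime.fromisoformat(at)
    for rule in rules:
        if rule.matches(src, dst, proto, dport, when):
            return rule.action, rule.name
    return "deny", "default-deny-log"


def exposed_services(rules: List[Rule]) -> List[Tuple[str, int]]:
    """Every (protocol, port) some allow rule opens: the list an auditor compares
    against the documented ports required for normal and emergency operations."""
    return sorted({(r.proto, p) for r in rules if r.action == "allow" for p in r.ports})


if __name__ == "__main__":
    for flow in [("10.10.0.20", "10.20.0.5", "tcp", 502, "2015-05-04T03:00:00"),
                 ("10.10.0.10", "10.20.0.7", "tcp", 22, "2015-05-04T22:00:00")]:
        print(flow, "->", evaluate(RULES, *flow))
    print("exposed:", exposed_services(RULES))
```

Note that the same SSH flow is allowed at 10:00 and falls to the default deny at 22:00: a time-bounded allow rule is only as good as the logging on the default deny that catches the out-of-hours attempt.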

007-3a-R3: Security Patch Management - Implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).

007-3a-R4: Malicious Software Protection - Use anti-virus software and other malicious software (malware) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).

007-3a-R5: Account Management - Enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access. At a minimum, password enforcement is required.

Sophos delivers:

007-3a-R3: The Sophos UTM uses a default auto-update feature to ensure that security patterns are current. Firmware updates can also be downloaded automatically by default, but are not applied automatically.

007-3a-R4: The Sophos UTM uses dual AV scan engines for web content scanning, Advanced Threat Protection (ATP), email scanning, Intrusion Prevention, and the Web Application Firewall when protecting the network.

007-3a-R5: The Sophos UTM is able to authenticate who is accessing the UTM itself as well as internal resources. The UTM provides information on anyone that accesses the UTM itself along with any changes made. The UTM can log and track the following:
- Web browsing activity
- Web Application Firewall activity
- Firewall activity
- Remote VPN access
- Web Admin usage

To prevent internal users from accessing internal resources, administrators would define VLANs on the network and use switches to control that internal traffic. The UTM can also leverage user-based firewall policy rules through the use of an authentication agent that would need to be deployed to endpoints.
007-3a-R6: Security Status Monitoring - Ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.

007-3a (Other): Documentation / Data Retention (System Event Logs) / Violation Severity Levels (CIP-007-5) / Alerts

Sophos delivers:

007-3a-R6: The Sophos UTM provides alerting to events on the device via email notifications, SNMP, syslog integration, and IPFIX. The solution provides network perimeter protection and control for both inbound and outbound access. For outbound access the UTM provides layered protection, control and visibility in the form of integrated Firewall, IPS, Application Control, and secure proxy features. These tools provide granular policy control over what leaves the network, and provide both real-time and historical information. For inbound access the UTM acts as a secure, controlled entry point for any applications or users accessing internal network resources. Site-to-site and remote-user VPN options are available, along with a fully featured Web Application Firewall which provides SSL termination and scanning, protection, and controlled user access.

007-3a (Other): The Sophos UTM provides network perimeter protection and control for both inbound and outbound access, with the same layered outbound controls and inbound entry-point protections described under 007-3a-R6 above.
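007-3a-R5 and R6 ask for accountability for user activity and automated monitoring of security-related events; the responses above point to Web Admin usage logging and syslog export as the evidence. The following Python is an added example, not Sophos code, of the detection logic a log collector could run over those exported events: it raises an alert on repeated failed administrator logins within a short window and on configuration changes that originate outside the administrative network. The line format and every log line are constructed for illustration and are not Sophos UTM output.

```python
"""Detection logic over syslog exported from a perimeter device, in the spirit
of 007-3a-R5 (accountability) and R6 (security status monitoring).
Added example; the line format and all log lines are constructed and are not
Sophos UTM output."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List

# Constructed format: "<ISO timestamp> <host> <program>: <message>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+): (?P<msg>.*)$")
FAILED = re.compile(r"login failed for user '(?P<user>[^']+)' from (?P<src>[\d.]+)")
CHANGE = re.compile(r"user '(?P<user>[^']+)' from (?P<src>[\d.]+) changed (?P<obj>\S+)")

# Constructed sample export: one failed-login burst, one routine change from the
# admin segment, one isolated failure, one change from an unexpected source.
SAMPLE_LOGS = """\
2015-05-04T02:10:01Z utm1 webadmin: login failed for user 'admin' from 203.0.113.7
2015-05-04T02:10:05Z utm1 webadmin: login failed for user 'admin' from 203.0.113.7
2015-05-04T02:10:09Z utm1 webadmin: login failed for user 'admin' from 203.0.113.7
2015-05-04T02:10:14Z utm1 webadmin: login failed for user 'admin' from 203.0.113.7
2015-05-04T02:10:18Z utm1 webadmin: login failed for user 'admin' from 203.0.113.7
2015-05-04T08:01:30Z utm1 webadmin: user 'ops1' from 10.10.0.10 changed firewall.rules
2015-05-04T09:15:02Z utm1 webadmin: login failed for user 'ops2' from 10.10.0.11
2015-05-04T23:40:11Z utm1 webadmin: user 'ops1' from 198.51.100.9 changed packetfilter.rules
"""


def parse(lines: Iterable[str]) -> Iterator[Dict]:
    """Yield structured events; lines that do not fit the format are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def detect(lines: Iterable[str], threshold: int = 5, window: timedelta = timedelta(minutes=5),
           admin_nets: Iterable[str] = ("10.10.0.0/24",)) -> List[Dict]:
    """Two checks: `threshold` failed logins for one (user, source) inside `window`,
    and any configuration change from a source outside the administrative networks."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    failures: Dict[tuple, List[datetime]] = defaultdict(list)
    alerts: List[Dict] = []
    for ev in parse(lines):
        f = FAILED.search(ev["msg"])
        if f:
            key = (f["user"], f["src"])
            recent = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(recent) >= threshold:
                alerts.append({"type": "repeated_failed_logins", "user": f["user"],
                               "src": f["src"], "count": len(recent), "at": ev["ts"]})
                recent = []  # reset so the same burst is not reported twice
            failures[key] = recent
            continue
        c = CHANGE.search(ev["msg"])
        if c and not any(ipaddress.ip_address(c["src"]) in n for n in nets):
            alerts.append({"type": "change_from_outside_admin_net", "user": c["user"],
                           "src": c["src"], "object": c["obj"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS.splitlines()):
        print(a)
```

The second check is the one that turns an audit log into accountability evidence: the change by ops1 from the admin segment is normal and generates nothing, while the same account changing rules from an address outside that segment is exactly the event the retained logs exist to surface.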



CIP Standard: Information Protection (Standard 011-1)

011-1.2 - Procedures for protecting and securely handling, which include topics such as storage, security during transit, and use of BES Cyber System Information.

011-2.1 - Records tracking actions such as encrypting.

011-2.2 - Records of actions taken to prevent unauthorized retrieval of BES Cyber System Information.

Sophos delivers:

011-1.2: The Sophos UTM keeps track of logging information for all features of the UTM as well as system monitoring logs. It can log which users access which resources, such as websites, VPN remote access and firewall logs. The UTM itself is a hardened OS where you are able to control access via role-based administration, so that users in specific groups only have the ability to view logs but not make any changes to settings. The UTM contains various logs of interest that can be streamed to a syslog server over a secure encrypted tunnel.

011-2.1: The Sophos SafeGuard Encryption offering provides the ability to do full disk encryption, file, file-share and cloud encryption, all of which allow logging and auditing of data as it moves from one location to another. This solution also offers auditing of actions taken within the SafeGuard Management Console, and offers role-based administration so that different users have different levels of access rights. The Sophos UTM also has the ability to leverage the DLP feature that can enforce encryption of data sent via email through the UTM email proxy.

011-2.2: The Sophos UTM is able to authenticate who is accessing the UTM itself as well as internal resources. The UTM provides information on anyone that accesses the UTM itself along with any changes made. The UTM can log and track the following:
- Web Application Firewall access
- Remote VPN access
- Web Admin access

Presented by:
Toll Free: (800) 509-5952
Email: sales@1totaltech.com
www.1totaltech.com
