Support for Streamlined, Continuous NERC CIP-006 Compliance with Low Operational Overhead

The NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) standards define the mandatory minimum requirements that apply to entities that own or manage U.S. and Canadian electric power grid facilities. They are intended to maintain the reliability of the North American Bulk Electric System (BES), harden it against attacks, and mitigate risk.

Since 1996, the NERC CIP standards have evolved in response to the threat environment to focus on cybersecurity. However, compliance is about much more than network security, cloud environments, and malicious code threats. Entities may not fully understand compliance obligations outside of their traditional cybersecurity scope, which may result in fines, sanctions, or other actions, including penalties up to $1 million per day. 

The standards, currently numbered CIP-002 through CIP-014, encompass a wide range of categories, including Policy and Governance, Control Center Communications, Supply Chain Security, et al. NERC CIP-006-6 Physical Security of Critical BES Cyber Assets is a standard that may be difficult for entities to achieve ongoing compliance for, which creates substantial business risk.

Verkada provides customized, AI-powered, hybrid-cloud, automation-based solutions that support streamlined and scalable NERC CIP-006-6 compliance, with low operational overhead. Here is what Verkada's solutions for simpler, more efficient, and more successful NERC CIP-006-6 compliance look like in practice. 

How Verkada Can Help You Meet NERC CIP-006-6 Requirements

CIP-006-6 is intended to guide the implementation of a reliable and effective physical security program for the protection of critical BES cyber assets. Requirements are defined in three categories:

1. R1 Physical Security Plan

2. R2 Visitor Control Program

3. R3 Physical Access Control System Maintenance and Testing Program

Verkada's suite of hybrid-cloud physical security products enable power plants and other entities to efficiently meet each of these requirements. More specifically, here is how Verkada meets each CIP-006-6 standard and requirement. 

R1 Physical Security Plan. This category defines 10 requirements that aim to restrict physical access to facilities through enforcement of documented operational and procedural controls.

Verkada Access Control solutions check all the boxes to support continuous compliance across all 10 requirements:

• R1.1 requires “operational and procedural controls to restrict physical access”: Verkada's easy-to-use configuration management tools can be used to define and automate both operational and procedural controls, making compliance management easier and more reliable.

• R1.2 and R1.3 require “at least one physical access control” and “two or more different physical access controls, if possible” respectively: Verkada's Touchless Bluetooth, digital keycards, and key fob systems can be deployed to allow access only to properly credentialed users.

• R1.4 and R1.6 require entities to “monitor for unauthorized access through a physical access point” and “monitor each physical access control system for unauthorized physical access”: Verkada's hybrid-cloud Video Security tools provide real-time visibility of facilities and continuous monitoring capabilities.

• R1.5 and R1.7 require “response to detected unauthorized access [...] within 15 minutes of detection” and “response to detected unauthorized access to a physical access control system […] within 15 minutes of detection”: Verkada's fully integrated Alarms & Professional Monitoring solutions can issue an alarm or alert to unauthorized access in real-time and help direct response immediately.

• R1.8 and R1.9 require entities to “log entry of each individual […] with information to identify the individual and date and time of entry” and “retain […] logs of entry […] for at least ninety calendar days”: Verkada can generate detailed logging data per customizable configurations and retain it indefinitely, or for any other duration specified.

• R1.10 requires entities to “restrict physical access to cabling and other nonprogrammable communication components”: Verkada Access Control is purpose-built to restrict access to only properly credentialed users.

R2 Visitor Control Program. This category defines three requirements that establish controls to manage visitors.

Verkada Guest Management solutions support continuous compliance for all three requirements:

• R2.1 requires that “continuous escorted access of visitors” be verified, monitored and recorded: Verkada's hybrid-cloud solutions provide robust support for security information retention, review, and auditing, including easy-to-use sharing features.

• R2.2 and R2.3 require “manual or automated logging of visitor entry […] including date and time of the initial entry and last exit, the visitor's name” and retention of “visitor logs for at least ninety calendar days”: Verkada's solutions provide detailed logging with customized configurations, and data can be retained indefinitely, or for any other duration specified.

R3 Physical Access Control System Maintenance and Testing Program. This standard defines a single requirement to continuously maintain and regularly test and verify physical access control systems. These processes can be efficiently managed by Verkada's solutions:

• R3.1  requires “maintenance and testing of PACS and locally mounted hardware or devices […] at least once every 24 calendar months”: Verkada systems can be configured to support alerts and reminders for system maintenance and testing, to ensure these requirements occur according to any programmed schedule.

NERC CIP-006-6 Compliance Integrated Solution

In addition to the above compliance standards, FERC Order 822 requires that NERC CIP standards are continually updated, to keep pace with changing technologies, systems, and threats. 

Verkada's hybrid-cloud solution allows entities to stay ahead of the latest NERC CIP updates with purpose-built performance features designed to achieve the most comprehensive, modern approach to physical security, including:

• Fully digital, real-time, AI-powered solutions

• Simplified, automated compliance with NERC CIP-006 controls

• Seamless integration with existing tools & systems

• Data protection at every stage, from SSO, granular user permissions, encryption key management & more

• Proven scalability that supports large deployments with low staff overhead

• Single-pane interface provides simplified management across devices, with actionable insights that can be leveraged for better security decisions

• Customizable configurations for precise performance

• One point of contact for personalized, dedicated support

Verkada's solutions are versatile and also relevant for other NERC CIP categories, including CIP-013 Supply Chain Security and CIP-014 Physical Security of Key Substations. For more advanced applications, Verkada's AI-powered People Analytics is a powerful upgrade over simple detection technologies. Its features include Face Search, Occupancy Trends, Person of Interest search, and much more.

Verkada's unique capabilities across a spectrum of key access control and monitoring functions makes reaching NERC CIP-006 compliance goals much easier. We can help you replace labor intensive, unreliable manual processes with automation and AI-powered solutions, while protecting your facilities to a higher standard for safety. These other capabilities can help your organization become CIP-006 compliant on a continuous basis, while simultaneously improving security and lowering operational costs.

Ready to learn more? Let's begin a conversation about how Verkada can help you achieve ongoing, audit-ready NERC CIP compliance. Our solutions streamline compliance management and auditing with electronic monitoring, logging, and reporting of access to physical areas. It's a powerful platform that drives better, more confident risk decisions. Contact [email protected] today to learn more.