PSEG stays in compliance with NERC CIP standards

power lines going through pylons

PSEGstays in compliance with NERC CIP standards by leveraging Network Perception’s NP-View.

Situation

Public Service Enterprise Group Inc. (PSEG) is a diversified energy company headquartered in Newark, New Jersey. Established in 1903, the company has long had a key role in fueling New Jersey’s economy and supporting the state’s quality of life.PSEG’s principal operating subsidiaries are Public Service Electric and Gas Co. (PSE&G), PSEG Power, and PSEG Long Island.

Each of PSEG’s business units must stay in compliance with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP)standards. NERC ensures the reliability of the nation’s Bulk Electric System and currently includes eleven CIP cybersecurity standards. These standards specify a minimum set of controls and processes that power generation and transmission companies must follow to ensure the reliability and security of the North American power grid.

Initially, PSEG would handle periodic NERC audits by way of a manual process.“We would generate a lot of spreadsheets and Visio diagrams to demonstrate that our networks were compliant,” said Lead Cybersecurity Analyst David Fletcher. “ButNetwork Perception’s NP-View is basically what’s used by the auditors, so we figured if that’s what they use, that’s what we wanted to use as well.”

“The progress made at PSEG in the growth ofour NERC CIP complianceprogram and thelevel of cybersecurityachieved is due in partto our collaboration withNetwork Perception andits compliance team.”

David Fletcher | Lead Cybersecurity Analyst, PSEG

Solution

PSEG now uses Network Perception’s NP-View and considers the platform to be the perfect comprehensive solution for audits and everyday monitoring.

The company relies on NP-View to comply with NERC audits. NP-View works offline and performs a comprehensive analysis of firewall, router, and switch configurations to determine connectivity. It also identifies any deviation from security policies, standards, and best practices. The network visualization enables anyone to understand issues instantly. The results of the automated analysis can be seamlessly exported into actionable security and compliance reports.

“Aside from the fact that NP-View is perfect for responding to the questions that auditors raise, I love that it’s an offline software,” said David. “That means that we don’t need to have it set up in our production environment. We can use it anywhere.”PSEG also uses NP-View Enterprise to help monitor and report on the state of the networks of its business units. This platform leverages automation and human-centered design to provide a continuous network monitoring solution that works in the background and automatically alerts users when a relevant compliance or security event occurs.

“NP-View is perfect forresponding to the questionsthat auditors raise.”

“The great thing about NP-View Enterprise is that even though it needs to operate in the production environment, we don’t have to go in and manually pull the data because NP-View Enterpriseautomatically grabs the data it needs,” said David. Network Perception also allows PSEG to effectively manage its both its information technology (IT) and operational technology(OT) networks.“The general rule of thumb for IT/OT security is that you want to have your networks separated. So, for instance, your OT network should not be able to talk to your email servers,” said David.“Network Perception allows us to create that separation and keep those controls in place. It is a solution that helps us discover which ports are open and automatically notifies us to traffic that it considers to be high-risk.”

Results

Saves Time “To prepare for an audit without the use of NP-View, staff would spend about 40 hours over the course of 12 months,” said David. “ If something changed in the spreadsheets we created, we would have to make adjustments manually. NP-View automatically keeps everything current.”

Improves Preparation for Audits“Through the combined use of NP-View and NP-View Enterprise, we are able to give auditors exactly what they need to assess our compliance,” said David. “We could provide simplified network diagrams and other information that made the audit go smoothly.”

Maintain Constant Compliance“Thanks to NP-View, during a recent audit, we received a low-impact evaluation,” said David.“That means our system was in compliance thanks to Network Perception.