While speaking with a number of people at the recent NEI Cyber Security Implementation Workshop in Boston, I was reminded again how dimly many participants view the “assessment tool” market. Many of you see cmplid:// as merely an alternative to your existing commercial or internally developed tools. It is not. cmplid:// is a security automation solution that, yes, can be used to complete assessments, but that is not where the story ends. It is not an alternative to a word processor, spreadsheet, database, or MS SharePoint Services. It is an upgrade. A significant one at that.
cmplid:// is a unique solution with intelligent capabilities. It provides automated analysis of:
- The site or fleet SCIS
- Relevant characteristics of your equipment and other resources
- NVD data including CVEs, based on the CPE Dictionary, and CVSS V2/V3 Environmental Scores
Further, cmplid:// may be used to easily integrate security-relevant design concerns throughout the plant modification process, from the earliest stages, and to store security-relevant configuration information regarding technical resources, including CDAs.
cmplid:// stores all relevant information in an integrated database and provides numerous functions that use the data to facilitate these and many other automation capabilities. Some of the functions that take advantage of the integrated data include:
Real-time and near-real-time analysis of a resource's status. Through this, cmplid:// is able to determine:
- If the SCIS provides complete implementation mechanisms for all security standards (e.g. NEI 08-09 controls) for all CDAs
- The current status of all required controls for a CDA
- The applicability of common controls for all CDAs
- The Common Platform Enumeration dictionary entries applicable to a CDA
- The number and severity of CVEs applicable to a CDA
- Automated retrieval and analysis of CVEs, based on the CPE Dictionary entries applicable to CDAs
- Automated calculations of CVSS Environmental Scores based on user-defined rules
- Automated disposition of CVEs for CDAs where the CVSS Environmental Score is below user-defined thresholds
- Notification of CVEs that require manual disposition
The automation within cmplid:// is truly a new paradigm. Instead of thinking that implementing cmplid:// provides you a better storage solution for the output of manual processes, you should be thinking that cmplid:// provides new processes that are better, more effective, and far more efficient than what you are doing now.
The best part of cmplid:// is that the cost, both financially and in manpower configuring and maintaining cmplid://, is relatively low. cmplid:// costs less than one full-time equivalent employee per plant annually and frees up those personnel dedicated to:
- Researching and analyzing vulnerabilities
- Characterizing CDAs and other resources for assessment logic and vulnerability mitigations
- Reconciling SCIS deficiencies and manually assessing CDAs
- Communicating security requirements throughout plant modifications
With its automation, cmplid:// allows those personnel to spend much of their time on more productive things. cmplid:// works for you; it doesn’t simply store the results of your work.
To learn more, contact us at firstname.lastname@example.org