The North American Electric Reliability Corporation (NERC) standards provide a framework to identify and protect critical infrastructure assets. NERC has emphasized CIP-010 configuration change management as one of the most important CIPs that must be addressed. NERC has provided a separate standard of practice. This practice is much more rigorous than the traditional IT configuration change management, because the new standard requires extensive system integrity monitoring and change control process with impact analysis/affected requirement testing, change tracking, and documentation to name a few. In this blog, I will discuss the first two tasks: Managing the baseline configuration and change control process that is specific to the CIP-010 requirement.
Configuration change management is a common practice in some disciplines, including software development, system engineering, and IT systems operation. The purpose of configuration change management in electric systems is to minimize unauthorized access and changes that can impact the operation of Bulk Electric System (BES). Unlike in most other standard IT systems related configuration change management practice, an adverse impact on a Cyber Asset can have an adverse impact on the entire Bulk Electric System.
Configuration baseline management is the first task. Under NERC CIP, entities must perform configuration change management on their high and medium impact BES Cyber Systems (PACS) and Protected Cyber Assets (PCA). Configuration details that must be baselined include operating systems, firmware, application software, logical network ports, patches, software, etc. Unless an entity has a system in place, or has been doing this already, this process can be extremely labor intensive. Specialized tools like WizNucleus CWP can auto-discover configuration data from target devices and import other baseline data from other information silos within an enterprise, including from spreadsheet or EAM systems, and baseline that information in a relational database that is built for NERC CIP compliance management purpose.
Operationalizing the change control process is the next most important task in configuration change management. The NERC CIP-010 standard requires that any time a change is made to the baseline of a Cyber Asset, it must trigger a change management process to ensure that only authorized changes are made to the Cyber Assets. Additionally, every change must be documented to demonstrate that a proper authorization process was utilized. Using a generic ticketing system to accomplish this task is fraught with problems down the road. Additionally, the change control process must include the impact analysis to confirm that no adverse impact will be sustained by the BES Cyber Assets. This too, can be a complex and time-consuming effort without a specialized tool such as WizNucleus CWP which comes with preconfigured workflows and control testing functionality to streamline and automate the process.
Configuration monitoring, tracking, and documenting are the next biggest tasks required in CIP-010. In my next blog you can read about them and how WizNucleus CWP software can help you achieve CIP-010 configuration change management compliance and cost-effectively sustain the program.