With NERC CIP v6 approved by FERC’s Order 822 earlier this year, the burden of meeting compliance requirements and ensuring the protection of BES Cyber Assets is only increasing. The Critical Infrastructure Protection (CIP) standards are designed to provide the minimum requirements an enterprise must meet to prevent faults and cyber-attacks and to ensure that the Bulk Electric System (BES) is protected. The standards range from CIP-002 to CIP-011.
Some new facilities that have come under these requirements may find it hard to figure out how to go about meeting them. It is important to consider the changing requirements and put in place the right mechanisms to sustain your NERC CIP compliance program. In this blog, we discuss three things that are important for developing and maintaining a CIP v6 compliance program.
Assuming that you have identified your BES Cyber Assets and Systems and understand their applicability as a Low, Medium or High categorization, the first step is to review the documentation that guides your compliance efforts. Start with a review of your current activities from the CIP compliance standpoint. You may need trained resources with a good understanding of the NERC CIP standards and the applicable requirements to help you identify the gaps. Based on this exercise, a few additional activities must be addressed, including the identification, or review, of your BES Cyber Assets and Systems, and a review of the ESP and PSP, which may result in redesign considerations.
Next, you need to start training your people on cyber security. Getting them trained on interpretations of the NERC CIP requirements and their applicability to your environment is as important as any other activity identified during the gap analysis phase. The training topics should include the compliance-related tasks, roles, responsibilities, and processes that are necessary to meet the compliance objectives. There are also NERC-mandated training topics you must address, such as the CIP-004 requirement.
However, the biggest and most expensive burden will arise from CIP-010. These requirements can be complicated to implement. This CIP standard requires you to operationalize the security tasks and to implement and manage individual processes that are aligned with well-defined policies and procedures that support compliance with the standard.
Challenging tasks include the need to baseline the configuration data by capturing device details, including ports, services, users, patches, etc. You are also required to manage changes and document evidence. Attempting to do this manually can be expensive and error-prone.
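To show what automating the baseline-and-change task described above can look like, here is an added example (not from the original post or from any product): it compares a stored baseline of ports, services, users and patches with a current snapshot and builds an evidence record that flags changes lacking an authorization. The device name, the record layout, the `category:kind:item` authorization strings and the sample data are assumptions constructed for illustration.

```python
import hashlib
import json

# Categories named in the text above; the record layout is an assumption.
CATEGORIES = ("ports", "services", "users", "patches")

def fingerprint(snapshot):
    """Stable SHA-256 over a snapshot so evidence can name the exact baseline."""
    canon = {c: sorted(str(v) for v in snapshot.get(c, [])) for c in CATEGORIES}
    return hashlib.sha256(json.dumps(canon, sort_keys=True).encode()).hexdigest()

def diff_baseline(baseline, current):
    """Return {category: {"added": [...], "removed": [...]}} for changed categories."""
    changes = {}
    for cat in CATEGORIES:
        old = {str(v) for v in baseline.get(cat, [])}
        new = {str(v) for v in current.get(cat, [])}
        if old != new:
            changes[cat] = {"added": sorted(new - old), "removed": sorted(old - new)}
    return changes

def evidence_record(device, baseline, current, authorized=()):
    """Build a change record; deviations without a matching authorization are flagged."""
    changes = diff_baseline(baseline, current)
    approved = set(authorized)
    unauthorized = [
        f"{cat}:{kind}:{item}"
        for cat, delta in changes.items()
        for kind in ("added", "removed")
        for item in delta[kind]
        if f"{cat}:{kind}:{item}" not in approved
    ]
    return {
        "device": device,
        "baseline_sha256": fingerprint(baseline),
        "current_sha256": fingerprint(current),
        "changes": changes,
        "unauthorized": unauthorized,
    }

# Constructed sample data for a hypothetical device "relay-gw-01".
BASELINE = {"ports": ["22/tcp", "443/tcp"], "services": ["sshd", "nginx"],
            "users": ["admin", "svc_hist"], "patches": ["KB-0001", "KB-0002"]}
CURRENT = {"ports": ["22/tcp", "443/tcp", "23/tcp"], "services": ["sshd", "nginx", "telnetd"],
           "users": ["admin", "svc_hist"], "patches": ["KB-0001", "KB-0002", "KB-0003"]}

if __name__ == "__main__":
    rec = evidence_record("relay-gw-01", BASELINE, CURRENT,
                          authorized=["patches:added:KB-0003"])
    print(json.dumps(rec, indent=2))
```

In this constructed run the approved patch is recorded as a change but not flagged, while the new port and service appear under `unauthorized` for follow-up.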
Of course, the scope of overall compliance management for v5/6 is more complex and is not limited to these three things; however, they are important first considerations.