Companies that fall under the NERC CIP V5 scope are starting to realize that spreadsheets or SharePoint just aren’t enough when it comes to running a sustainable and repeatable compliance program. In addition, many companies are realizing that a generic GRC tool requires a lot of work just to configure it for CIP V5.
To help get you started in your quest for the solution that will optimize your CIP program and make you more efficient, we have compiled a list of 10 things to look for.
- Don’t start from scratch: With a desire to serve a broad spectrum of target markets, many solutions have very generic workflows and business process definitions and provide a “blank sheet of paper”. What that means is that the process definition for NERC CIP V5 has to be done by the client, or by paying a services company. The result is a lot of time and money spent on configuring the product instead of making progress on the CIP program. Choose a product that has templates and workflows built specifically for CIP V5 so you can focus on your program, not on the tool.
- Play nicely with others: Make sure you get a solution that adds value to what you have rather than just adding another silo to your product suite. Security and compliance are made up of an ecosystem of products such as asset management, patch management, log management, and configuration integrity monitoring. Pick a product that integrates well with your existing and future ecosystem.
- Where were you born? When entering new markets, many vendors will take a product built for one market and try to make it fit another. Most of the time it becomes obvious that this approach frustrates clients as they try to make the product fit an environment different from the one it was designed for. The energy market has unique requirements for things such as SCADA and Industrial Control Systems. It’s important that the vendor you choose has a proven track record in, and focuses on, the energy market.
- It’s all about the assets: All those assets and all those attributes – where are they? What are they? Software levels, patch levels, services running, ports open. Make sure all that information can be easily imported from wherever you keep your data today. Can the tool automatically collect asset data? Make sure you can run reports and queries on the data. It’s best to choose a solution that uses a relational database so you have the most flexibility. It’s your data – put it to use.
- Where am I? Establish the baseline and keep it current. To do that, look for a solution that facilitates and automates as much as possible. It’s important that the tool monitors your assets, systems, services, ports, patches and users for changes and ensures that every change is approved.
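
As an added illustration of the asset-attribute and baseline-monitoring idea in the two items above (this is example code written for this page, not code from the original post or from any product it describes), the Python below holds a constructed asset baseline with the attributes named above, compares a later snapshot against it, and flags every deviation that no approved change record covers. Asset names, attribute values and the ticket number are all made up.

```python
"""Baseline-and-drift check for CIP asset attributes (added example).

Keeps a baseline of each asset's attributes (software version, patch
level, running services, open ports, local users), compares a later
collection against it, and reports every difference that is not covered
by an approved change record.  All asset data here is constructed.
"""
import copy
from dataclasses import dataclass
from typing import Dict, List

# A snapshot is {asset_id: {attribute: value}}.  Set-valued attributes
# (services, ports, users) are frozensets so they compare by content.
Snapshot = Dict[str, Dict[str, object]]

BASELINE: Snapshot = {  # constructed sample baseline
    "RTU-01": {"software": "rtufw 4.2.1", "patch_level": "2019-03",
               "services": frozenset({"dnp3", "ssh"}),
               "ports": frozenset({20000, 22}),
               "users": frozenset({"admin", "ops"})},
    "HMI-01": {"software": "hmi 7.0", "patch_level": "2019-02",
               "services": frozenset({"rdp", "hmi-runtime"}),
               "ports": frozenset({3389, 8080}),
               "users": frozenset({"admin", "operator"})},
}

# Later collection (constructed).  Deviations from baseline: RTU-01 patch
# level moved (approved below), RTU-01 gained port 23 and a telnet service
# (not approved), HMI-01 gained a local user (not approved).
CURRENT: Snapshot = {
    "RTU-01": {"software": "rtufw 4.2.1", "patch_level": "2019-04",
               "services": frozenset({"dnp3", "ssh", "telnet"}),
               "ports": frozenset({20000, 22, 23}),
               "users": frozenset({"admin", "ops"})},
    "HMI-01": {"software": "hmi 7.0", "patch_level": "2019-02",
               "services": frozenset({"rdp", "hmi-runtime"}),
               "ports": frozenset({3389, 8080}),
               "users": frozenset({"admin", "operator", "vendor"})},
}


@dataclass(frozen=True)
class Change:
    asset: str
    attribute: str
    old: object
    new: object


@dataclass(frozen=True)
class ApprovedChange:
    """One record from the change-management trail (constructed)."""
    ticket: str
    asset: str
    attribute: str
    new_value: object


APPROVED: List[ApprovedChange] = [
    ApprovedChange("CHG-1042", "RTU-01", "patch_level", "2019-04"),  # hypothetical ticket
]


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Change]:
    """Return every attribute whose value differs between the snapshots;
    an asset present in only one side is reported under "_present_"."""
    changes: List[Change] = []
    for asset in sorted(set(baseline) | set(current)):
        if asset not in baseline or asset not in current:
            changes.append(Change(asset, "_present_", asset in baseline, asset in current))
            continue
        for attr in sorted(set(baseline[asset]) | set(current[asset])):
            old, new = baseline[asset].get(attr), current[asset].get(attr)
            if old != new:
                changes.append(Change(asset, attr, old, new))
    return changes


def unapproved_changes(changes: List[Change], approved: List[ApprovedChange]) -> List[Change]:
    """Drop changes whose resulting value is covered by an approved record."""
    covered = {(a.asset, a.attribute, a.new_value) for a in approved}
    return [c for c in changes if (c.asset, c.attribute, c.new) not in covered]


def describe(change: Change) -> str:
    """Human-readable line; set-valued attributes show added/removed members."""
    if isinstance(change.old, frozenset) and isinstance(change.new, frozenset):
        added = sorted(change.new - change.old, key=str)
        removed = sorted(change.old - change.new, key=str)
        return f"{change.asset} {change.attribute}: +{added} -{removed}"
    return f"{change.asset} {change.attribute}: {change.old!r} -> {change.new!r}"


def roll_forward(baseline: Snapshot, approved: List[ApprovedChange]) -> Snapshot:
    """Apply approved changes to a copy of the baseline so it stays current."""
    updated = copy.deepcopy(baseline)
    for a in approved:
        updated.setdefault(a.asset, {})[a.attribute] = a.new_value
    return updated


if __name__ == "__main__":
    for c in unapproved_changes(diff_snapshots(BASELINE, CURRENT), APPROVED):
        print("UNAPPROVED:", describe(c))
    print("baseline rolled forward; remaining drift:",
          len(diff_snapshots(roll_forward(BASELINE, APPROVED), CURRENT)))
```

Run as-is it prints the three unapproved deviations (a new local user on HMI-01, and a new port and service on RTU-01) while the approved patch-level change is silent; rolling the approved change into the baseline is what keeps the baseline current rather than letting it drift.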
- Change is hard: Clients need a lot of flexibility when it comes to a change management process, but most also want a pre-defined starting place. Choose a tool that has a full business process workflow engine with a set of pre-defined workflows engineered specifically for CIP V5. Just as important, choose a tool that has the flexibility to map the workflow to whatever change process you have today or evolve to.
- Am I vulnerable? Vulnerability assessments are required every year. Many companies use an outside firm to perform the assessments. What happens when they leave? You get a gaggle of spreadsheets, or a PDF with the information. Now you get to keep it safe for a year. Next year, are you going to hire the same company to perform the assessments? Are they going to start from scratch? Choose a CIP V5 product that allows all that assessment data to be stored with the other CIP evidence and mapped to the assets in the relational database. Won’t it be fun to have your assets, attributes, change process trail, and assessment information all in the same database for reports and queries?
- Where did I put that thing? It’s time for an audit; where’s your evidence? Oh, the asset detail is here, the change process is over there, somebody has the backup process and incident response details, and the CVA data is with our consultant. At least I think it is. Why not have your CIP V5 product do all that for you? Choose a tool that allows you to centralize all the data needed for an audit and have it readily and easily available.
- OT is not IT: OT and ICS environments present a set of challenges that IT does not. Make sure you choose a vendor that knows the OT environment and has a solution built to solve unique OT challenges.
- Show me the money: The solution should have an almost immediate return on the investment. For the cost of a SharePoint developer or two you should be able to get a perpetual license for a product tailored for CIP V5.