Being compliant with the NERC CIP standards is vital for a secure and reliable electric grid. A critical component of performing a compliance audit is the gathering of evidence to support audit findings. The six regions, as delegates of NERC, perform compliance audits and exercise a degree of independence; historically, this meant each region issued a request for information prior to the audit and the Responsible Entity provided the requested information.
In the course of developing the reliability standard audit worksheets (RSAWs), the RSAW Development Team met with industry representatives to develop a better set of RSAWs. Part of that discussion centered on what types of evidence would be requested to demonstrate compliance with the CIP Standards. Since the RSAWs could not provide that level of detail, the industry representatives sought more transparency in the evidence requests that the regions send to Responsible Entities as part of the audit process. Additionally, there was a request from the industry representatives to standardize the evidence requests across the Electric Reliability Organization (ERO) – this was especially important to Responsible Entities operating in multiple regions.
The CIP Evidence Request Tool (ERT) is a common request for information that will be available for use by all regions. The tool will help the ERO Enterprise be more consistent and transparent in its audit approach. It will also help Responsible Entities (especially those that operate in multiple regions) fulfill these requests more efficiently by understanding what types of evidence are useful in preparation for an audit.
Figure 1: Evidence Request Flow. Source: NERC CIP Evidence Request Tool User Guide v4.0
Figure 1 above shows a summary of the evidence request flow. The ERT contains a Level 1 tab with the initial evidence needed to begin the evidence submission process. Level 1, in general, asks for two different types of evidence. The first type is the programs, processes, and procedures that an audit team will need to review to determine compliance. The second type is the detail tabs used to form populations for sample selection which will feed into Level 2. Level 2 asks for detailed information about individual items selected by the audit team.
Each line of the Level 1 and Level 2 tabs contains a “Request ID,” which uniquely identifies each request. These Request IDs follow the format CIP-sss-Rr-Lm-nn, where:
- sss is the three-digit CIP Reliability Standard number
- r is the Requirement number within the Standard
- m is the level of the evidence request: “1” for Level 1 or “2” for Level 2
- nn is a two-digit request number within the Standard, Requirement, and Level
For example, CIP-003-R3-L1-03 is the third Level 1 evidence request for CIP-003, R3.
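To make the Request ID format concrete, here is an added example (not part of the original post or the NERC tool) that parses IDs of the form CIP-sss-Rr-Lm-nn and checks an evidence index for malformed IDs and numbering gaps, which is useful after a version change in which requests were removed or renumbered. The sample index is constructed for the example.

```python
"""Parser and consistency checker for NERC CIP ERT Request IDs (CIP-sss-Rr-Lm-nn)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Format from the ERT user guide: three-digit standard number, requirement number,
# level 1 or 2, and a two-digit request number within standard/requirement/level.
REQUEST_ID_RE = re.compile(r"^CIP-(?P<sss>\d{3})-R(?P<r>\d+)-L(?P<m>[12])-(?P<nn>\d{2})$")


@dataclass(frozen=True)
class RequestId:
    standard: str      # e.g. "003"
    requirement: int   # e.g. 3
    level: int         # 1 or 2
    number: int        # e.g. 3


def parse_request_id(text: str) -> RequestId:
    """Parse one Request ID, raising ValueError if it does not follow the format."""
    match = REQUEST_ID_RE.match(text.strip())
    if not match:
        raise ValueError(f"malformed Request ID: {text!r}")
    return RequestId(match["sss"], int(match["r"]), int(match["m"]), int(match["nn"]))


def find_numbering_gaps(ids):
    """Group IDs by (standard, requirement, level) and report missing request numbers.

    Returns (gaps, malformed): gaps maps each group to the sorted list of request
    numbers absent between 01 and the highest number seen; malformed lists the
    strings that did not parse. Both are signs that an evidence index drifted from
    the current ERT version (e.g. a request was dropped or renumbered).
    """
    groups = defaultdict(set)
    malformed = []
    for text in ids:
        try:
            rid = parse_request_id(text)
        except ValueError:
            malformed.append(text)
            continue
        groups[(rid.standard, rid.requirement, rid.level)].add(rid.number)
    gaps = {}
    for key, nums in groups.items():
        missing = sorted(set(range(1, max(nums) + 1)) - nums)
        if missing:
            gaps[key] = missing
    return gaps, malformed


# Constructed sample index: one gap in CIP-003 R1 Level 1, two in R3, one bad level.
SAMPLE_INDEX = ["CIP-003-R1-L1-01", "CIP-003-R1-L1-02", "CIP-003-R1-L1-04",
                "CIP-003-R3-L1-03", "CIP-003-R3-L9-01"]
```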
On February 10, 2020, NERC released the fourth version of the ERT spreadsheet, which is available here. The ERT v4.0 user guide is available here.
So, what is new in the latest version of the ERT? We will try to highlight the most important changes. For a complete list of the changes from the previous version, you may click here. The changes discussed below are grouped by CIP standard.
Besides providing the “the process that was implemented to identify each of the high impact and medium impact BES Cyber Systems” described in R1, responsible entities are now requested to “provide evidence of the implementation of that process.”
In request R1-L1-03, questions 4, 5, 6, 9, 10, and 11 have been removed and replaced by new evidence requirements (questions 6–12) related to the possibility of Cyber Assets being misused or degraded and their impact on generation systems.
Request R1-L1-04 now refers only to Transmission systems, while the new request R1-L1-05 refers to Generation assets. The “old” requests 05 and 06 have now been renumbered to 06 and 07 respectively.
Request R1-L1-01 has been modified to read “Provide evidence that the cyber security policies that address compliance with CIP-003 R1 were approved by a CIP Senior Manager,” instead of “Provide the cyber security policies that address compliance with CIP-003 R1.” In addition, request R1-L1-09 is now applicable to Removable Media “used” and not “authorized.”
Requirement R2 now has two new evidence requests: Request L1-02 has been added to “Provide detailed explanation on the use of remote access for third-parties”, while request L1-03 asks responsible entities to provide evidence on “what electronic access controls (multi-factor, encryption, etc.) and Cyber Asset(s) are used to authenticate individuals for remote access.”
Request R3-L1-02 has been removed and consolidated into request R2-L2-01.
A new request has been added to requirement R3. Request R3-L1-02 asks the responsible entities to provide evidence supporting what the entity has considered to be “technology determined to impact the ability to execute the plan.” In addition, the entity must provide evidence if they “had any changes to such technology during the audit period.”
Request R2-L1-02 has been modified to address requirement R2 Part 2.2. According to the revised request, responsible entities must provide evidence “of each test of a representative sample of information used to recover BES Cyber System functionality and that the information is useable and compatible with current configurations during the audit period.”
In addition, a new request with ID R2-L1-03 has been added, which addresses requirement R2 Part 2.3, stating that “For each recovery plan provided in the response to CIP-009-R1-L1-01, provide evidence of each operational exercise of the recovery plan in an environment representative of the production environment during the audit period.”
Further, two new requests were added to provide evidence for the implementation of requirement R3. Request R3-L1-02 asks the entities to show evidence “for any change to roles and responsibilities, responders, or technology determined to impact the ability to execute the recovery plan.” Finally, request R3-L1-03 is meant to provide evidence on what the entity has considered to be “technology determined to impact the ability to execute the plan.”
Request R1-L1-02 has been modified to address requirement R2 and has been renamed to R2-L1-01. The request asks to “provide a listing of each procurement of vendor products or services… for high and/or medium impact BES Cyber Systems” by using the Procurement tab in the ERT spreadsheet. In addition, request ID R1-L1-03 has been deleted as it is no longer applicable.
Request R1-L1-01 has been modified and now entities must “provide dated results of assessment of substations for applicability under CIP-014-2.” The assessment results must include “planned and existing Transmission stations/substations.” In addition, the entities must provide a “list of planned and existing Transmission stations/substations that, if rendered inoperable or damaged, could result in instability, uncontrolled separation, or Cascading within an Interconnection.”
Further, request ID R2-L1-01 has also been modified to ask for “dated results of the third party review of the results of the assessment of substations”, including “documented qualifications of the verifying third party, recommendations related to the risk assessments, evidence of modifications pursuant to recommendations, and evidence of procedures implemented to protect sensitive and confidential information.”
The ERT is a very handy tool for NERC responsible entities that are preparing evidence ahead of an audit. The latest version, 4.0, introduces many changes in Level 1 evidence requests, which entities must take note of while preparing for their next audit. Entities are highly encouraged to review both the new ERT user guide and the complete list of changes from version 3.0. ITEGRITI has the knowledge and the experience to help entities navigate the changes in the ERT and provide the evidence appropriate for the audit. Contact the experts to learn more.