Meeting NERC (North American Electric Reliability Corporation) Critical Infrastructure Protection (CIP) compliance is a challenge that keeps industrial control systems (ICS) operators up at night. NERC enforces CIP compliance through audits. If an organization performs poorly in its audit, NERC may levy large fines and require extensive remediation to bring the affected systems back into compliance, which can also mean lost productivity and revenue.
Because of this, it's no surprise that a NERC CIP audit generates plenty of anxiety in the weeks leading up to it. There is, however, a preparation strategy that will keep those nerves under control.
Auditors focus on the 11 standards set forth in the NERC CIP guidelines (standard versions change over time, so confirm the currently enforceable version of each on the NERC site linked below):
- CIP-002-5.1a: Cyber Security – Bulk Electric System (BES) Cyber System Categorization
- CIP-003-7: Cyber Security – Security Management Controls
- CIP-004-6: Cyber Security – Personnel & Training
- CIP-005-5: Cyber Security – Electronic Security Perimeters
- CIP-006-6: Cyber Security – Physical Security of BES Cyber Systems
- CIP-007-6: Cyber Security – System Security Management
- CIP-008-5: Cyber Security – Incident Reporting and Response Planning
- CIP-009-6: Cyber Security – Recovery Plans for BES Cyber Systems
- CIP-010-2: Cyber Security – Configuration Change Management and Vulnerability Assessments
- CIP-011-2: Cyber Security – Information Protection
- CIP-014-2: Physical Security
For a detailed description of every CIP standard, you can visit the respective NERC site at: https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
The NERC CIP audit environment is changing. The Regional Entities (REs), the regional organizations to which NERC delegates compliance monitoring and enforcement, are doing more of the work up front and less on-site. If the Registered Entity (the utility or other company being audited) submits a clear Reliability Standard Audit Worksheet (RSAW) with solid supporting evidence, most of the hard work can be done before the Regional Auditors (RAs) even arrive at the Entity's site. Every requirement the RAs can check off before arriving on-site is one less activity for which you need to interrupt a subject matter expert's (SME's) schedule, which is always a good thing.
1) Understand the Requirements
The NERC CIP Reliability Standards were written by committee and are widely regarded as unclear and confusing, so understanding each requirement is vital. The key section of each CIP Standard is the one entitled Requirements and Measures. The Requirements describe what the Entity needs to do, and the Measures describe what evidence the auditors will be checking, although the Measures are written only at a summary level.
The first step in understanding the Requirements within any of the CIP Standards is to review the language. Because the Requirements section is vague in places, these requirements need to be interpreted.
One area that requires interpretation is the use of "technical and/or procedural" controls. When this wording is present, documentation is required either way. If you have technical controls in place, document how they are configured and operated in a procedure. If you are unable to deploy technical controls (because of asset limitations, for example), the "and/or" wording allows you to document procedural controls in lieu of the technical ones. To add to the confusion, in some instances Entities are required to file Technical Feasibility Exceptions (TFEs) when a technical control cannot be enforced. These requirements are few and far between, however, and do not use the "and/or" language; they are typically denoted by the phrase "where technically feasible." The safe approach is to keep documentation of all your controls, whatever their type, together with the processes that maintain them.
Another area that warrants interpretation concerns the different terms that indicate when documentation is required. Wherever one of the following words appears in the Requirements, the Entity must be able to produce a document of some sort as evidence: policy, methods, processes, procedures, identify, maintain, document, list, approve, develop, review, implement, assign, assess, establish, controls, perform, update, retain, create, deploy, exercise, use, and test. Each of these words indicates that the standard requires a document or a task, and a task must leave evidence that it was performed (a dated record, log entry, or ticket, for example). Essentially, you need some type of evidence every time one of these words appears.
A good rule of thumb is to go through the Requirements one by one and read them carefully. Make a note of anything you don't understand. Create an outline of any ambiguous statements, or start a spreadsheet that tracks your interpretation of each requirement and the evidence you intend to produce for it.
2) Prioritize Your Reliability Standard Audit Worksheets (RSAWs)
Auditors are looking for just one thing: the opportunity to verify that you are compliant with the CIP Standards. They look for documentation in the form of procedures, policies, and the like, and they verify that you are executing the processes prescribed in those documents. An RSAW captures your process at a high level and in narrative form; it helps you prove to your auditor that you are compliant with the requirement in question. Part of this is explaining how you gathered the evidence of compliance.
Evidence may be generated by taking screenshots of systems and pasting them into a text document with a brief description. Another common practice is writing scripts that pull evidence into a manually maintained spreadsheet. Unfortunately, manual processes like these quickly lead to outdated information, in addition to being time consuming and error prone, and a bare screenshot or spreadsheet cell carries no record of when, or from which system, it was taken. Whenever possible, use automated tools and methods to gather evidence, and make sure each artifact records its source system and collection date and time so it can be tied to the audit period.
Because the entire audit period is in scope, evidence can be requested for the full three-year span. The best way to ensure ongoing compliance is to complete RSAWs thoroughly and have them reviewed for accuracy by independent parties. The benefits of prioritizing RSAWs are twofold. First, you can identify shortcomings in your evidence or program and recognize potential non-compliances early, which may help you avoid costly fines. Second, the evidence and narratives generated for your RSAWs can be reused extensively when responding to Pre-Audit Data Requests, significantly reducing the work those responses require.
Compiling RSAWs can be a burden, but if your subject matter experts (SMEs) keep them updated, you will never have to complete one from scratch again.
3) Prepare and Present your Evidence
The goal of the auditor is to help your Entity demonstrate compliance with the NERC CIP standards, not simply to hunt for areas of non-compliance. You can help them by preparing your evidence in a meaningful way, for example with an automated, enterprise-wide tool that produces graphs, interactive charts and tables. Such a tool can also help you analyze all required evidence and map your procedural and technical documentation to each specific CIP Requirement.
When preparing the evidence, carefully consider the wording used in your documentation. Avoid words like "should," "generally," and "typically"; use "must" or "shall" instead. Look for clear instructions and positive statements in your documents. During an audit rehearsal, see whether independent reviewers can understand a document, especially a process or procedure, without an explanation. If they need one, that is the time to revise the document and clarify the areas that seem ambiguous. Conducting this kind of review sooner rather than later gives you time to update the document well before your audit.
After you have completed the evidence preparation, devote some time to packaging it. Use a format that makes it easy for the auditor to verify compliance. In most cases, the auditor will only want to see a sample of your evidence, so make sure you have internal procedures defined for extracting those samples. Again, automation tools can present your evidence as clear charts rather than leaving you to scour spreadsheets for the data your auditor requests. Comprehensive documentation and consistency across your environments paint a picture of a well-organized and proactive security posture for your entire organization.
Adequate preparation and clear presentation of evidence can be of great assistance to the auditors and may even help expedite the audit itself. Remember – if the auditors cannot find the evidence they are looking for, they have the right to expand the scope of the audit, which often creates a starting point for more questions. Help the auditors by making the evidence easily accessible and drawing their attention to useful information.
4) Practice the Audit
Audit interviews play a significant role in the outcome of your audit. They are typically used as an opportunity for auditors to ask clarifying questions, test SME knowledge, and obtain a high-level understanding of the environment in question. During an audit interview, you may be asked to demonstrate how you meet compliance with certain requirements.
Practicing or rehearsing the audit will help identify any gaps or shortfalls and hone the SMEs’ presentation skills. It will give you the opportunity to effectively demonstrate how you meet compliance with the CIP requirements. This practice is highly advisable as it will ultimately help your team operate smoothly and more effectively when the actual on-site audit begins. Remember – practice makes perfect.
5) Show Your Work
During interviews, be prepared to answer open-ended questions. Answer succinctly and stay on topic. Use your answers to showcase the strongest parts of your security program so the auditor knows you have done your homework.
For example, you may be asked to describe the methods and tools you used to develop the baseline configuration required by CIP-010-2 R1.1 (operating system or firmware, commercially available or open-source software, custom software, logical network accessible ports, and security patches applied). While explaining how your solution establishes that baseline, also describe any way in which your tooling goes beyond the minimum, such as automating baseline collection and detecting deviations from the approved baseline. By steering your answer, you can show off some of the good work you are doing.
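As an added example (not code from the original article, ITEGRITI, or any NERC tool), here is the kind of scripted evidence collection the RSAW section above recommends over screenshots and hand-kept spreadsheets, applied to the CIP-010-2 R1.1 baseline just discussed. It builds a baseline record covering the five R1.1 elements, stamps it with the source asset, collection time and a SHA-256 evidence hash, and reports deviations between an approved baseline and a later snapshot. The asset ID, field names, helper names and all asset data are constructed for illustration.

```python
"""
Added example: CIP-010-2 R1.1-style baseline record with an evidence hash
and a deviation report. Asset data and identifiers are constructed.
"""
import hashlib
import json

# The five baseline elements named in CIP-010-2 R1.1:
# 1.1.1 OS/firmware, 1.1.2 commercial or open-source software,
# 1.1.3 custom software, 1.1.4 logical network accessible ports,
# 1.1.5 security patches applied.
BASELINE_ELEMENTS = (
    "os_firmware",
    "commercial_software",
    "custom_software",
    "logical_ports",
    "security_patches",
)


def evidence_hash(record: dict) -> str:
    """SHA-256 over a canonical JSON form (sorted keys, fixed separators) so
    identical content always hashes the same and a reviewer can recompute it."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def make_snapshot(asset_id: str, collected: dict, collected_at: str) -> dict:
    """Build a baseline record. Every R1.1 element is always present (an
    uncollected element shows as an empty list instead of silently vanishing),
    items are sorted for stable comparison, and the record carries its source
    asset, UTC collection time and evidence hash."""
    unknown = set(collected) - set(BASELINE_ELEMENTS)
    if unknown:
        raise ValueError(f"unexpected baseline elements: {sorted(unknown)}")
    record = {
        "asset_id": asset_id,
        "collected_at": collected_at,
        "elements": {el: sorted(collected.get(el, [])) for el in BASELINE_ELEMENTS},
    }
    record["evidence_sha256"] = evidence_hash(record)
    return record


def verify_hash(record: dict) -> bool:
    """Recompute the hash over everything except the stored hash field."""
    body = {k: v for k, v in record.items() if k != "evidence_sha256"}
    return evidence_hash(body) == record.get("evidence_sha256")


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Per-element additions and removals relative to the approved baseline.
    Any entry is a deviation; CIP-010-2 R1.3 requires the baseline to be
    updated within 30 calendar days of completing the change behind it."""
    deviations = {}
    for el in BASELINE_ELEMENTS:
        before = set(baseline["elements"][el])
        after = set(current["elements"][el])
        added, removed = sorted(after - before), sorted(before - after)
        if added or removed:
            deviations[el] = {"added": added, "removed": removed}
    return deviations


# Constructed sample data for a hypothetical substation HMI (not a real asset).
APPROVED_BASELINE = make_snapshot(
    "HMI-SUB-01",
    {
        "os_firmware": ["Windows Server 2019 (build 17763)"],
        "commercial_software": ["SCADA-Viewer 7.2.1", "7-Zip 23.01"],
        "custom_software": ["alarm-export.ps1 v1.4"],
        "logical_ports": ["tcp/102", "tcp/502", "tcp/3389"],
        "security_patches": ["KB5000101", "KB5000102"],
    },
    "2023-10-15T02:00:00Z",
)

# A later scheduled collection: one patch was applied (expected), but a new
# remote tool and an SMB listener also appeared and must be accounted for.
CURRENT_SNAPSHOT = make_snapshot(
    "HMI-SUB-01",
    {
        "os_firmware": ["Windows Server 2019 (build 17763)"],
        "commercial_software": ["SCADA-Viewer 7.2.1", "7-Zip 23.01", "RemoteTool 1.0"],
        "custom_software": ["alarm-export.ps1 v1.4"],
        "logical_ports": ["tcp/102", "tcp/445", "tcp/502", "tcp/3389"],
        "security_patches": ["KB5000101", "KB5000102", "KB5000103"],
    },
    "2023-11-15T02:00:00Z",
)

if __name__ == "__main__":
    # Evidence package: both records verify, then the deviations are listed.
    print("baseline hash ok:", verify_hash(APPROVED_BASELINE))
    print("current hash ok:", verify_hash(CURRENT_SNAPSHOT))
    print(json.dumps(diff_baseline(APPROVED_BASELINE, CURRENT_SNAPSHOT), indent=2))
```

Run on a schedule against real collection output, each snapshot becomes a dated, hash-verifiable artifact that can be tied to the audit period, and the deviation report is the trigger for the change record and 30-day baseline update that R1.3 expects, rather than something an SME reconstructs from memory during the interview.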
6) Be Polite, Helpful and Patient
When an auditor asks for information, they are usually trying to get a better understanding of your environment. This isn't a court hearing. The audit team is simply trying to form a big-picture overview, since they don't know your environment as well as you do. They may also be unfamiliar with the acronyms, diagrams, or procedures your organization uses. Take the time to explain these things to them; it helps tell your story of compliance.
7) Audit = Training
When I was in the Hellenic Air Force and was assigned as an Information Security evaluator for NATO, the units we visited feared evaluations for many reasons, one of them being an inability to demonstrate compliance with NATO security directives. I used to say that evaluations are not a means of punishment; rather, they are a way for both the evaluated unit and the evaluators to improve.
Treat the upcoming audit as an excellent opportunity to train yourself. Listen to what the auditor says and don't argue every word. You are both working towards the same purpose: ensuring the reliability and security of the North American power grid.
The ITEGRITI team has both the expertise and the experience to assist your Entity in your forthcoming NERC CIP audit. Contact the experts to learn how.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of ITEGRITI, Inc.