The prospect of a NERC audit can leave you feeling overwhelmed. You’re certainly not alone if you feel like the NERC CIP Reliability Standards are confusing or unclear. Industry-wide, organizations find it challenging to understand the guidelines, let alone embark on the journey of passing a CIP audit.
Of course, knowing others share your anxiety is only mildly comforting. Thankfully, with a bit of preparation, passing the CIP audit doesn’t have to be a stressful or uncertain time. We’ve put together some information to help you prepare for the audit, understand the stages, and get the support you need to pass the process smoothly.
What is the NERC CIP Audit?
The NERC (North American Energy Reliability Corporation) enforces regulations outlined in the CIP (Critical Infrastructure Protection) framework. The NERC CIP framework is, effectively, a reliability standard for the BES (Bulk Electric System) operation and the security of physical and critical cyber assets.
Originally established in response to widespread blackouts, the CIP framework introduced guidelines and standards to improve electric grid reliability. Supported by regional entities, the CIP is enforced through audits, inspections, self-reporting measures, and investigations into possible violations.
NERC standards became compulsory in 2007 and focused on operational risk. As the electrical grid’s dependency on internet connectivity has increased, cybersecurity standards were introduced into the framework. Since 2008, NERC has required electrical entities to adhere to the CIP guidelines and safeguard their assets against cybersecurity threats.
How to Prepare
A NERC CIP compliance audit assesses tools, processes, training programs, procedures, potential and actual risk, and compliance with security standards. Audits can be either on-site or virtual, both led by the appointed Regional Entity.
If you’re required a NERC CIP audit, here are a few key tips to help you prepare:
A classic tip for any big process, the necessity of early preparation cannot be overstated. When preparing in advance, ensure you develop a schedule that leaves space for adjustments and unforeseen impacts. As you prepare, you may identify issues and you will need time to address and resolve them before moving forward.
Use the CIP Tools
Thankfully, there are a variety of tools available to assist with the audit. The NERC CIP Evidence Request Tool (ERT) is a widely-used tool and it is advisable to become familiar with the tool itself and its evidence requests. This will help you prepare for the audit and any questions or alerts that may arise.
Know Your Environment
For some, this goes without saying. For others, it’s a novel idea. For everyone, the advice is the same: get the scope of your environment before the audit occurs. That includes devices, software, and firmware. Understanding your environment will prove beneficial not only for you but also for the RE performing your audit, as you will be able to adequately review and verify the security integrity of your devices and software.
Appoint Your Team
Your team will have a dramatic effect on the ease (or lack thereof) of your audit. Choose your team wisely by selecting those with a security background, and thorough attention to detail. Your team should be both willing and able to document throughout the audit and be able to discuss the process along the way. More than that, your team should understand the requirements and the verbiage of the standards being audited.
Senior Management Buy-in
Support from senior management is not only favorable but crucial for a NERC CIP audit’s success. Your senior management team will be valuable if not silent partners during the audit process. Ensure they are familiar with the audit and what may be required from them along the way.
What to Expect
Helpful in preparing for your audit is having an understanding of what’s to come. Here are some milestones in the NERC CIP audit journey:
90 Days Before
Ninety days before your audit, you will receive an Audit Notification Letter (ANL) from the Audit Team Lead (ATL). This letter will provide information including the monitoring period to be audited, the in-scope requirements, any additional RFIs in advance, the names of audit team members, and any pre-audit materials.
60 Days Before
Up to sixty days before the audit (or thirty days from receipt of the ANL), the following pre-audit materials should be provided:
- Pre-audit survey
- Responses to Level 1 requests
- General questionnaire reply
- Mitigation Plan documentation
- Additional documentation as requested
30 Days Before
The Regional Entity (RE) will review the initial submission and respond with Level 2 requests and any other requirements to be delivered before the audit.
The official audit period requires the audit team to perform certain tasks, including:
- Documentation reviews
- Additional documentation requests
- Opening presentation
- SME interviews
- Results and findings documentation
- Exit briefs
30 Days After
Within thirty days, the RE will provide a draft report, including such information as:
- Objective, scope, and methodology for the compliance review
- Evidence of potential non-compliance
- Identification of any directives, plans, or other activities related to mitigating identified concerns
- Areas of concern and recommendations
60 Days After
By now, the RE must respond to the draft audit report. This response must include a corrective action plan to resolve issues and provide quarterly status updates.
115 Days After
NERC will issue a final report to the RE within forty-five days of receiving the draft audit response. This final report will be presented to the NERC Board of Trustees Compliance Committee.
After taking an orderly approach to the preparation and facilitation of your NERC CIP audit, your work is not done. You and your team should ensure comprehensive post-audit coverage to ensure success.
It is vital that your team captures lessons learned from the process and findings of the audit. When planning your workflow, ensure you’ve made time and space for recording these insights while they are still fresh after the audit. Debriefing sessions as a team can help to make accurate internal reports.
You will also be notified of any enforcement, penalties, or sanctions related to non-compliance (if applicable as a result of your audit). Your team must present a plan to immediately address any of these reported issues. Regional hearings are available to resolve violations or penalties.
Set Yourself Up for Success
Protecting your IT infrastructure is a crucial part of doing business, bolstered by the rise in nefarious activity from cybercriminals. As cyberattacks impact infrastructure (such as the recent Colonial Pipeline attack), government organizations invest more in frameworks and standards to keep networks safe.
While meeting these standards is paramount, understanding their importance doesn’t make them any less overwhelming for many organizations. Preparing in advance and understanding the process is the first step toward audit success.
Thankfully, businesses don’t have to go through the process alone. With a partner such as ITEGRITI on your side, you can approach the audit with confidence. ITEGRITI has been supporting organizations with NERC audits since 2006, offering planning, consulting, and support services.
Read our comprehensive field guide to passing the NERC CIP audit, and contact us for advisory and consulting services for your audit journey.