While NERC compliance involves a vast array of standards, a significant portion of your efforts will be focused on Critical Infrastructure Protection (CIP) standards. These standards are crucial for safeguarding the bulk electric system from cyber threats. Understanding the top three violated CIP standards and their associated programs and processes is essential for strong NERC compliance. Focusing on these frequently violated standards is like fixing the leaks in your roof before tackling maintenance issues affecting the whole house – it’s a targeted approach that can significantly improve your overall compliance posture.
NERC’s Compliance Monitoring and Enforcement Program (CMEP) and Organization Registration and Certification Program (ORCP) Annual Reports from the last three years and earlier show a consistent pattern in the top compliance violations. Although their order has varied over the past several years, violations of CIP-004, CIP-007, and CIP-010 continue to rank among the most frequent. So what are these three oft-violated areas of compliance?
CIP-004 Personnel & Training
CIP-007 System Security Management
CIP-010 Configuration Change Management
People, system security maintenance, and controlled system change: these themes highlight the importance of effective training and education, of keeping key software systems maintained, and of careful consideration of compliance when making the (inevitable) changes to system configurations. Let’s quickly explore each of these areas:
CIP-004 Personnel & Training
This NERC standard focuses on ensuring that personnel with authorized access to critical infrastructure are properly identified, trained, and supervised. The key requirements include:
- Identification: Conducting thorough background checks on personnel with authorized access to critical assets.
- Training: Providing appropriate training to personnel on security procedures, responsibilities, and potential risks.
- Validation: Implementing effective authorization, oversight, and revocation mechanisms to monitor personnel access and ensure compliance with security policies.
The goal of CIP-004 is to mitigate the risk of internal threats and unauthorized access to critical infrastructure.
Key components of CIP-004 requirements
Security Awareness Training
- Helps personnel understand their role in security
- Reinforced quarterly through education/communication
Cyber Security Training
- Helps personnel understand best practices for cyber security from external forces
- Scope includes security policy; physical & electronic access; handling/storage of BES Cyber System information (BCSI); defining/recovering/responding to cyber incidents; and risks of interconnected systems
- Completion required at least every 15 months
Personnel Risk Assessment
- Helps you know your personnel
- Confirm identity
- 7-year criminal history check & evaluation
- Verify that contractors and service vendors meet the same requirements
- Completed at least once every 7 years
Access Management
most violated!
- Know who can access your systems/data and why
- Authorize electronic access, unescorted physical access, and BCSI access and verify/validate every 15 months
- Have revocation, reassignment, and password change processes according to prescribed deadlines
CIP-007 Systems Security Management
This NERC standard focuses on the security of the bulk electric system’s (BES) systems and applications. The key requirements include:
- Configuration management: Ensuring that systems are configured securely to minimize vulnerabilities.
- Vulnerability management: Regularly assessing systems for vulnerabilities and taking appropriate action to address them.
- Software security: Implementing measures to protect software from unauthorized access, modification, or disclosure.
- System hardening: Taking steps to strengthen system security and reduce the risk of attacks.
The goal of CIP-007 is to protect the BES from cyber threats by implementing robust security measures for systems and applications.
Key components of CIP-007 requirements
System Security Management
- Have a documented process
- Enable only necessary ports with justification
- Protect against the use of unnecessary physical input/output ports
Security Patch Management
most violated!
- Have a documented process
- Track, evaluate, install patches; know the source and who is responsible
- Evaluate patches released since the last evaluation for applicability, at least once every 35 days
- When a patch is determined to be applicable, either apply it or create a mitigation plan, and maintain/revise that plan (activities and timelines)
- Meet the mitigation plan deadlines or formally revise them
Malicious Code Prevention
- Deploy methods to deter/detect/prevent malicious code
- Mitigate malicious code threats
- Maintain any signatures/patterns involved in discovery/mitigation
CIP-010 Configuration Change Management
This NERC standard focuses on managing changes to the configuration of BES Cyber Systems. The key requirements include:
- Change control process: Establishing a formal process for evaluating, approving, and implementing changes to system configurations.
- Documentation: Maintaining accurate documentation of system configurations and changes.
- Testing: Testing changes in a controlled environment before implementing them in production.
- Monitoring: Monitoring systems for any adverse effects of configuration changes.
The goal of CIP-010 is to ensure that changes to critical infrastructure systems are made in a controlled and managed manner to minimize the risk of disruptions or security vulnerabilities.
Key components of CIP-010 requirements
Configuration Change Management
most violated!
- Have a documented process
- Develop and document baseline configurations
- Authorize and document changes to the baseline configurations
- Update baseline configuration documentation within 30 days of the change
- Before making the change, evaluate the CIP-005 and CIP-007 controls that could be affected; after the change, confirm and document that they were not adversely impacted
- Before implementing the change, test it in a test environment or a low-impact production environment, and document the test conditions and results
- Before applying the change, verify its source and integrity
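As an added illustration (not from the article or from any vendor product), here is a Python check for the CIP-010 baseline requirements listed above: it fingerprints a constructed asset snapshot, compares it with a constructed documented baseline, and flags every differing item as either unauthorized or authorized with its baseline documentation still pending or overdue past the 30-day window. Item names, values, and dates are constructed for the example.

```python
import hashlib
from datetime import date

DOC_DEADLINE_DAYS = 30  # CIP-010: baseline documentation must be updated within 30 days of a change

def fingerprint(value: str) -> str:
    """SHA-256 of one baseline item (OS, ports, software, patches) so snapshots compare cheaply."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def check_baseline(baseline, authorized_changes, current, today):
    """Compare a live snapshot against the documented baseline.

    baseline:           {item: fingerprint} from the documented baseline record
    authorized_changes: {(item, new_fingerprint): change_date} for approved, recorded changes
    current:            {item: raw_value} collected from the asset; an absent item means it was removed
    Returns {item: status} for every item that differs from the documented baseline.
    """
    findings = {}
    for item in set(baseline) | set(current):
        actual = fingerprint(current.get(item, ""))   # "" fingerprints a removed item
        if baseline.get(item) == actual:
            continue                                   # matches documentation: nothing to report
        change_date = authorized_changes.get((item, actual))
        if change_date is None:
            findings[item] = "UNAUTHORIZED_CHANGE"     # no authorization record for this new state
        elif (today - change_date).days > DOC_DEADLINE_DAYS:
            findings[item] = "AUTHORIZED_DOC_OVERDUE"  # approved, but baseline docs not updated in 30 days
        else:
            findings[item] = "AUTHORIZED_DOC_PENDING"  # approved, documentation update still within window
    return findings

def demo():
    """Constructed sample data for one BES Cyber Asset; not taken from the article."""
    baseline = {
        "os": fingerprint("RHEL 8.6"),
        "ports": fingerprint("22/tcp,502/tcp"),
        "software": fingerprint("scada-hmi 4.2;openssl 1.1.1k"),
        "patches": fingerprint("2024-02 cumulative"),
    }
    authorized = {
        ("ports", fingerprint("22/tcp,502/tcp,443/tcp")): date(2024, 3, 20),  # approved 12 days ago
        ("patches", fingerprint("2024-03 cumulative")): date(2024, 2, 1),     # approved 60 days ago
    }
    current = {
        "os": "RHEL 8.6",
        "ports": "22/tcp,502/tcp,443/tcp",
        "software": "scada-hmi 4.2;openssl 1.1.1k;telnet-server 0.17",  # no authorization record
        "patches": "2024-03 cumulative",
    }
    return check_baseline(baseline, authorized, current, today=date(2024, 4, 1))

if __name__ == "__main__":
    for item, status in sorted(demo().items()):
        print(f"{item}: {status}")
```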
Vulnerability Assessment
- Have a documented process
- Perform a paper or active vulnerability assessment at least every 15 months
- In a test environment or a low-impact production scenario, run an active vulnerability assessment and document the results, the testing environment, and any differences from production and how they were accounted for
- Perform an active vulnerability assessment on new cyber assets before adding them, except in exceptional circumstances or for like-for-like replacements
- Document the results of assessments, the remediation of identified vulnerabilities, and the date and execution status of each remediation
Configuration Monitoring Process
- Have a documented process
Transient Cyber Assets & Removable Media
- Have a documented plan
Ease CIP hot spots with cool software
Manual systems and outdated management software can significantly contribute to challenges in achieving CIP compliance. When utilities employ helpful technology systems to track, manage, and analyze the supporting data behind these requirements, compliance teams can be better informed and equipped to address gaps, stay on top of deadlines, and escalate as needed.
CIP-004 Personnel & Training – common woes solved by good software
- Difficulty in tracking training records: Manually maintaining training records can be cumbersome and disorganized, making it difficult to ensure that all personnel have received the necessary training. Effective software can streamline this process and provide better visibility into training compliance, and can generate helpful reports and documentation to support CIP-004 compliance evidence.
- Limited reporting capabilities: Manual systems may not provide the reporting needed to track training completion, identify training gaps, and monitor personnel performance. Good software can generate reports that help utilities identify and address compliance gaps, as well as spot patterns and root causes of issues.
- Avoidable communication issues: Relying on individual team members to send bulk notifications and communications to personnel related to training can lead to missed deadlines, lost emails, and messages forgotten among workforce shifts and time off. A system that allows you to automate communication and the logging and documentation of those communications can reduce noncompliance issues in the control of your compliance team.
- Stale access reviews & unidentified anomalies: Good systems can periodically surface regular, reviewable documentation of access permissions to ensure that they remain appropriate and up to date. In addition, systems that compare current access with predefined roles and responsibilities can help identify anomalies or potential security risks.
- Fragmented access management: A centralized system can efficiently manage and track authorized access, ensuring that only authorized personnel have the necessary permissions. The system can automatically verify the existence and accuracy of authorization records, reducing the need for manual checks. Detailed audit trails can track access activities, making it easier to identify unauthorized access or potential security breaches.
CIP-007 System Security Management – common woes solved by good software
- Reactive patching and vulnerability identification: Tools that track available patches and surface patch reviews for teams can help you stay compliant with CIP-007 requirements.
- Forgotten remediations: Intuitive software can significantly enhance a utility’s ability to stay on top of remediation decisions and deadlines, track updates, and help your documentation stay current.
CIP-010 Configuration Change Management – common woes solved by good software
- Disjointed change requests: Technology can streamline the change request process, from submission to approval and implementation. A centralized repository can store and track all change requests, providing a clear audit trail.
- Unknown change impacts: Built-in impact analysis can help identify potential risks and consequences of proposed changes, helping utilities make informed decisions.
- Scattered change request logs: Automated systems can generate detailed reports on change management activities, providing valuable insights for compliance and auditing purposes. These reports can also serve as an audit trail, documenting the history of changes to system configurations.
By prioritizing the top three violated CIP standards and leveraging appropriate software tools, utilities can significantly enhance their NERC compliance efforts. Addressing these critical areas—personnel and training, system security management, and configuration change management—is essential for safeguarding critical infrastructure and mitigating cybersecurity risks. By investing in modern software solutions, utilities can automate key tasks, improve efficiency, and reduce the likelihood of human error, ultimately strengthening their overall compliance posture.
So what kind of software should I look for?
Choosing the kind of software to modernize and optimize your processes with can be overwhelming. Karta’s white paper The Software Showdown: Choosing the right approach for your Utility breaks down the three main models of software on the market today, the benefits and considerations of each, and an assessment to help you decide which approach may be the best fit for you.
Sources:
- https://www.nerc.com/pa/comp/CE/ReportsDL/2023%20CMEP%20and%20ORCP%20Annual%20Report.pdf