NERC-CIP compliance is an integral part of the conversation in the Utility industry. Management practices are being continually refined and deployed against it, technology is being implemented because of it, and gaps identified by NERC-CIP audit experiences are driving compliance efforts. Many Utility companies have successfully reached the stage where they can confidently state that they are NERC-CIP compliant. But what does that mean?
First let’s review the difference between audit and intent. An audit is a review process intended to determine if appropriate policies, procedures, and controls are in place as defined by the NERC-CIP compliance regulations. Each Utility company approaches these elements of compliance in their own way because the regulations are a guide, not a prescription.
Intent is a different story altogether. We can pass our audits, we can rightfully claim we are NERC-CIP compliant, but that does not mean we are meeting the intent of the NERC-CIP regulations. The intent is that we protect our vital electrical power infrastructure so that we all have the electricity we depend on, and that we have the mechanisms in place to stop potentially disruptive events from occurring. Intent covers both service loss and exposure to service loss. For example, losing generation capability because generation systems are compromised is a service loss, and a clear NERC-CIP violation. Allowing a security risk to arise that makes the generation system vulnerable to exploitation is also a clear NERC-CIP violation. Both compromise the intent of NERC-CIP. Should either occur, a company that can rightfully claim to be NERC-CIP compliant would become out of compliance.
For example, let’s say we have strong physical security in place at a given location where a Cyber Asset exists. There could be a building that has a locked door or a fence with a locked gate. There could also be a cabinet or interlock device that has another lock on it, to ensure only those authorized to access that Cyber Asset can do so. These examples would meet NERC-CIP requirements from an audit perspective and the claim of being NERC-CIP compliant in many cases.
But what if the authorized person who accesses the Cyber Asset fails to follow the procedure for changing, configuring, updating, patching, or otherwise modifying the Cyber Asset? What is done could directly lead to a service loss, but more likely it would create a threat or vulnerability that we simply do not know about (until something bad happens). Transparency and oversight depend on knowing what each person who touches a Cyber Asset does to it. A procedure for getting approval for, and documenting, all changes will satisfy auditors, but any exceptions or deviations from the procedure are a violation of NERC-CIP and compromise its intent.
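The oversight gap described above is, in practice, a reconciliation problem: every change actually made to a Cyber Asset must be matched against an approved, documented change record, and anything unmatched is a deviation. The following is an added example written for this page, not code from the original article or from ConsoleWorks. The record formats, asset and user names, ticket numbers and timestamps are all constructed assumptions; a real deployment would feed it exported approval records and recorded session or change logs.

```python
"""Reconcile observed changes to a Cyber Asset against approved change records.

Added illustration for this article (not ConsoleWorks code). Every name, record
format and data value below is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Approval:
    """An approved change window: who may change which asset, and when."""
    ticket: str
    asset: str
    user: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Change:
    """One change actually observed on an asset (e.g. from a recorded session)."""
    when: datetime
    asset: str
    user: str
    action: str


# Constructed sample: approved change windows, as a change-approval system might export them.
APPROVALS = [
    Approval("CHG-1001", "rtu-substation-a", "jdoe",
             datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 11, 0)),
    Approval("CHG-1002", "hmi-plant-2", "asmith",
             datetime(2024, 3, 4, 13, 0), datetime(2024, 3, 4, 15, 0)),
]

# Constructed sample: changes observed on the assets during the same day.
OBSERVED = [
    Change(datetime(2024, 3, 4, 9, 30), "rtu-substation-a", "jdoe", "apply firmware patch"),
    Change(datetime(2024, 3, 4, 11, 45), "rtu-substation-a", "jdoe", "edit relay setpoint"),
    Change(datetime(2024, 3, 4, 13, 20), "hmi-plant-2", "bjones", "modify alarm thresholds"),
    Change(datetime(2024, 3, 4, 14, 0), "hmi-plant-2", "asmith", "update display config"),
    Change(datetime(2024, 3, 4, 16, 10), "plc-feeder-7", "asmith", "download logic"),
]


def matching_approval(change, approvals):
    """Return the approval that covers this change (same asset, same user, inside window), or None."""
    for a in approvals:
        if a.asset == change.asset and a.user == change.user and a.start <= change.when <= a.end:
            return a
    return None


def reconcile(observed, approvals):
    """Split observed changes into approved ones (with ticket) and deviations (with a reason)."""
    approved, deviations = [], []
    for c in observed:
        a = matching_approval(c, approvals)
        if a is not None:
            approved.append((c, a.ticket))
            continue
        # Explain why the change is a deviation, so a reviewer knows what to follow up on.
        same_asset = [x for x in approvals if x.asset == c.asset]
        if not same_asset:
            reason = "no approval exists for this asset"
        elif not any(x.user == c.user for x in same_asset):
            reason = "user not authorized in any approval for this asset"
        else:
            reason = "change made outside the approved window"
        deviations.append((c, reason))
    return approved, deviations


def unused_approvals(observed, approvals):
    """Approvals with no observed change: either the work was not done, or it was done unrecorded."""
    used = {matching_approval(c, approvals) for c in observed}
    return [a for a in approvals if a not in used]


if __name__ == "__main__":
    ok, bad = reconcile(OBSERVED, APPROVALS)
    for c, ticket in ok:
        print(f"APPROVED  {c.when:%H:%M} {c.asset:18} {c.user:8} {c.action} [{ticket}]")
    for c, reason in bad:
        print(f"DEVIATION {c.when:%H:%M} {c.asset:18} {c.user:8} {c.action}: {reason}")
    for a in unused_approvals(OBSERVED, APPROVALS):
        print(f"UNUSED    {a.ticket} for {a.asset} ({a.user})")
```

Run against the constructed data, three of the five changes come out as deviations: one made by the approved person but after the window closed, one made on an approved asset by a person not named in the approval, and one on an asset with no approval at all. Each of these is exactly the kind of exception the article warns about, which would pass an audit of the procedure itself while still breaking the intent of the control. The unused-approval check is the mirror image: an approved change that never shows up in the observed record deserves the same follow-up, because either the work was skipped or it was done outside the monitored path.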
The challenge for many Utility companies has now shifted to finding ways to gain oversight and control over NERC-CIP policies. We all know that procedures people must follow will result in exceptions and errors sooner or later.
So while many Utility companies have solved the challenge of being NERC-CIP compliant, the NERC-CIP challenge has only begun to be addressed. The focus is shifting now to looking for ways to move policies into systems for oversight, simplification, elimination of human error, and proactive response to potential threats.
See Resources for more information on how ConsoleWorks tackles NERC-CIP Challenges.