Be Secure, Not Just Compliant

How to increase security by adding simple High/Medium Requirements to your Low-Impact program.

Going beyond “let’s do what’s required to be compliant” to a mindset of protecting ourselves and the BES at all times, it is worth considering some of the cybersecurity controls found in the High and Medium impact standards.

High and Medium impact sites have robust cybersecurity controls that low-impact BES systems do not require; appropriately implemented, however, those same controls can take you beyond compliance.

For example:

Many of you have just completed the low-impact cyber asset list. Although CIP-002.5a is a High/Medium requirement that does not apply to low-impact sites, the NAES NERC CIP Library uses it to create a cyber asset list so that you know which BES assets you’re protecting in your facility.

Consider the following High/Medium CIP requirements:

CIP-010-3 R1 Configuration Change Management

The purpose of this control is to review and approve changes to cyber assets and BES cyber systems. Any change to a BES cyber system is monitored and compared to an original, approved baseline.

This control is used to manage changes made to a cyber asset’s operating system, firmware, or configurations.
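As an added illustration (not from the article or the NAES library), the check below compares an asset's observed configuration against its approved baseline and lists every deviation, covering the usual baseline elements (OS/firmware, installed software, patches, listening ports); the asset names and values are constructed.

```python
"""Baseline comparison for a single BES cyber asset (constructed example)."""
from typing import Any, Dict, List

# Constructed, approved baseline for a hypothetical HMI host (not real data).
APPROVED_BASELINE: Dict[str, Any] = {
    "os_firmware": "VendorOS 4.2.1",
    "software": {"hmi-runtime": "7.3", "ntp-client": "2.1"},
    "patches": {"KB-0001", "KB-0002"},
    "ports": {22, 502},
}

# Constructed snapshot of the same host as observed during a review.
OBSERVED_STATE: Dict[str, Any] = {
    "os_firmware": "VendorOS 4.2.1",
    "software": {"hmi-runtime": "7.4", "ntp-client": "2.1", "remote-tool": "1.0"},
    "patches": {"KB-0001", "KB-0002"},
    "ports": {22, 502, 23},
}


def compare_to_baseline(baseline: Dict[str, Any], current: Dict[str, Any]) -> List[str]:
    """Return human-readable deviations from the baseline; empty means no change."""
    findings: List[str] = []
    if current.get("os_firmware") != baseline["os_firmware"]:
        findings.append(f"os_firmware changed: {baseline['os_firmware']} -> {current.get('os_firmware')}")
    base_sw, cur_sw = baseline["software"], current.get("software", {})
    for name in sorted(set(base_sw) | set(cur_sw)):  # stable, reviewable order
        if name not in cur_sw:
            findings.append(f"software removed: {name} {base_sw[name]}")
        elif name not in base_sw:
            findings.append(f"software added without approval: {name} {cur_sw[name]}")
        elif base_sw[name] != cur_sw[name]:
            findings.append(f"software version changed: {name} {base_sw[name]} -> {cur_sw[name]}")
    for label in ("patches", "ports"):  # set-valued elements: report both directions
        base_set, cur_set = set(baseline[label]), set(current.get(label, ()))
        for item in sorted(base_set - cur_set):
            findings.append(f"{label}: {item} in baseline but not on asset")
        for item in sorted(cur_set - base_set):
            findings.append(f"{label}: {item} on asset but not in baseline")
    return findings


if __name__ == "__main__":
    for finding in compare_to_baseline(APPROVED_BASELINE, OBSERVED_STATE):
        print("DEVIATION:", finding)
```

Every line printed is a change that should map to an approved change record; anything without one is the event this control exists to catch.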

CIP-010-3 R3 Vulnerability Assessment Controls

This control is to perform and document vulnerability assessments for a low-impact facility. This can be a straightforward process, and it is also very handy to know where the vulnerabilities are and how to recover if compromised.

It doesn’t have to take a huge budget to implement some of the NERC CIP standards for High and Medium impact in your low-impact facilities. Doing so would take you beyond merely being compliant to being diligent.