CIP Compliance vs. True Security:
Be Sure You Address Both
by Michiko Sell – Senior NERC CIP Specialist

Responsible entities too often believe that if they comply with NERC CIP Standards, their physical and cyber environments are fully protected from bad actors. False!

True security requires ongoing vigilance that may not be fully spelled out in current CIP Standards. So why comply with CIP Standards if they do not protect all of your Cyber Assets – particularly those that support the reliability of the grid? It’s a good idea to evaluate your compliance efforts honestly and consider whether they truly protect you – regardless of whether you’ve checked the compliance box.

Typically, responsible entities do only what they must to check that box. Those that are classified as Low Impact may not want to create a Low Impact BES Cyber Asset List, which technically is not required of them. However, having this list is essential if you’re going to thoroughly address physical and electronic security controls for your Low Impact BES Cyber Systems (BCS).

The requirements for Low versus Medium/High Impact BCS differ dramatically because of the relative reliability risk to the BES. Understandably, the bar is raised much higher for Medium/High Impact BCS. However, some of those requirements – implementation of physical security perimeters with monitored access control, for example – are just sensible security practices for any generation plant.

False Sense of Security?

By now you might be saying, ‘We already comply with all applicable NERC CIP Standards!’ While this is commendable, you should ask yourself some more difficult questions:

  • Do you protect only those Cyber Assets that support the BES?
  • Does your business network have a process for security patch management?
  • Do you have a ‘bring your own device’ policy outside of your BES Cyber Systems?
  • Do you routinely give users access when they forget their badges?

Relaxed attitudes toward these issues are pretty common. Unfortunately, such attitudes contribute to the spread of malware and ransomware. All malware and ransomware need is access.

Since you’re required to demonstrate compliance, why not try to stay one step ahead by implementing programs and processes that further enhance your security? Regulators do not have the resources to monitor the compliance of all registered entities all of the time, hence their increasing use of Inherent Risk Assessments and Internal Control Evaluations. You can take advantage of these surveys to demonstrate that you’ve not only complied but have also taken action above and beyond what is required. Such efforts on your part will likely reduce your audit scope and monitoring actions.

What You Can Do

  • Take advantage of the required policy, program and procedure documents used to demonstrate compliance by adding a section on Internal Controls. Make sure your documents show evidence of compliance, but exploit the Internal Controls section by narrating how you secure your plants and your BCS to ensure reliable operations above and beyond the stated requirements.
  • Make your cyber security awareness program meaningful to your entire organization – not just to those who interact with CIP-protected devices. Encourage use of the same security measures in your business networks that are used in your BCS environment.
  • Incorporate some of your security measures in your safety program. For example, controlling physical access to your plant supports safety as well as security. This strategy can also help you obtain funding to implement controls that serve a dual purpose.
  • Create a ‘bring your own device’ policy for your organization that applies to both the BCS and your general business network.
  • Include your IT and Facilities departments in the development and review of CIP procedures. This can help you establish uniform processes for addressing security and compliance throughout your organization.

Simply complying with the CIP Standards does not guarantee security. It’s critical to adopt a program that addresses the overall security of your facilities and people – not just your compliance.