CIP: More Than Just a Buzzword – Do You Have Evidence of Implementation?

By Leland McMillan, Supervisor, NERC Services

January 1, 2020 is almost here and the highly anticipated pressure to complete the CIP-003-7 cyber security plans will be over. Or will it?


Since 2017, registered entities have been deploying plans as required for:

Section 1. Cyber Security Awareness and

Section 4. Cyber Security Incident Response

Also, entities have been preparing to complete plans required by1/1/2020 for:

Section 2. Physical Security Controls

Section 3. Electronic Access Controls

Section 5. Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation

The purpose of this article is to raise awareness that simply writing and approving the plan is just the beginning. The work will not end on 12/31/19.


Requirement 2 of CIP-003-7 states:

Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1.

*The key word here is “implement;” which means that your entity will need to demonstrate that the plan documents you have been working on have, in fact, been deployed. The following narrative constitutes what those words can mean for the applicable sections.

Physical Security: Examples of controls and evidence are found in the standard, but the key is to demonstrate that you are controlling access. Whether you use the fence, locked rooms, or key cards, it would make sense to have a list of individuals with access for the audit period. This means that terminated individuals and new hires are tracked, with some sort of periodic verification, with documentation to serve as good evidence.

Electronic Access: For those of us with routable communications (almost everyone), obtaining a copy of the firewall rules is a good first step. However, that doesn’t necessarily show evidence of controlling access. It is critical that a technical review is

performed to ensure that external communications are limited to only ports that are needed. Evidence can be as simple as an excel spreadsheet, but must show that all ports are closed, except those needed for operations. The open ports must have a documented justification. Network diagrams along with an Access Control List showing justified firewall rules restricting IP addresses, ports, or services, are good evidence of implementation of electronic access controls.

Transient Cyber Assets/Removable Media (TCA/RM): Perhaps the most onerous of the new requirements, registered entities must now document that applicable portable devices connected to control systems, microprocessor relays, etc. have been verified free of malicious code prior to connection. Did I mention that this needs to be documented? The evidence can vary, but a simple form or checklist can serve well if personnel are properly trained.

The Future:

As soon as Version 7 goes into effect, its days will be numbered. Version 8 goes into effect on April 1, 2020. Don’t worry though – all your favorite requirements from V7 will stick around. V8 simply adds Section 5.2.2 to document additional mitigating steps to address risks of third-party TCAs containing malicious code.

Beyond that Supply Chain issues have emerged as a global threat. The recent NERCAlert and NERC data request on this subject serve as evidence of the importance for this topic.

Certainly, the future of cybersecurity risks and potential for new requirements is overwhelming, but the first step is making sure that your cybersecurity plans for the CIP standards are supported by evidence of implementation. Training is not required but is highly recommended to help your staff understand and implement the new requirements properly.