What Not To Do With NERC CIP. Tim Lockwood, CISSP, CISA Lead Information Security Risk Analyst

Size: px

Start display at page:

Download "What Not To Do With NERC CIP. Tim Lockwood, CISSP, CISA Lead Information Security Risk Analyst"

Marcia Harrington
6 years ago
Views:

1 What Not To Do With NERC CIP Tim Lockwood, CISSP, CISA Lead Information Security Risk Analyst

2 General Disclaimer I can neither confirm nor deny that any of the issues we will talk about today have occurred at California ISO at one time or another I can not tell you definitively what your critical assets are or what you should do to properly protect them. That s the job of a paid consultant! Some topics discussed will make sense for your entity, while others may not. But hopefully you will be able to take away at least one new idea Page 2

3 Management Commitment Go ahead and add it to existing employees regular workload Management oversight is not needed Upper management support is not required Wait right until self-certification or audit to collect evidence, since it doesn t take a lot of effort Go with the flow as the standard versions come out Page 3

4 A Better Approach Might Be CEO on down support for NERC CIP A realization that this is not a trivial paperwork exercise Properly plan, fund and staff Create a compliance team that validates collected evidence throughout the year Analyze the potential changes to the standards and get involved with a standard drafting team if you have the time s_under_development.html Page 4

5 NERC CIP Enforcement Actions Located here Ignore the listing of all non compliance deemed worthy of a penalty or other unsavory actions Think your are like nobody else, so none of this can possibly apply to me Don t read the Notice of Penalty to see if it sounds familiar Page 5

6 Take a look at some NOP s Dear Ms. Bose: The North American Electric Reliability Corporation (NERC) hereby provides this Notice of Penalty1 regarding Unidentified Registered Entity (URE), NERC Registry ID# NCRXXXXX, in accordance with the Federal Energy Regulatory Commission s (Commission or FERC) rules, regulations and orders, as well as NERC Rules of Procedure including Appendix 4C (NERC Compliance Monitoring and Enforcement Program (CMEP)). URE self-reported a violation3 of CIP Requirement (R) 44 for failing to update its list of personnel with authorized access to Critical Cyber Assets (CCAs) within seven calendar days of any change of personnel, or any change in the access rights of such personnel. In addition, URE failed to revoke access to such CCAs within seven calendar days for personnel who no longer required such access to the CCAs. Page 6

7 A Better Approach Might Be Read the NOP s and see if they might apply in your situation Look all reliability standards not just CIP If there is something similar in the way you do business, look into what you can do to change before the on site audit shows up Page 7

8 Training Try to track and train individuals as they need access. Use a live trainer for everyone Use a spreadsheet to track who did what when Manual tracking scales well for all sizes of entities CIP-004 is one of the most violated standards according to NERC ed%20standards_w_cover%20sheet.docx.pdf Page 8

9 So What Might Work Well Computer Based Training Tracking with an online learning management system Train everyone! Onboarding training, make it part of ELC Page 9

10 External Audit Assessments Schedule the external auditor to come in at any time Take everything the auditor says at face value, they always know better than you that s why we pay them so much! Scramble to change your process without talking it over with other stakeholders Make sure not to speak up that you think the auditor could be mistaken Page 10

11 What Might You Do Get all you evidence in order before they show up to maximize the benefit Discuss with the external auditor why you think their approach would not work in your organization as they are assessing Talk to management before the results are presented Publically state you do not agree with the observation Come up with alternatives if the initial suggestion does not seem to make sense Page 11

12 Dealing with Auditors Volunteer information above and beyond the requirement, especially if it s contradictory to your RSAW and evidence Fill up any uncomfortable silences with lots of discussions Don t have your compliance team or a backup in the room with you, you have it all covered! Page 12

13 Tips For the Hot Seat Just stay quiet even if uncomfortable, the auditors need time to take notes and review other evidence between asking questions Know thy RSAW and stick to the script. Let the auditor find the issue Know thy evidence. An auditor may go fishing, so be prepared to dive into what has been submitted If you don t understand a question, ask the auditor to restate it with reference to the specific requirement Page 13

14 Thanks For Listening Management commitment, understanding where others are having difficulty, getting external help/confirmation and knowing how to deal with the auditors are key to successfully navigating NERC CIP Hopefully you have found one thing during this presentation that helps you deal with CIP and reduce potential frustration Page 14

Cover Your Assets in Version 5. August Webinar #CIPv5

Hosted By: Sponsored By: Cover Your Assets in Version 5 August 21 2013 Webinar Welcome! Why are we doing this webinar? The transition from CIP v3 to v5 is a big deal Bright line criteria require new attention