The auditors are here. They’ve been combing through your Reliability Standard Auditing Worksheet and supplemental evidence demonstrating compliance, but they’re still not satisfied. Something is missing. A few of the auditors are convinced you are missing assets in your CIP-002 process—the entire foundation of your Critical Infrastructure Protection (CIP) security program. After hours of debate between your team and the auditors, it becomes clear that you missed a key definition in your compliance program: “programmable electronic device.” But how? It’s not a defined term in the North American Electric Reliability Corporation (NERC) Glossary of Terms. It did not come up as an issue in your mock audit a few months ago. And you were compliant prior to this audit. So what happened?
You just got NERC’d.
This story is not an uncommon one for electricity utilities in North America. With over 1,500 entities that must comply with the NERC CIP requirements, it’s an unfortunate reality that many utilities will have entirely different experiences in their compliance journey depending on their power system topology, their region, and even their past history and culture. Without a common understanding of the requirements—as well as their interdependencies and foundational concepts—a utility’s experience can vary drastically from one year to the next. In short, we are in the Wild, Wild West of electric sector cybersecurity regulations.
Part of the confusion stems from stories like the one above—that is, even if you are familiar with the requirements, a minor phrase (or even a comma!) can put your entire program into jeopardy. The other more common concern is around the requirements themselves, which are often described as “what to achieve” rather than “how to achieve it.” Well, if you don’t know the “how” based on what’s written, how can you possible achieve the “what?”
This is what I affectionately call being in a state of “inCIPtion.” In the case of the NERC CIP requirements, it’s not uncommon to need to refer to additional standards and guidelines to achieve the “what.” Even more confusing is when NERC CIP requirements reference Attachments, or when auditors arrive and quote the (non-mandatory) Guidelines & Technical Basis for the requirement. As they build, grow, and sustain their NERC CIP compliance program, practitioners find themselves with references inside references citing other references. The mind maps alone can be printed 3D models of horrifying compliance language.
ICS456: Created by Practitioners for Practitioners
I have been proud to teach ICS456: NERC Critical Infrastructure Protection Essentials for over four years now. Prior to taking the course myself, I had been through many CIP “bootcamps” and different utility training programs. As the former technical lead for the Federal Energy Regulatory Commission for NERC CIPv5, I had been lucky enough to see CIP mature across multiple years prior to implementation. On the other hand, as an independent researcher and company executive, I had also seen the struggles firsthand for utilities unable to comply with the technical requirements within the regulations. Many of the reasons why link back to “inCIPtion”—that is, the general confusion as to “how” to comply with the “what” of the requirements.
Frankly, none of the training options I had seen addressed those concerns. ICS456 changed that. It was not a “death-by-PowerPoint" class. It did not teach the standards “in numerical order,” but instead linked complimentary topics together for practical program development. And the investment in hands-on labs—actually letting students implement technical CIP controls—meant students could immediately apply what they learned with tools they could bring back to their utilities. I had never seen anything like it (and still haven’t).
ICS456 was designed with multiple perspectives in mind, leading to the creation of feature-rich content. Some of the roles involved in authoring the course (from course creators Tim Conway and Ted Gutierrez) and reviewing it (by Mike Assante, Rob Lee, and several utility beta students) included:
- CIP senior managers
- Technical practitioners for each requirement
- Compliance managers
- Utility executives
- Former NERC CIP auditors
- Utility lawyers and general counsel
- Former NERC CISOs
- Incident responders
- Federal and state regulators
Today, hundreds of students, each with their unique perspective and strengths, have taken ICS456. By the end of the five-day course, they have not only been exposed to all of the requirements, they have also applied technical controls, understood the compliance implications, and walked away with a common understanding of the “how.”
Frankly, it’s a course I wish we had as an industry 12 years ago. But better late than never, right?
Simplifying InCIPtion
Many utilities feel bound by the restrictions of the NERC CIP requirements. And it’s no wonder—the language feels both vague and limiting. And without the key elements around “how to comply,” practitioners may feel rudderless in a sea of compliance.
What we do during our five days together in ICS456 is cut through the thick regulatory language and provide approachable concepts to learn from. Some of this requires building a foundation of understanding, but other times we will explore the realm of “non-CIP” guidelines with better structure, clearer language, and informed templates for your program.
For example, utilities struggling with incident response that open up CIP-008 may find themselves asking a lot of questions. In R1.1, you’ll need to have a process to “identify, classify, and respond to Cyber Security Incidents.” But how? What’s the best way to “identify”? Where do you look? What triggers are needed for “classification”? Who should be on the team to “respond”? And let’s not even talk about the new requirement to report “attempts to compromise” to both the Electricity Sector Information Sharing and Analysis Center (E-ISAC) and the U.S .Department of Homeland Security. If incident response is not part of your background, the language seems both simple, yet obviously missing key details.
Absolutely part of that is built into the design. With, again, some 1,500 active entities complying with NERC CIP requirements, there is not going to be a lot of prescriptive language that works for the variety of operations found in different electricity utilities. But that does not mean your program needs to be held hostage by the fear of getting it wrong, not complying, or (even worse) not being secure.
Let’s re-examine the example with incident response.
What if I told you we could easily map more guideline-driven incident response frameworks (such as those from organizations like SANS and NIST) to the NERC CIP requirements? And that auditors are aware of and familiar with seeing organizations pursue these quick “cheat codes” to build a robust CIP-compliant incident response program? Or that you could have access to industry resources such as the recent American Public Power Association’s Incident Response Playbook for templates and educational resources to build a plan easily adaptable to your operations (and engineer-friendly)?
Now let me blow your mind even further: We can do that for every requirement in NERC CIP.
Every instructor for ICS456 has decades of experience implementing, regulating, and advising on NERC CIP compliance. And we use that knowledge to give you all the cheat codes, hacks, and best practices available to not only “survive” your audit, but to build a culture of security and compliance around the standards themselves.
Speaking of Culture...
There has been a massive surge in changing the culture within utilities over the past few years. As has been said, “culture eats strategy for breakfast,” which simply means that, despite our best plans and processes, if our culture is not aligned with the goals of our organization (in the case of NERC CIP that means being both compliant and secure), then we will always be behind the proverbial eight-ball.
That’s another clear win for ICS456. We take the time to discuss the culture of compliance and the culture of security. We discuss the linkage to safety and reliability—that is, we understand the engineering of power systems and how compliance protects the utility and our very way of life through more secure power generation, transmission, and delivery.
But we can also help move toward more mature teams with a better sense of culture, training, and awareness. I discussed this when the GIAC Critical Infrastructure Protection (GCIP) certification went live in 2018, and I am pleased to see the hundreds of GCIP certified professionals join the ranks over the years. Having said that, we have so much more to do.
If you’re interested in joining us for the next session of ICS456 (either in-person, via LiveOnline, or onDemand), find out more here: www.sans.org/ics456
.jpg "ICS_Blog_Building a Better OT Ransomware Response Plan_340 x 340(1).jpg")
