In the previous article of our Countdown to NERC CIP V5 Compliance series, we talked about performing mock audits to prepare for the eventuality of a formal audit. This week, we are once again going to be talking about the intersecting topics of compliance and security.
In Peter Key’s December article on EnergyBiz, entitled 8 ways to ensure CIP V5 compliance, Key compiled advice from discussions with cybersecurity experts about best practices for CIP V5 compliance. While there are many great takeaways from the article (and we will discuss more than one of his points in this series), today I will be taking an opposing view in regard to one of the article’s assertions.
Tip #2: Keep the Focus on the Requirements
Key notes in the article that an important aspect of compliance for electric utilities is to “maintain visibility” of their cyber assets and networks to ensure they are secure through the use of applications. However, it’s also worth noting that applications are not the focal point with regard to NERC CIP compliance.
SigmaFlow’s VP of NERC Solutions Terry Schurter had this to say:
“In the electric industry and with NERC CIP, applications are definitely not the focus. I’m not saying they are not important, but applications are actually a very limited subset of the overall NERC CIP standards.
In the NERC CIP standards, applications are part of the Software that must be tracked, managed, and updated as needed to close any security vulnerabilities. Unlike many other industries, there are no applications installed in the critical infrastructure that have not gone through a robust compliance review. All of the settings for ports and services for each application must be reviewed, approved, and justified. The accounts that give access to applications must be granted to people who meet all prerequisite criteria on a needs-only basis. The same goes for networks where ESPs must be clearly defined, cyber systems within them identified, and Access Points identified and controlled.
Again, all of these things don’t just happen under NERC CIP; they all follow a set of formal processes that are designed to ensure that only what should be in the infrastructure is in the infrastructure.
While it makes sense to have the capability to look into and extract information about cyber assets and networks for the information that will prove that CIP approved configurations are in fact provisioned, and nothing else is provisioned, it is a component of a CIP program and not the means to an end.
I think that oftentimes there are technologies that can do really cool things and a lot of those things can make a big difference in helping solve specific problems for a particular industry or business. But I also think that keeping the focus on what the CIP standards are actually requiring, and producing the evidence that demonstrates adherence, is where the energy industry needs to be focused. Solve that challenge first before considering different approaches and technologies that can augment the CIP program.”
In conclusion, while many aspects of cyber security absolutely apply to and can contribute toward NERC CIP compliance, electric utilities will benefit from focusing on meeting the requirements as the end goal when implementing an overall compliance plan.
Thanks for reading! I post a new tip every Friday here on the SigmaFlow Blog, so be sure to check back or follow SigmaFlow on Twitter, Facebook, or LinkedIn if you want to stay up-to-date on the latest articles.
Read the next article in this series: Countdown to CIP V5 Compliance: Go Beyond the Standards