NERC CIP Version 5 is now approved by FERC (though modifications are expected based on FERC comments in specific areas). Now is the time to start gearing up for the changes that are coming, and the sooner the better. Once the new version becomes enforceable, Utilities should already have a year’s worth of evidence available to validate their compliance against the new version.
But there are issues. With modifications to the standard likely, who wants to gear up for version 5 and then have to redesign and revamp that work when the modifications finally roll in? For example, one of the areas is the introduction of new language – “Identify, Assess, and Correct.” As written, auditable evidence does not appear to be required, and FERC wants that changed. So what is (or will be) the evidence expectation? Nobody knows for certain, and because this language is part of 17 Requirements in version 5, it places a major part of compliance into limbo. FERC’s comments on this language clearly show a concern about its auditability.
Does that mean it is best to take a wait-and-see attitude? I do not believe this is a good choice. If we think about the purpose of NERC CIP, it is a mechanism to ensure Utilities have effective cyber security practices, and there is more than enough best practice to chart a course through these muddied waters.
As I see it, controls are the quintessential backbone of cyber security practices. At a basic level, controls enforce cyber security-related policies and programs. More advanced controls validate “what we say we did” against “what we really did” – making the controls closed-loop.
For example, an advanced control for CIP Access Rights would have a compliance process for granting/revoking rights and it would produce the records of what has been granted and revoked (and to whom) – what we say we did. By querying Access Rights Systems, we can also document what Access Rights have actually been granted – what we actually did. Validation results from the comparison of the two datasets.
Move a control to an even more advanced level of sophistication, and it can now automatically produce the data-driven evidence that is needed to support the most stringent audit requirements.
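The closed-loop Access Rights control described above, as an added example that is not part of the original post or any particular product: the approval records from the grant/revoke process are replayed to derive the access state they claim, that claimed state is compared against a query of the access rights system, and every discrepancy is classified and packaged into a dated evidence record. The ticket numbers, user names and system names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

Access = Tuple[str, str]  # (user, system)


@dataclass(frozen=True)
class AuthRecord:
    """One record from the grant/revoke process: 'what we say we did'."""
    ticket: str
    user: str
    system: str
    action: str  # "grant" or "revoke"
    when: date


# Constructed sample approval records (hypothetical tickets, users and systems).
AUTH_RECORDS: List[AuthRecord] = [
    AuthRecord("T-100", "alice", "ems-primary", "grant", date(2014, 1, 5)),
    AuthRecord("T-101", "bob", "ems-primary", "grant", date(2014, 1, 6)),
    AuthRecord("T-102", "bob", "ems-primary", "revoke", date(2014, 2, 1)),
    AuthRecord("T-103", "carol", "substation-hmi", "grant", date(2014, 2, 10)),
]

# Constructed sample of 'what we actually did': the result of querying the
# access rights system for accounts that are currently active.
ACTUAL_ACCESS: Set[Access] = {
    ("alice", "ems-primary"),
    ("bob", "ems-primary"),      # revoke was approved but never carried out
    ("dave", "substation-hmi"),  # no approval record exists at all
}


def expected_access(records: List[AuthRecord]) -> Set[Access]:
    """Replay approvals in date order to derive the access state the records claim."""
    state: Set[Access] = set()
    for r in sorted(records, key=lambda rec: rec.when):
        key = (r.user, r.system)
        if r.action == "grant":
            state.add(key)
        elif r.action == "revoke":
            state.discard(key)
        else:
            raise ValueError(f"unknown action {r.action!r} in ticket {r.ticket}")
    return state


def reconcile(records: List[AuthRecord], actual: Set[Access]) -> Dict[str, List[Access]]:
    """Compare the claimed state with the observed state and classify each gap."""
    expected = expected_access(records)
    ever_authorized = {(r.user, r.system) for r in records}
    extra = actual - expected  # present on the system but not in the claimed state
    return {
        # a revoke was approved, yet the access is still present
        "revoked_but_present": sorted(a for a in extra if a in ever_authorized),
        # access exists with no approval record at all
        "never_authorized": sorted(a for a in extra if a not in ever_authorized),
        # a grant was approved but the access was never provisioned
        "approved_not_provisioned": sorted(expected - actual),
        # records and system agree
        "matched": sorted(expected & actual),
    }


def evidence_record(records: List[AuthRecord], actual: Set[Access], as_of: date) -> Dict[str, object]:
    """Package the comparison as a dated, reproducible evidence artifact."""
    findings = reconcile(records, actual)
    discrepancies = sum(len(v) for k, v in findings.items() if k != "matched")
    return {
        "as_of": as_of.isoformat(),
        "records_reviewed": len(records),
        "accounts_observed": len(actual),
        "discrepancies": discrepancies,
        "compliant": discrepancies == 0,
        "findings": findings,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_record(AUTH_RECORDS, ACTUAL_ACCESS, date(2014, 3, 1)), indent=2))
```

Running the block on the sample data reports three discrepancies: one incomplete revocation, one account with no approval at all, and one approved grant that was never provisioned. Scheduling this comparison and retaining each dated record is what turns the control from a one-off check into the ongoing, data-driven evidence the post describes; the classification of each gap also tells the reviewer which half of the process (approval or provisioning) failed.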
Well-designed Controls like these provide automation that simplifies work and produce evidence that meets the most rigorous audit expectations. When the Control is doing all of the heavy lifting, it is easy to opt to cover the worst-case scenario from an audit perspective. Even if FERC gets its way (and it probably will) in making auditable evidence a requirement for identify, assess, and correct – the most advanced controls already solve this challenge.
My advice is simple. Don’t wait. Think of this as the lull before the storm. Adopt a comprehensive controls approach now. By deploying the right set of CIP controls the evidence question becomes moot because the control will produce the evidence for even the most stringent requirements. Do it right and do it once. That way we can all get on to the other pressing matters calling for our attention.