Controls are becoming very important to NERC CIP compliance.
Yet these are not traditional oversight controls, they are reliability assurance controls. Sounds great, doesn’t it? The only challenge is – what are reliability assurance controls?
The best way to understand what reliability assurance controls are is to look at some common threats to reliability assurance. Logical or physical access rights that have not been properly reviewed and approved prior to being provisioned are a threat. Ports and services that are enabled when they should not be are a threat. Missed events from logs that are not collected and processed for asset issues are a threat. Security patches that have not been installed are a threat. Security patches that have been installed, but have not been properly assessed are a threat.
These are all examples of situations where a Utility can be exposed to unnecessary cyber security risk. Any one of these threats has the potential to open up an exploit that can be compromised by a hacker (an unreliable situation).
The risk to the Utility associated with these kinds of threats is the combination of a) how many of these situations occurs, b) how long it takes for us to find them, and c) how quickly we resolve or correct them once they are found.
Reliability assurance controls should reduce the number, frequency, and elapsed time of these threats. To do that controls need to include closed-loop capabilities. They need to enforce compliance processes and produce the records of what is approved (what we say we did). They need to extract and process the data needed to determine what was actually done (what really happened). And they need to notify us of any inconsistencies between the two (the variance). Of course, they should also facilitate resolving any inconsistencies as well.
If our reliability assurance controls are really good, then a big shift happens. We find that any of these threats that do occur are brought to our attention in minutes or hours; not days, weeks, months (or years!). Once they are found, they can be resolved – immediately.
That is certainly a big shift from a quarterly, yearly or audit-based cycle of discovery. Think about it. If you are in the middle of a CIP audit, and your last CIP audit was three years ago, and find one of these compliance issues how long has that vulnerability existed? Several months? A year? Several years?
Effective reliability assurance controls need to reduce the number of this issues that exist in the first place, and find any that do occur now. Finding and resolving compliance issues in near real-time is an important part of protecting our grid and goes a long way in helping us build an effective reliability assurance program.