Becoming NERC CIP-Compliant

Following is a high-level view of these phases and some typical tasks in each:
Phase 1: Critical asset and cyber asset identification

• Task 1: Establish governance.
• Task 2: Develop methodologies.
• Task 3: Identify critical assets.
• Task 4: Develop cyber asset inventories.
• Task 5: Identify critical cyber assets.

Phase 2:  Gap Analysis

• Task 1: Develop and validate electronic security perimeters with access points.
• Task 2: Develop and validate physical security perimeters with access points.
• Task 3: Gap analysis between current state and CIP requirements.
• Task 4: Develop recommendations for policies and procedures.
• Task 5: Develop recommendations for technical and infrastructure changes, including software required for document, change, log file and configuration management, etc.
• Task 6: Establish approval and budget for gap closure; select and procure any required tools or equipment.

Phase 3:  Implement recommendations to close gaps

• Task 1: Implement changes or additions to policies.
• Task 2: Implement changes or addition to procedures.
• Task 3: Implement technical and infrastructure changes.

Phase 4:  Auditable compliance

• Task 1: Collect required forms, logs and other documentation for one calendar year.

Establishing a Compliance Process

The resources required for a CIP compliance project and ongoing compliance will be determined by the size of a company.  In general, the equivalent of three to ten full-time employees are required to complete a compliance project and one to four to ensure ongoing compliance.

From a documentation point of view, for a single entity, the requirements for policies, procedures and forms typically include about 140 policy statements in fourteen policy documents, 20 to 30 procedures and 50 to 60 forms.

From a software tool point of view, compliance typically requires software for document management, change control, configuration discovery and management, log file consolidation and analysis, anti-virus, intrusion detection, network access control and end-point (workstation) device control.

Also, to be “auditably compliant,” an entity must collect one calendar year’s worth of documentation.  This means that if compliance with CIP is required by June of 2010, then the collection of documentation (essentially being compliant without the collected documents) must start on Jan 1, 2009. 

Conclusion

Any new regulatory requirement poses risks, and the implementation of NERC reliability standards compliance is no exception. Entities that act early and proactively to become  compliant will benefit in several ways. They will establish a positive relationship with NERC auditors and rule-setting committees that will enhance their influence in setting further reliability compliance standards. Shareholders and investors are likely to view compliant entities with more confidence. Finally, compliance minimizes the possibility of financial penalties as well as other financial, legal and personal risks that can damage an entity’s reputation.

Jay Abshier, CISSP, is a senior principal consultant with  KEMA Inc.

Penalties for non-compliance use the standard FERC and NERC penalty matrix, with fines ranging from $1,000 to $1,000,000.