By Phil Marasco, CISSP and Jay Abshier, CISSP
If you are a North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) assessor, you probably spent much of last year in electric substations and operations centers helping power companies perform due diligence in addressing the requirements of NERC's CIP standards. You probably worked with some very talented operations personnel confirming the settings and configurations of thousands of cyber assets in preparation for their NERC CIP audit. Several power companies went through an audit subsequent to these authors' visits, and their comments and questions prompted this article.
Until you have actually been through the process at least once, there will likely be some uncertainty regarding how you should prepare. However, with some planning and focus, the process should not be as daunting as some would have you believe. While it would be nearly impossible to cover all the requirements that should be checked during a CIP assessment, a look at a few key assessment activities will benefit anyone facing an audit. In fact, this information can also be applied to other technology audits, such as those under the Federal Information Security Management Act (FISMA) and the Gramm-Leach-Bliley Act (GLBA).
There are two aspects of a CIP audit that are examined by this article: First is preparing your response and documentation, and second is preparing for the audit.
Prepare Your Response and Documentation
First, make sure the whole organization understands what CIP requires. This might seem straightforward, but experience shows this is not always the case. There are usually individual groups in an organization that have a good understanding of what is required, but that knowledge rarely makes it across all the groups with CIP responsibilities. For example, during a pre-audit assessment one group provided a list of approved TCP/IP ports and services used on each cyber asset in every electronic security perimeter. However, another group in the same company provided, as its list of approved ports, a network diagram showing which Ethernet port on each switch had an asset connected. Each group thought that its list was complete and correct and could not understand the other group's interpretation of the requirement.
Your organization needs to ensure that each of the entities responsible for a portion of CIP interprets and implements the requirements consistently and can justify its actions. The largest differences are usually in organizations where there were administrative/functional separations between the groups, such as the Windows administrators versus Unix administrators or operations center operators versus substation technicians. It helps to use a single person or team to compile the pre-audit documentation and perform the walk-through to ensure consistency.
Once your response to the CIP standards is implemented and documented you are prepared for the audit—right? Maybe not.
Prepare for the Audit
Prepare for Diverse Interpretations of the Standards. Not being prepared allows the auditors to use their interpretation of the standards without tempering that view with your own research and efforts. Differing interpretations of the standards are probably due to two circumstances: imprecise measures and diverse audit teams.
First, the measures listed for each standard do not provide any means tests or parameters. Some argue this was by design, to allow the standards to adapt and be applied to all the different architectures and technologies represented by generation and transmission (and maybe distribution?). The problem, of course, is that auditors apply standards, and less precision in those standards provides an auditor more leeway regarding how to apply measures for compliance. This can work in a company's favor, but it is much more likely to work against your best interests.
Second, the audit teams are the responsibility of the NERC regional entities. While it is good that regional interests are represented, by definition each region will have different representation with different interpretations. Mix imprecise standards with inconsistent audit teams, and it should surprise no one that audits across different regions may result in very different outcomes. Evidence of this can be found in several companies that had very similar pre-audit assessment results but very different official audit outcomes.
Your best defense to ensure consistent results is to make your approach to CIP consistent and to document the reasons for every CIP implementation decision. It will be harder for an auditor to issue a finding if you can show a consistent and clear approach for your implementations. If a company does the work in good faith and with sound reasons, its audit results tend to be more consistent and favorable than those of companies that do not implement CIP consistently across the entire organization. The effort required to coordinate a consistent response involving large numbers of devices, people and real estate is great and requires significant resources, but not expending them can lead to very unfavorable audit findings.
For example, a customer had an issue with particular Windows services that listen on dynamic ports: rather than a fixed port, these services are assigned a port from the operating system's dynamic range each time they start. This made it difficult for the customer to comply with CIP-007-2a R2.1, which says that the responsible entity shall enable only those ports and services required for normal and emergency operations. The customer was worried that an auditor might issue a finding that, since the ports changed every time the service restarted, the documented ports-and-services list could never match what was actually listening, and the customer would therefore not be in compliance with CIP-007-2a R2.1.
The company prepared by approaching the vendor about making the service listen on a fixed, documented port. The vendor ultimately concluded that this was not possible, and since the service was required for operations, the company's position was that no compensating measure beyond documenting the exception was required. The company saved all the correspondence with the vendor, along with its own documentation and research, to prove there was no other choice.
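The practical check behind this kind of documentation is a comparison of what is actually listening on a cyber asset against the approved ports-and-services list, with dynamic-port services approved by service name rather than by port number. The following is an added example, not code from the article or from the company it describes. It assumes the shape of `netstat -abno` output on a Windows host and the Windows dynamic port range of 49152 to 65535; the sample output, the baseline, and the service and image names `HistorianSvc`, `historian.exe`, `webui.exe` and `legacy.exe` are constructed for illustration and are not taken from the article.

```python
"""Compare a host's listening TCP ports against an approved ports-and-services
baseline. Documented dynamic-port services are matched by service name, so a
port that changes on every restart does not by itself produce an exception.
Added example; all sample data below is constructed, not real audit evidence.
"""

import re

# Windows (Vista and later) allocates dynamic listeners from this range.
DYNAMIC_PORT_RANGE = range(49152, 65536)

# Constructed sample in the shape of `netstat -abno` output (not real data).
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1024
  TermService
 [svchost.exe]
  TCP    0.0.0.0:49670          0.0.0.0:0              LISTENING       1532
  HistorianSvc
 [historian.exe]
  TCP    0.0.0.0:49671          0.0.0.0:0              LISTENING       1600
 [legacy.exe]
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2210
 [webui.exe]
"""

# Constructed baseline: fixed port -> approved owner (None = owner not checked),
# plus the set of services documented as using a dynamic port.
APPROVED_PORTS = {135: "RpcSs", 445: None, 3389: "TermService"}
APPROVED_DYNAMIC_SERVICES = {"HistorianSvc"}  # hypothetical vendor service

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_netstat(text):
    """Return a list of dicts (port, pid, owner, image) for LISTENING TCP
    sockets. `owner` is the service name when netstat prints one, otherwise
    the image name in brackets; it stays None when ownership is unavailable."""
    listeners = []
    current = None
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "pid": int(m.group(2)),
                       "owner": None, "image": None}
            listeners.append(current)
            continue
        if line.lstrip().startswith(("TCP", "UDP")):
            current = None  # non-listening or UDP socket: not tracked here
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            current["image"] = s[1:-1]
        elif s and not s.startswith("Can not obtain"):
            current["owner"] = s
    for entry in listeners:
        if entry["owner"] is None:
            entry["owner"] = entry["image"]
    return listeners


def evaluate(listeners, approved_ports, approved_dynamic):
    """Classify each listener as approved, approved-dynamic or unapproved."""
    findings = []
    for entry in listeners:
        port, owner = entry["port"], entry["owner"]
        if port in approved_ports:
            expected = approved_ports[port]
            if expected is None or expected == owner:
                status = "approved"
            else:  # right port, wrong process: still an exception
                status = "unapproved"
        elif port in DYNAMIC_PORT_RANGE and owner in approved_dynamic:
            status = "approved-dynamic"
        else:
            status = "unapproved"
        findings.append((port, owner, status))
    return findings


def exceptions(findings):
    """Return only the listeners an auditor would ask about."""
    return [f for f in findings if f[2] == "unapproved"]


if __name__ == "__main__":
    results = evaluate(parse_netstat(NETSTAT_SAMPLE),
                       APPROVED_PORTS, APPROVED_DYNAMIC_SERVICES)
    for port, owner, status in results:
        print(f"{port:>5}  {str(owner):<14} {status}")
```

Note what the two dynamic-range ports show: 49670 is approved because its owning service is on the documented dynamic-service list, while 49671 is flagged even though it sits in the same range, because nothing documents `legacy.exe` as needing a dynamic port. Running this on each asset before the audit, and keeping the output alongside the vendor correspondence, turns "the port changes every restart" into a reproducible, justified exception rather than an unexplained discrepancy.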