By Phil Marasco, CISSP and Jay Abshier, CISSP
If you are a North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) assessor, you probably spent much of last year in electric substations and operation centers helping power companies perform due diligence in addressing the requirements of NERC's CIP standards. You probably worked with some very talented operations personnel confirming the settings and configurations of thousands of cyber assets in preparation for their NERC CIP audit. Several power companies went through an audit after these authors' visits, and their comments and questions prompted this article.
Until you have actually been through the process at least once, there will likely be some uncertainty regarding how you should prepare. However, with some planning and focus, the process should not be as daunting as some would have you believe. While it would be nearly impossible to cover all the requirements that should be checked during a CIP assessment, a look at a few key assessment activities will benefit anyone facing an audit. This information can also be applied to other technology audits, such as those under the Federal Information Security Management Act (FISMA) and the Gramm-Leach-Bliley Act (GLBA).
This article examines two aspects of a CIP audit: first, preparing your response and documentation, and second, preparing for the audit itself.
Prepare Your Response and Documentation
First, make sure the whole organization understands what CIP requires. This might seem straightforward, but experience shows this is not always the case. There are usually individual groups in an organization that have a good understanding of what is required, but that knowledge rarely makes it across all the groups with CIP responsibilities. For example, in a pre-audit one group provided a list of approved TCP/IP ports and services used on each cyber asset in every electronic security perimeter. However, another group in the same company provided, for their list of approved ports, a network diagram showing which Ethernet port on each switch had an asset connected. Each group thought that their list was complete and correct and could not understand the other group's interpretation of the requirements.
Your organization needs to ensure that each of the entities responsible for a portion of CIP interprets and implements the requirements consistently and can justify its actions. The largest differences are usually in organizations where there were administrative/functional separations between the groups, such as the Windows administrators versus Unix administrators or operations center operators versus substation technicians. It helps to use a single person or team to compile the pre-audit documentation and perform the walk-through to ensure consistency.
Once your response to the CIP standards is implemented and documented you are prepared for the audit—right? Maybe not.
Prepare for the Audit
Prepare for Diverse Interpretations of the Standards. Not being prepared allows the auditors to apply their own interpretation of the standards without tempering that view with your research and efforts. Differing interpretations of the standards are probably due to two circumstances—imprecise measures and diverse audit teams.
First, the measures listed for each standard do not provide any test criteria or parameters. Some argue this was by design, to allow the standards to adapt and be applied to all the different architectures and technologies represented by generation and transmission (and maybe distribution?). The problem, of course, is that auditors apply standards, and less precision in those standards gives an auditor more leeway regarding how to apply measures for compliance. This can work in a company's favor, but it is much more likely to work against your best interests.
Second, the audit teams are the responsibility of the NERC regional entities. While it is good that regional interests are represented, by definition each region will have different representation with different interpretations. Mix imprecise standards with inconsistent audit teams, and it should surprise no one that audits across different regions may result in very different outcomes. Evidence of this can be found in several companies that had very similar pre-audit assessment results, but very different official audit outcomes.
Your best defense to ensure consistent results is to make your approach to CIP consistent and to document the justification for each of your CIP implementations. It will be harder for an auditor to issue a finding if you show a consistent and clear approach for your implementations. If a company does the work in good faith and with sound reasons, its audit results tend to be more consistent and favorable than those of companies that do not implement CIP consistently across the entire organization. The effort required to coordinate a consistent response involving large numbers of devices, people and real estate is great and requires significant resources, but failing to expend them can lead to very unfavorable audit findings.
For example, a customer had an issue with particular Windows services that used dynamic, or random, ports when they were started. This made it difficult for the customer to comply with CIP-007-2a R2.1, which says that the responsible entity shall enable only required ports and services. The customer was worried that an auditor might issue a finding that, since the ports changed every time the service restarted, they were not in compliance with CIP-007-2a R2.1.
The company prepared by approaching the vendor about achieving compliance, but ultimately the vendor determined that compliance was not possible, and since the service was required, no compensating measure should be required. The company saved all the correspondence with the vendor, along with its own documentation and research, to prove there was no other choice.
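The dynamic-port problem above is easier to defend if the ports-and-services baseline for each cyber asset is documented in a form that can be checked mechanically before the auditor arrives. The following is an added example, not code from the article or its authors: it reconciles a constructed CIP-007-2a R2.1 baseline against a snapshot of observed listeners, approving a dynamic-port service only when its process is listening inside the range the documentation records. Asset names, service names and port numbers are constructed samples.

```python
# Added example (not from the article): reconcile a cyber asset's documented
# ports-and-services baseline against observed listeners for CIP-007-2a R2.1.
from typing import Dict, List, Tuple

# Constructed baseline, one entry per cyber asset.
#   "static"  maps (protocol, port) -> approved service name
#   "dynamic" maps a service name -> (protocol, low, high) for services that,
#             like the Windows services in the article, pick a port at start-up;
#             what the documentation approves is the range, not a single port.
BASELINE: Dict[str, dict] = {
    "EMS-APP-01": {
        "static": {("tcp", 22): "sshd", ("tcp", 443): "ems-web"},
        "dynamic": {"historian-rpc": ("tcp", 49152, 65535)},
    },
}

Listener = Tuple[str, int, str]  # (protocol, port, process name)


def reconcile(asset: str, observed: List[Listener]) -> Dict[str, List[str]]:
    """Classify each observed listener against the asset's documented baseline.

    Returns findings grouped as:
      approved   - matches a static entry, or a dynamic service inside its range
      unapproved - a listener the documentation does not cover (an R2.1 finding)
      drift      - static entries documented but not actually listening
    """
    doc = BASELINE.get(asset, {"static": {}, "dynamic": {}})
    static, dynamic = doc["static"], doc["dynamic"]
    findings: Dict[str, List[str]] = {"approved": [], "unapproved": [], "drift": []}
    seen_static = set()
    for proto, port, proc in observed:
        key = (proto, port)
        if key in static:
            seen_static.add(key)
            findings["approved"].append(f"{proto}/{port} {proc} (static: {static[key]})")
            continue
        rng = dynamic.get(proc)
        # A dynamic-port service is approved only on its documented protocol and range.
        if rng and rng[0] == proto and rng[1] <= port <= rng[2]:
            findings["approved"].append(f"{proto}/{port} {proc} (dynamic {rng[1]}-{rng[2]})")
            continue
        findings["unapproved"].append(f"{proto}/{port} {proc}")
    # Documentation that lists a listener which is not there reads as sloppy work.
    for key, svc in static.items():
        if key not in seen_static:
            findings["drift"].append(f"{key[0]}/{key[1]} {svc} documented but not listening")
    return findings
```

Feeding the function the output of a per-asset listener inventory (for example, parsed `netstat` output) gives the walk-through team a list of exactly the items an auditor could question.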
Ensure a Mutual Understanding of the Scope. All of the variables involved in CIP compliance and audits—different audit teams, imprecise standards, different interpretations of the requirements and very different environments to be audited—contribute to potentially unpredictable audit results. These variables can be counteracted by achieving a clear and mutual understanding of what is in scope for the audit and auditor actions that will and will not be allowed. While your attempt to accomplish this with the audit teams may meet limited success, at the very least, make sure your teams are aware of what will be expected of them and what they will expect of the auditors.
Define Actions that Are and Are Not Allowed. Do not assume that auditors will ask to see or do something only when necessary. For example, auditors should never need to see a password to verify its complexity. If you show a password to an auditor to prove compliance with CIP-007-2a R5.2, then it must be changed immediately. If you do not, you will not be in compliance. Instead of showing passwords to prove they meet complexity requirements, you can provide examples of acceptable passwords and show how the default password no longer works.
Auditors should also never need to "test" physical controls. Trying to see if a cover is anchored securely by yanking on it is more akin to a penetration test than standard audit practices. Auditors should not damage property or ask that security controls be circumvented in order to assure that the controls are adequate.
Auditors should observe and record and not "penetrate." Nor should auditors ask your personnel to do something that violates your organization's established processes or policies. You shouldn't need to dismantle your infrastructure to prove your compliance. An audit team should not need the use of power tools to complete an audit.
Conducting a pre-audit walk-through really pays off. If you have never been audited, a walk-through will show you what kind of effort your organization will need to ensure success. Many companies do not realize that all assets are fair game. A pre-assessment of sample assets is not audit preparation. You need to check all your assets.
And, by the way, the above examples were not fabricated.
There are always electronic security perimeter diagram typos. Be prepared to double-check your work and documentation in minute detail. While a typo may be trivial, an auditor may think it is evidence of sloppy work and bad documentation.
The same internal teams should be used to work the pre-audit and then the actual audit. Everyone gets used to the process, and they are much less likely to get flustered or be inconsistent with the audit team.
Protect your critical assets. Auditors do not need to do anything that may compromise the bulk electric system, and auditors should be subject to all the safety and security rules you have in place.
If you refuse to let an auditor take an action that is in violation of your safety or security controls, be prepared to help them achieve their objective using acceptable methods.
Do not exempt the auditors or pre-audit assessors from standard safety briefings. Not only is that good policy, but also the audit team expects it. Requiring EVERYONE to be trained on and follow policy and procedures also focuses the company's team, and where CIP is concerned focus is exactly what is required.
Phil Marasco, CISSP, ISON, LLC, Phil.Marasco@ison.com
Jay Abshier, CISSP, Sentigy, firstname.lastname@example.org