Thanks to FERC’s Order 822, the North American Electric Reliability Corporation’s critical infrastructure protection standards, known as NERC CIP, are continually updated. Seven updated standards proposed by NERC for inclusion have now been accepted. April 1st, 2016, was the compliance deadline for the NERC CIP v5 requirements. Most of the newly-approved standards had a compliance date of July 1st, 2016, (“the first day of the first calendar quarter that is three calendar months after the date that the standard is approved by an applicable governmental authority”), with notable exceptions called out in Order 822 itself. My objective here is to talk meaningfully about the changes in the CIP v6 standards themselves. There are seven newly-approved standards to consider.
Staying Up to Date with NERC CIP Standards
The changes for CIP-004-6, CIP-007-6, CIP-009-6 and CIP-011-2 primarily revolve around two consistent items. First, NERC eliminated a specific bit of language: “ … in a manner that identifies, assesses, and corrects deficiencies.” This language appeared in a number of the CIP requirements, but FERC determined in Order 791 that the language “is too vague to be audited.” The second change is updating guidance to specifically include Transient Cyber Assets and Removable Media. CIP-004-6 and CIP-011-2 include specific additions that bring these devices into the existing requirements. The actual requirements for managing and securing transient assets and removable media are addressed in CIP-010-2, but we’ll get to that. I asked one of our NERC Alliance Network partners specializing in CIP training how the changes in CIP-004 will affect registered entities. Nick Santora, from the security awareness training company Curricula, recommends that organizations get their training in place as early as possible. “Otherwise, you will need to perform and demonstrate training for your entire staff, contractors, vendors, etc… [without enough time to prepare]. That could wind up becoming very messy to manage.” Outside of that larger issue, the primary benefit of these changes is greater clarity in the requirements and, hopefully, a cleaner, more consistent NERC CIP audit process. If, however, you were already well on your way to compliance with the corresponding NERC CIP v5 standards, the impact is probably minimal.
CIP-003-6: Security Management Controls
The key change from v5 to v6 here is the treatment of Low Impact BES Cyber Assets. For CIP-003-6 R1, the requirement removes the qualification of “high and medium” from the top level and splits the underlying requirements into a section for high- and medium-impact assets and a separate section for low-impact assets. Specifically, requirement R1.2 now specifies that registered entities must have a policy (and, therefore, corresponding controls) for low-impact BES Cyber Assets that addresses cybersecurity awareness, physical security controls, electronic access controls for low-impact external routable connectivity (LERC), dial-up connectivity and cybersecurity incident response. This isn’t really new. It’s effectively a collapse of CIP-003-5 R1 and R2 into a single R1 requirement. The new CIP-003-6 R2 now lays out extended details for the requirements for low-impact assets. The sections required in the policy are now called out more specifically, along with various cycle durations, such as NERC CIP training every 15 months. These details should help both entities and vendors achieve and maintain compliance, but it’s unlikely that they materially impact organizations that were already well situated with regard to CIP-003-5.
CIP-006-6: Physical Security of BES Cyber Systems
The new revision of CIP-006 adds a requirement, R1.10, to address physical security of “cabling and other nonprogrammable communication components” located outside a physical security perimeter. A key component of this new requirement is what it demands where physical security of these components is not in place. Essentially, if you can’t adequately protect such components physically, you must implement a set of logical controls: encryption of data that transits those components, monitoring and alarming on networks that traverse those components, or “an equally effective logical control.” Practically, the objective here is to prevent physical tampering that results in logical access. Registered entities either have to put the physical controls in place or demonstrate that they can effectively prevent or detect such tampering.
CIP-010-2: Configuration Change Management and Vulnerability Assessments
Can you contain your excitement? We’re finally at the shiny, new requirement for Transient Cyber Assets and Removable Media! Consensus. The juicy details are in Attachment 1, specified by R4. The controls themselves are not overly onerous and include what many would consider best practices. For transient assets, you must have processes for authorization and for mitigation of vulnerabilities, malicious code and unauthorized use. These apply, with some exceptions, whether the assets are owned by the entity itself or by a third-party provider. For removable media, two controls are specified: authorization and malicious code mitigation. There’s no doubt that this requirement effectively expands the scope of NERC CIP, both in application and in audit. Entities will need to spend time defining and documenting compliant processes, and they may have to actually implement those processes as well. While the true impact will become clear over time, it’s safe to say that the requirements to securely manage transient assets and removable media are valuable and will ultimately improve the overall security and reliability of the electric supply. It’s important to build NERC CIP training programs for the relevant employees.
NERC CIP Compliance Impact Considerations
NERC CIP v6 is largely about scope, so its impact will depend on how the scope expansion affects your organization. The expansion of requirements to low-impact assets has zero impact if you don’t have any. The same goes for transient assets and removable media. While there aren’t many organizations in that situation, scope reduction is absolutely a valid strategy for any compliance program, NERC CIP compliance included. While it may seem obvious to state, don’t wait to determine how you’re going to address the updated NERC CIP standards. If there’s the potential for budgetary impact (and there is), the sooner you start planning, the better.
Allowlisting from Tripwire
One way you can streamline your operations around NERC CIP v6 compliance is with Tripwire's allowlisting capabilities. Tripwire lets you define system settings in alignment with compliance standards like NERC CIP, automating compliance and delivering hard proof to share with your auditors. Settings are enforced through agent-based scans, which send alerts directly to your Tripwire Enterprise dashboard when compliance misconfigurations are discovered. Learn more about how Tripwire technology can help you achieve ongoing, audit-ready NERC CIP compliance by reading our case study on how Western Farmers Electric Cooperative guards its systems with Tripwire.