Bolstering security for networks that govern critical infrastructure has been one of the nation’s highest priorities for several years, and key to this effort is the continued development of workable cybersecurity standards that unify efforts across the patchwork of independent entities which manage the energy, power and chemical sectors.
The bulk of that effort is the responsibility of the North American Electric Reliability Corporation (NERC), a non-profit agency which operates under the Federal Energy Regulatory Commission (FERC) and is responsible for the development of the Critical Infrastructure Protection (CIP) standards.
The first NERC CIP standards went into effect in 2008, and since then several new versions have added requirements and broadened the number of entities and assets in scope.
Currently the industry is subject to CIP version 3, but they are working to meet a deadline to become compliant with version 4 by April of 2014.
Now both NERC & FERC have indicated that they may do away with version 4 altogether in favor of the still to be approved version 5, which is being held up mainly because FERC does not approve of the implementation plan NERC submitted.
Once NERC re-submits the implementation plan, it will most likely be approved, and registered entities will begin an arduous two-year process of achieving compliance before they actually become subject to the new requirements.
So what does all this mean to the affected organizations? It means they must maintain a compliant status under version 3 while working to implement the additional requirements of version 4 – namely CIP-002 which deals with the identification of Critical Assets and Critical Cyber Assets – while also looking over the horizon at the sweeping changes in version 5.
To gain a better perspective on this entire process we spoke at length with James Holler CISA, CRSA, CCIPA, CVI (@NERCGuru), principal at Abidance Consulting, who along with hundreds of others is a member of the Standard Drafting Team (SDT) which worked for the better part of a year drafting NERC CIP v5 using the NIST 800 standards as a baseline.
Holler has extensive standards and compliance experience in multiple sectors. In 1996, Holler assisted in the creation of what would emerge as the Health Insurance Portability & Accountability Act (HIPAA), and has developed compliance solutions for the Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (SOX) which have been utilized by some of the largest companies in the world.
Holler has been deeply involved with NERC CIP Standards since 2006, having participated in more than 70 NERC related audits, as well as developing numerous training programs for some of the largest NERC-covered registered entities in the energy sector.
Holler’s intimate involvement in the NERC CIP v5 development gives him an unparalleled perspective into the entire process, and it is our hope that this interview will provide affected organizations and security professionals valuable insight into the complicated nature of the pending changes to the compliance mandates:
Q: What spurred the v5 round of CIP changes before v4 has even been implemented?
Holler: Many people felt that version 4 was not a mature set of standards and only expanded on version 3 slightly. Version 5 is a huge step forward from any of the previous versions of CIP. The format has the look and feel of the PCI requirements, which is better than the previous versions of the CIP requirements.
Q: Where are we exactly in the process?
Holler: Version 5 was submitted to FERC for regulatory approval in January of 2013. NERC requested that FERC “retire” version 4 and use version 5 to replace version 3. FERC has agreed within their NOPR (Notice of Proposed Rulemaking) and public commission statements that this approach is reasonable and they are working towards getting that done.
Q: What is the likelihood v4 will be abandoned in favor of implementing v5?
Holler: It is very likely… NERC, FERC and the registered entities feel that V5 of the standards is a more mature set of standards which will produce added reliability and security. By moving straight to V5, entities can start their transition early, thus freeing up the time and resources needed for V4.
Q: What happens then to the v4 implementation deadline?
Holler: The deadline stays intact until such time as FERC “retires” version 4.
Q: Can you offer insight regarding time frames and the scope of v5?
Holler: Once version 5 is approved – hopefully later this summer or early fall – the NERC registered entities will have 24 months to comply.
Q: What are the biggest changes we will see between v3 and v5?
Holler: There are several huge changes, and there are literally hundreds of additional areas other than the ones I will list here. Version 5 now requires the following:
- Role-based instead of risk-based classifications
- Multiple levels of compliance – Low, Medium and High Impact (in theory, a company could have 10 facilities of which six are low impact facilities, three are medium impact facilities, and one is a high impact facility)
- New terminology (such as BES Cyber Asset)
- All serial connections are to be considered
- Multi-factor authentication requirements
- Triggers are required to be defined for recovery plans
- All software (COTS and custom) must be known
- All security patches from the beginning of time on each device must be known
Q: More assets come into scope with the v5 Low Med High risk based model, will more entities be covered as well?
Holler: Yes… Virtually all NERC registered entities are caught up in this, though most will be Low Impact facilities.
Q: What will we see in regards to additional change management and vulnerability assessment requirements – specifically with the two new CIP requirements CIP-010 and CIP-011?
Holler: CIP-010 and CIP-011 are “nasty” ones. I expect a lot of violations to occur with these standards as many people will not do what is necessary to comply. My personal feelings are that many entities will try to get compliant with the requirements without the assistance of outside help (consultants) who are familiar with the requirements. This is one of the primary reasons we (Abidance Consulting) created a CIP, Version 5 Auditors Training course to teach them what they need to know.
Q: Is generating evidence of compliance still the main goal for v5 – for instance documenting for CIP-007 R2 the justifications for ports and services?
Holler: Yes and no. Yes, you must still show evidence of why a port is open or closed, but then you have to justify the evidence/reason. By providing multiple layers of evidence (stacking the evidence), the better it is for them during an audit or spot check.
Q: Has it been determined what kind of evidence will be needed for CIP-007 R3 in v5 for software updates of security-related patches given that that requirement becomes more burdensome?
Holler: Yes… NERC has given multiple layers of evidence types that are acceptable. NERC states for CIP-007-5 R3.1 that “an example of evidence may include, but is not limited to, records of the Responsible Entity’s performance of these processes (e.g., through traditional antivirus, system hardening, policies, etc.).”
Q: With all the uncertainty, when do registered entities need to start capturing data for v4 or v5 audits?
Holler: Unfortunately, they need to start now on version 4, or they should have already started. For version 5, some should start now – the larger the registered entity is, the sooner they should start. I have talked with several very large registered entities and they say that even starting now, they may not be able to be ready in time.
Q: In the meantime, will NERC / FERC provide guidance to registered entities regarding v4?
Holler: They already have. Every registered entity is required to check the NERC, FERC and appropriate regional entity website regularly for any changes. NERC, FERC and the regional entities are not able to keep a 100% accurate email list for every registered entity, therefore it is the responsibility of the NERC registered entity to make themselves aware. It is things like this that cause registered entities to look at us for managed services because we have staff that are dedicated to doing nothing but “scrub” the web-sites daily. Many people still don’t know that they are required to have a Pandemic or an Internal Compliance Program, because they don’t visit the sites.
Q: What else do we need to know?
Holler: NERC is working with the industry, Regions and Trade Associations to develop guidance for transitioning to CIP V5. This guidance will be released mid-July and will help entities with their transition from V3 to V4 (if applicable) to V5.
* * *
Editor’s Note: Abidance Consulting is offering their NERC approved CIP version 5 Auditors Course at no charge (the normal course fee of $499 per attendee) for the first 35 registrants from an approved NERC registered entity who reference this article. This course will be held in Berkeley, CA (20 minutes from San Francisco). To register or to receive additional information, please email James Holler directly at firstname.lastname@example.org.