The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Standards are a cybersecurity compliance framework designed to protect utility organizations. Adhering to these guidelines is essential—falling short will leave your environment vulnerable to malicious actors and can result in some hefty fines. NERC CIP is a burdensome set of standards, so when it comes to strategizing how you will bring your organization into compliance, it can be difficult to know where to even start.
Through collaborating with Tripwire utility customers that have successfully brought their organization into NERC CIP compliance, I’ve developed a maturity model that will help you outline your strategy for tackling NERC CIP yourself.
It’s important to realize that you will not be able to achieve NERC CIP compliance overnight. Tripwire offers solutions that can help you in nearly every element of NERC CIP that involves technical controls. However, your keys to success are the people and processes that work with these technical components. These take longer to develop and adjust. The best course of action is to implement a bit of technology at a time and then let your people and processes adapt before moving on. This will allow you to ultimately scale your implementation across your entire organization.
There are four phases to the NERC Maturity Model.
Phase 1: Implement Tripwire Enterprise
Tripwire® Enterprise is the first core tool that you will use for addressing NERC CIP compliance. Therefore, implementing it should be your first course of action. Tripwire Enterprise is a powerful tool with broad capabilities—it can collect a great deal of information from a wide variety of asset types.
You will use Tripwire Enterprise for many functions that will help you tackle NERC CIP standards. It will monitor the system state of your assets and will note if there have been any changes to their configurations. You can also set it up to evaluate the configuration against a certain standard (in this case NERC CIP). Tripwire Enterprise also has robust reporting capabilities that will provide you with evidence reporting and help create holistic visibility.
Phase 2: Implement Tripwire State Analyzer
Your other core tool for addressing NERC CIP compliance is the Tripwire State Analyzer app. This tool gives you the possibility of adding automation for seven of the controls in the NERC CIP compliance framework. This turns a lot of work and difficult requirements into simple red and green reports.
It’s important to note that a lot of organizations won’t utilize automation for all of these controls. This depends on your organization’s needs and requirements. Your people and processes may not be organized to utilize this capability at the moment. Or maybe one of the controls is not a big focus for your organization’s compliance program.
Before implementing automation, it’s valuable to assess the manual processes that you have in place. Assess if and how these processes can be streamlined and if it would benefit from being automated. If automation makes sense, Tripwire Enterprise and the Tripwire State Analyzer app will help you implement it.
Phase 3: Additional Explicitly Required Controls
There are a handful of explicitly-required controls that are outside of what is covered by the Tripwire State Analyzer App. They are fairly easy to implement, such as rules about password length and complexity and OS/firmware versions. Implementing this will not change your processes and which views and reports you utilize—it builds on what you have already established.
Phase 4: Supporting Controls
By this point, you will have the groundwork set and will be up and running. From here, you’ll be getting more comfortable with using Tripwire solutions and feeling like you have a grasp on NERC CIP compliance for some of the toughest technical controls.
However, a question that you’ll want to ask yourself—before an auditor does—is, “How do I know that my technology is doing what it says it’s doing?” If you have an area of concern, you can leverage Tripwire Enterprise to monitor those configuration details in question. You can visualize the correct configuration of details with the same red and green charts for what you are already monitoring.
Attaining NERC CIP compliance is not an easy or linear path. Every organization has different priorities and requirements it needs to consider, which makes the road to success unique to each organization.
This is an overview of the NERC CIP Solution Maturity Model, but there are more ways to grow and expand beyond what is covered here. Tripwire is happy to work with you on building your strategy of achieving NERC CIP compliance and helping you develop the best approaches and practices to get you there. If you’d like to learn more about how you can use the NERC CIP Solution Maturity Model in your organization, reach out to your account executive or request a demo.