NERC CIP v5 is Coming; Get Ready

Wednesday, January 16, 2013 @ 06:01 PM gHale

By Jacob Kitchel
It’s official: NERC CIP version 5 (v5) is on schedule to gain approval this April by FERC (Federal Energy Regulatory Commission).

Over the years, NERC (North American Electric Reliability Corporation) CIP (Critical Infrastructure Protection) has provided compliance regulations that stretch across the electric industry. Although NERC is a moderately young organization, the most recent version (version 4) extended its reach to additional organizations across the electric sector, including nuclear facilities. The regulations in v5 will influence the compliance process for all critical assets under the NERC CIP umbrella.

RELATED STORIES
ID, Protect Critical Cyber Assets
Compliance Program Growing Pains
Industrial Defender in Disaster Recovery Pact
Security First; Not in Smart Grid

In the past, NERC has hinted v5 will be an update with more stringent regulations, leading to a less flexible interpretation of requirements. Now that NERC CIP v5 has entered the final approval stage with FERC, many are wondering: What makes v5 different from the previous versions of NERC CIP and how can you get ready after it gains approval in April 2013?

What’s New?
The main change in NERC CIP v5 comes in a major shift of priorities; the regulation will primarily focus on improving security posture, instead of focusing only on compliance. This move from compliance to security signals a turning point in NERC CIP regulations. Although being in compliance is a key step in securing an organization, it often leaves large and problematic security gaps. Version 5 aims to combine compliance and security through the goal of achieving compliance through security.

NERC CIP v5 will reinforce and expand the focus on change management and monitoring. As a result, an entire section within v5 is dedicated to defining the change management requirements. When operators begin implementing change management procedures, they ensure their organization is effectively managing and controlling all of the various assets within the critical environments.

One area of potential confusion lies with the “high,” “medium” and “low” classifications. These classifications refer to critical asset classifications rather than any particular cyber asset. The classification of a critical asset into “high,” “medium” or “low” will determine the extent to which an asset owner must meet compliance regulations. For example, CIP-010-1 R1 parts 1.1-1.4 applies to high impact Bulk Electric System (BES) Cyber Systems and medium impact BES Cyber Systems, while CIP-010-1 part 1.5 only applies to high impact BES Cyber Systems. There are no parts of CIP-010-1 R1 that require low impact BES Cyber Systems to take action.

A second area to note is the switch from “Critical Cyber Assets” to “BES Cyber Systems.” According to NERC CIP v5, a BES Cyber System is “a grouping of Critical Cyber Assets.” This shift in terminology allows asset owners to apply security measures to a system as a whole, rather than individual assets. This allows for greater flexibility in the application of controls. For example, malware protection may apply to a grouping of assets, rather than all individual assets.

Need for NERC CIP v5
NERC CIP v5 seeks to address the ever-increasing threat landscape while providing a reasonable level of security and compliance in critical infrastructures. The critical infrastructure environment is rapidly growing in connectivity and complexity, which demands additional resources to meet security and compliance requirements. As more technical resources need to meet compliance and security measures, organizations must invest in solutions that automate the data collection of this process.

To be in compliance, organizations must take all necessary steps to follow NERC CIP v5 regulations. Gathering compliance documentation once or twice a year is not a feasible approach to complying with NERC CIP. The process can become extremely costly and time intensive. Often, it is possible to miss security issues and data collection inconsistencies arise when conducting tasks manually. When these mistakes happen, operators must go back and restart the manual process from the beginning, costing the organization valuable time and resources. Automation solutions enable operators to collect data and produce comprehensive reports quickly and easily, providing analysis on the security strengths and weaknesses within the organization. Approaching security with automation reduces human error and allows for issues to be found and remediated immediately – as opposed to starting the process over manually.

How to Ready for v5
The most important date in this process is January 1, 2013. In order to be prepared well in advance of an audit, operators must begin addressing v5 regulations and searching for an automation solution at the start of the New Year. Below is a list of steps and milestones that ICS professionals must be aware of in order to adhere to v5:

Step One: Start evaluating the new regulations outlined in NERC CIP v5 on January 1, 2013. Organizations need an approximate time span of one and a half years (July 2014) to begin the process of security and compliance evaluations, sales, implementation and operationalization lifecycle. Below is a detailed timeline of all the necessary action items operators must complete in order to comply with NERC CIP v5 by the effective date of July 2015.

Pre-evaluation (Approximately takes three months)
• Identify stakeholders in a security, compliance and change management solution
• Differentiate what tasks are needed for a successful implementation
• Classify which requirements and features contribute to a successful implementation
Evaluation (Approximately takes three months)
• Investigate three possible vendor solutions
• Determine which vendor provides the widest scope of coverage from an asset perspective (for example: Vendor X covers 85% of the organization’s critical cyber assets)
• Establish which vendor makes the data collection, analysis, storage, documentation and reporting the easiest
• Prioritize working with vendors who are willing to run a small scale proof of concept project with your organization

Sales (Approximately takes three months)
• Implement proof of concept project to verify the chosen solution’s efficacy
• Verify data collection, analysis, documentation and reporting capabilities
• Identify production roll-out requirements (for example: time, resources and consulting services)

Implementation (Approximately takes four and a half months)
• Roll out production implementation in stages
• Prioritize the roll out to maximize breadth of coverage

Operationalize (Approximately takes four and a half months)
• Update procedures based on the chosen solution
• Schedule employee trainings to learn the new solution
• Verify that procedures deliver the desired and necessary results
• Integrate the solution into daily, weekly, monthly, and annual activities

Step Two: The presumed date of approval for NERC CIP v5 is April 1, 2013. Once v5 is approved, it will be adopted into law and considered the new standard for security and compliance within the utilities industry.

Step Three: Organizations must be “auditably compliant” by July 2014. This means they must have already fully implemented an automation solution and begun the collection of CIP compliance documentation. In the event that an organization is audited, operators must have already gathered at least one year’s worth of data proving compliance with v5 regulations. Only with this extensive amount of data and proof of compliance will an organization be able to pass a NERC audit. Point by point, operators need to:
1. Begin collecting NERC CIP v5 audit documentation
2. Ensure the timely completion of compliance requirements; pay special attention to daily, weekly, monthly, quarterly and annual time requirements
3. Review audit documentation collection methods on a quarterly basis to check for gaps
4. Integrate any gaps into the audit documentation processes

Step Four: The effective date of v5 is July 1, 2015. From this date on, anyone under NERC CIP can be audited with v5. Operators must have compliance data gathered in preparation of a NERC audit.

Version 5 compliance is not something that can be achieved overnight by a manual effort. It will remain important for organizations to leverage automated solutions that support NERC CIP v5 and adhere to the compliance regulations on an ongoing, consistent basis. These automated tools help reduce risk exposures on critical cyber assets, while providing operators with the tools to effectively manage their increasingly complex environments.

Jacob Kitchel is senior manager of security and compliance responsible for security and compliance strategy across Industrial Defender’s products.