June 6, 2024

Your job includes the responsibility for your NERC Compliance program for your local power company and you’ve just worked another 12-hour day getting ready for your upcoming audit. You are finally home and pull dinner out of the refrigerator, as your family ate hours ago, and you hear a text message come in on your work phone. Before you can even get to the phone to check your message, the phone rings and the call is coming from your boss. “Uh oh”, you think as you answer. She’s frantic on the other end and immediately asks, “Why didn’t we revoke access for Colin from the network team? I was doing a spot check, and they still have access to EVERYTHING and were terminated 3 weeks ago!” Uh oh, indeed.

Under NERC’s Access Management requirements, that employee should have had both physical and electronic access revoked within 24 hours of their termination. Additionally, the individual’s ability to use provisioned access to BES Cyber System Information (BCSI) is required to be revoked by the end of the next calendar day following the termination. No one told you, yet you are now the one who has to file a self-report, and who knows what the auditors will say about this mistake. This is one of the largest challenges of this standard: if there isn’t an automated process for Access Control, you are relying on spreadsheets and people to keep your utility compliant. If you’ve been in the NERC compliance space for long enough, you’ve certainly heard the excuse, “I didn’t know I was supposed to do that”. Not a good answer, and you are the one who will have to address this with the Regional Entity’s auditors, not the manager from IT who didn’t know they were supposed to notify the Compliance department about their employee being terminated.

The North American Electric Reliability Corporation (NERC) CIP-004 standard focuses on Access Control, both physical and electronic, for Critical Infrastructure within its secure environments. It also dictates personnel and training requirements to safeguard those critical cyber assets within electric utilities. Compliance with CIP-004 ensures that only authorized, well-trained personnel have access to critical infrastructure, reducing the risk of cyber and physical security breaches. However, managing compliance is complex, particularly in the dynamic environments of utilities. It never ends, and in the world of NERC Regional Entity audits you have to be perfect on your process, your documentation, and your efforts or face self-reports, findings, fines… or even worse, you make the news.

Let’s take a look at the problem and talk through the primary challenges in managing physical and cyber access, the difficulties of keeping up with training requirements, and the compounded complexity that arises when these two areas intersect.

Challenges with Managing Physical and Cyber Access

Role Changes and Access Management

When employees are reassigned or transferred, ensuring their access is updated promptly and accurately is critical. However, this is often managed manually using spreadsheets and is spread amongst departments, leading to errors and delays. For instance, if an employee who no longer needs access to critical systems isn’t promptly removed, it poses a security risk. The requirement to remove access by the end of the next calendar day after the determination that access is no longer necessary is a particularly challenging aspect of CIP-004 compliance and one that energy utilities struggle with on an ongoing basis. What if someone forgets to notify the Compliance department? Who, at the end of the day, is responsible for this mistake? You are!

Vendor and Contractor Access

Vendors and contractors add another layer of complexity. These individuals often need temporary access, which must be meticulously tracked and revoked once their engagement ends. A recurring problem is ensuring vendors have up-to-date training. For example, a vendor who completes necessary training, leaves, and then returns may need to redo their training to comply with current standards. Automating this process is essential to avoid lapses in compliance. What if your vendor doesn’t inform you that someone has retired? Who’s on the hook for this mistake? You are!

Communication Breakdowns

Effective access control requires robust communication across departments. For instance, if a manager forgets to inform the security team about an employee’s departure, the individual’s access may not be revoked in a timely manner. Regular reminders and audits are necessary to maintain compliance, but these measures are often resource-intensive and prone to human error.

Challenges with Managing Moving Targets on Training

Training requirements under CIP-004 are not static. They evolve with changes in personnel roles, emerging threats, and updates to regulatory standards.

Dynamic Training Needs

What if you are having a problem with your EMS (Energy Management System) and you call your EMS vendor for support? How do you ensure you only allow authorized access to your Critical Infrastructure and your Medium and High impact systems? Do you have this information in a spreadsheet that you’ll need to reference, or do you have an automated system that won’t allow access provisioning without all the required documentation and training? If you are still doing this manually, is there a better way? There sure is.

Utilities must ensure that all personnel receive initial and ongoing training tailored to their roles. This includes security awareness, specific technical skills, and an understanding of access control protocols. Training must be refreshed regularly, typically on an annual basis, and updated to address new security threats and regulatory changes. This constant need for updated training makes it difficult to maintain consistent compliance. Who is responsible for ensuring all required training is completed and their PRA (Personal Risk Assessment) is still valid? I think you’re getting the point.

Handling Absences and Returns

Personnel who take extended leave, such as maternity leave, pose another challenge. Upon their return, they must quickly catch up on any missed training to regain access. This can create bottlenecks and compliance risks if not managed efficiently. Additionally, the timing of training requirements, such as those triggered by role changes or new access needs, can lead to significant administrative burdens.

Vendor and Contractor Training

Vendors and contractors often require specific training to access critical infrastructure. Managing these requirements is complex, especially for vendors who periodically return. Ensuring their training is current every time they need access is crucial for compliance. Automating these training triggers and integrating them into access management systems can help mitigate these challenges.

When Access and Training Challenges Combine

The intersection of access control and training requirements creates “two challenges in one” for maintaining your NERC CIP-004 Compliance program. We’ve talked a lot about the problem. What about the solution?

Automated Triggers and Workflow Integration

One way is to automate triggers for training based on access changes. For example, if a vendor needs access to a critical system, the system can automatically check whether their training is current and only grant access if it is. Similarly, access change requests should not proceed until required training is verified as up-to-date. This integration and automation ensure compliance while reducing the administrative burden on staff.

Timely Access Revocations

Promptly revoking access for terminated employees or those changing roles is critical. However, the requirement to revoke access within 24 hours of the decision adds pressure to already complex processes. Effective internal controls and automated systems are essential to manage this without relying on error-prone manual processes. In conversations on this topic, the 24-hour access revocation consistently tops the list of the most difficult pieces of CIP-004 to manage. Does your NERC Compliance program have the Internal Controls baked into your process to ensure you are perfect every single time? Is there room for improvement in automating these tasks and workflows and, at the same time, documenting every step of the way?
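The two controls described above, a provisioning gate that refuses access unless training and the PRA are current, and a revocation check against the 24-hour and end-of-next-calendar-day deadlines, as an added Python example that is not part of the original post or of any AssurX product. It assumes naive local timestamps, a 365-day training interval, and a `pra_valid_until` date supplied by HR records; the sample termination record is constructed to match the opening scenario.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Deadlines as stated in the post. Timestamps are assumed to be naive local time.
ACCESS_REVOKE_WINDOW = timedelta(hours=24)   # physical/electronic access after termination
TRAINING_INTERVAL = timedelta(days=365)      # annual refresher (assumed to be 365 days)

@dataclass
class Person:
    name: str
    last_training: date          # most recent CIP-004 training completion
    pra_valid_until: date        # PRA expiry date (assumed field from HR records)

def provisioning_allowed(p: Person, today: date) -> tuple[bool, list[str]]:
    """Gate an access request: grant only if training is current and the PRA is valid."""
    reasons = []
    if today - p.last_training > TRAINING_INTERVAL:
        reasons.append(f"{p.name}: training expired")
    if today > p.pra_valid_until:
        reasons.append(f"{p.name}: PRA expired")
    return (not reasons, reasons)

def end_of_next_calendar_day(t: datetime) -> datetime:
    """BCSI deadline: the last instant of the calendar day after the termination."""
    return datetime.combine(t.date() + timedelta(days=1), datetime.max.time())

def _late(label: str, deadline: datetime, revoked: Optional[datetime], now: datetime) -> Optional[str]:
    """One finding string if the deadline was (or is being) missed, else None."""
    if revoked is None and now > deadline:
        return f"{label} still active; deadline {deadline:%Y-%m-%d %H:%M} missed"
    if revoked is not None and revoked > deadline:
        return f"{label} revoked late at {revoked:%Y-%m-%d %H:%M} (deadline {deadline:%Y-%m-%d %H:%M})"
    return None

def revocation_findings(terminated: datetime, access_revoked: Optional[datetime],
                        bcsi_revoked: Optional[datetime], now: datetime) -> list[str]:
    """CIP-004 revocation check for one termination; an empty list means no breach."""
    checks = [
        _late("physical/electronic access", terminated + ACCESS_REVOKE_WINDOW, access_revoked, now),
        _late("BCSI access", end_of_next_calendar_day(terminated), bcsi_revoked, now),
    ]
    return [c for c in checks if c]

if __name__ == "__main__":
    # Constructed sample: the termination from the opening of the post, still unrevoked.
    now = datetime(2024, 6, 6, 19, 0)
    colin_terminated = now - timedelta(weeks=3)
    for finding in revocation_findings(colin_terminated, None, None, now):
        print(finding)
```

Running the script prints two findings for the sample record, one per deadline; wiring the same functions into a ticketing or IAM workflow turns them into the automated trigger the section describes.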

Communication and Documentation

Ensuring clear communication and thorough documentation across departments is not just vital, it is required. Access logs, training records, and compliance documentation must be maintained meticulously to withstand audits. For instance, documenting the completion of training and the revocation of access in a centralized system can help utilities demonstrate compliance during NERC audits.

Conclusion

To quote a former CIP-004 Compliance SME, “CIP-004 requires a lot of communication amongst departments,” which is an understatement. Typically, the larger the entity, the more challenging it is to manage your Access Control program.

We’ve seen that the most successful audits in electric utilities are ones where your Internal Controls safeguard your compliance efforts through automation, tailored workflows, and integration with all your critical systems, and where the many departments communicate effectively to ensure perfection. With NERC, you have to be perfect 100% of the time, and the auditors can go back years and look under any rock for a mistake.

Navigating NERC CIP-004 compliance involves tackling the dual challenges of managing access control and training requirements. The complexity of these tasks increases when they intersect, requiring utilities to adopt automated solutions and robust internal controls. By integrating training triggers into access management workflows and ensuring timely revocations and comprehensive documentation, utilities can better manage compliance and protect critical infrastructure.

Join us for our upcoming webinar, where we will dive deeper into these challenges and discuss practical solutions to streamline CIP-004 compliance in your organization. Can you automate the process? Absolutely. Can we show you how? Sure can. See you on June 27!

About the Author

Scott Crow is the Senior Business Systems Strategist – Energy & Utilities at AssurX. Scott has a proven track record of delivering successful IT/OT solutions that solve the challenges of cyber security for Critical Infrastructure. He is passionate about bringing better ways of solving business problems through innovation to the marketplace and specializes in the intersection of people, technology and process.