Cybersecurity regulations in the energy industry create a constantly evolving challenge to efficiently monitor, manage, and report on compliance activities. The NERC CIP Evidence Request Tool (ERT) is an effort to bring structure to the documentation of data and evidence for the benefit of both registered entities and regulators.
This article is an abridged version of a more comprehensive guide. It will cover high-level concepts and techniques to make NERC CIP ERT reporting easier.
Evolution of NERC CIP Standards & Requirements
NERC regulations have been in effect since 2007, with the goal of increasing the reliability of the Bulk Electric System. The NERC Critical Infrastructure Protection (CIP) family of standards addresses the cybersecurity needs of the industry. Today there are 13 mandatory CIP standards, the most recent addition becoming effective 7/1/2022.
In order to comply with the NERC CIP regulations, entities need to track extensive data. This data relates to people, processes, documents, and assets that are owned by or interact with the entity.
People include employees, contractors, vendors, supervisors, suppliers, and customers. They are privy to specific information and have access to certain assets. Their positions change, and they leave under various circumstances. Tracking people is critical to security.
Processes are important for ensuring that things are done in a controlled yet timely manner. Furthermore, processes require proper approval and documentation along the way.
Documents include policies, procedures, network diagrams, and many other types of information. The proper documentation and approvals are critical for compliance.
Assets can be electronic, physical, or information assets. They include facilities, substations, control centers, transmission lines, generators, computers, networks, OT equipment, Electronic Security Perimeters (ESPs), Physical Security Perimeters (PSPs), operating systems, software, firmware, patches, and more.
All of this data must be sourced, verified, reviewed, and cataloged. Much of it also carries a time element: employee date of hire, network access logs, commissioning of substations, firmware patch dates, and so on.
Regardless of source, this data must be readily available for regulators and auditors when they request it.
The NERC CIP ERT and the Role of Compliance Management Software
Today, the NERC CIP ERT is in use in all Regions. The ERT User Guide v6 provides detailed instructions on how to populate the worksheets therein.
The Level 1 data provides consistent information to the auditors that is then used to select sample sets for submission of Level 2 data.
Further, Level 2 data provides a deeper dive into the evidence related to the sample sets.
Version 6 of the ERT has:
12 mandatory worksheets, plus 1 optional worksheet of Level 1 data
57 different sample sets
78 Level 2 requests based on the sample sets
CIP data is found across all the networks, IT & OT systems, communications, devices, databases, spreadsheets, people, and more. Long before it is time to fill out the ERT, this raw data must be gathered.
Therefore, software automation of NERC CIP-related data collection can produce a resilient, adaptable cybersecurity ecosystem in which compliance reporting is a by-product rather than a separate effort. Automating data collection at the data source ensures that the data is obtained consistently and accurately. As a result, evidence can be tagged at collection time, creating uniformity for proper cataloging of data.
Furthermore, triggers in the automation process prevent missed compliance deadlines while providing visibility into the current state of compliance. Finally, automation improves efficiency and productivity and can result in considerable time savings.
Some examples of automation in NERC CIP compliance include:
Polling the network for asset lists and open ports
Querying assets for baseline information
Connecting to the HR system to get up-to-date employee information
Using a patch discovery service to obtain patch information
Document review scheduling and evidence collection tasks
Centralizing CIP data brings it all together so there is one consolidated way to view, access, and report on data and evidence. As a result of centralization, entities achieve substantial time savings preparing the ERT.
To start, review each Level 1 data worksheet in the ERT. Create checklists to ensure you:
Capture all applicable data and access to that data
Identify the parties responsible for generating and managing the data
Ensure source data matches NERC CIP ERT expectations
Determine where data is, access points, and permission levels
Set up the necessary levels of data mining
Next, study the applicable Level 2 Sample Set Evidence Requests, and perform similar checks.
Establishing the what, where, and who for each ERT data set and evidence request is essential to create a single source of truth to report from.
Unfortunately, many entities are familiar with the challenge of preparing reports with tools that don’t align with desired results. The struggle includes pulling data from those multiple sources, copying and pasting into the target spreadsheet, manually cleaning up the data, and cross referencing the data by hand. The NERC CIP ERT worsens those challenges without the right preparation.
Automating and centralizing data makes reporting a breeze. However, note that this data is dynamic, and changes during a given time period are equally important to account for.
Deeper down, Level 2 data also includes CIP training data, Personnel Risk Assessment (PRA) data, authorization evidence, termination and transfer data, access to Electronic Security Perimeters, Physical Security Perimeters, and BES Cyber System Information (BCSI) systems, and shared account access. Therefore, data may come from several sources within the entity (e.g. HR, the learning management system (LMS), PRA process records, etc.).
Finally, having a centralized system with CIP data being fed into it automatically helps establish controls on that data. It’s necessary to monitor for new, missing, or changed data and view, alert, and/or act on discrepancies.
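The automation examples above (querying assets for baseline information) and the control described here (monitoring centralized CIP data for new, missing, or changed items and alerting on discrepancies) share one core step: comparing the current state against the last recorded state. The script below is an added example, not code from the article or from AssurX, showing that comparison for configuration baselines. The snapshot format (asset identifier mapped to operating system, installed software as name/version pairs, and listening ports) and the sample asset data are constructed for illustration; a real deployment would populate the snapshots from the entity's own collection tooling and feed the findings to its review and alerting workflow.

```python
"""Baseline discrepancy detection for CIP asset data (added example).

Two snapshots of the same fleet are compared and every difference is
reported as a finding for review, so that unauthorized or undocumented
changes surface instead of being discovered during ERT preparation.
"""
from collections import Counter
from typing import Dict, List

# Constructed sample data (hypothetical assets, not real entity records).
# Each asset maps to: "os" (string), "software" (set of (name, version)),
# and "ports" (set of (port, protocol)).
PREVIOUS_SNAPSHOT: Dict[str, dict] = {
    "rtu-01": {
        "os": "VendorOS 4.2",
        "software": {("scada-agent", "1.8.0"), ("ntp-client", "2.1")},
        "ports": {(502, "tcp"), (22, "tcp")},
    },
    "hmi-01": {
        "os": "Windows Server 2019",
        "software": {("hmi-runtime", "11.3")},
        "ports": {(3389, "tcp"), (443, "tcp")},
    },
    "eap-firewall": {
        "os": "FirewallOS 9.1",
        "software": set(),
        "ports": {(443, "tcp")},
    },
}

CURRENT_SNAPSHOT: Dict[str, dict] = {
    "rtu-01": {  # software version changed and a new port is listening
        "os": "VendorOS 4.2",
        "software": {("scada-agent", "1.9.0"), ("ntp-client", "2.1")},
        "ports": {(502, "tcp"), (22, "tcp"), (23, "tcp")},
    },
    "hmi-01": {  # unchanged
        "os": "Windows Server 2019",
        "software": {("hmi-runtime", "11.3")},
        "ports": {(3389, "tcp"), (443, "tcp")},
    },
    "hmi-02": {  # asset not present in the previous snapshot
        "os": "Windows Server 2019",
        "software": {("hmi-runtime", "11.3")},
        "ports": {(443, "tcp")},
    },
    # "eap-firewall" is absent: it stopped reporting or was decommissioned
}


def _diff_versioned(asset: str, category: str, prev: set, cur: set) -> List[dict]:
    """Report added/removed/changed items for a set of (name, version) pairs.

    The same name with a different version is reported as one 'changed'
    finding rather than a removal plus an addition. Duplicate names within
    a single snapshot are collapsed to one entry (a limitation of dict()).
    """
    prev_by_name, cur_by_name = dict(prev), dict(cur)
    findings = []
    for name in sorted(set(prev_by_name) | set(cur_by_name)):
        pv, cv = prev_by_name.get(name), cur_by_name.get(name)
        if pv == cv:
            continue
        if pv is None:
            kind, detail = f"{category}_added", f"{name} {cv}"
        elif cv is None:
            kind, detail = f"{category}_removed", f"{name} {pv}"
        else:
            kind, detail = f"{category}_changed", f"{name} {pv} -> {cv}"
        findings.append({"asset": asset, "kind": kind, "detail": detail})
    return findings


def diff_baselines(previous: Dict[str, dict], current: Dict[str, dict]) -> List[dict]:
    """Return a list of findings describing every difference between snapshots."""
    findings: List[dict] = []
    prev_ids, cur_ids = set(previous), set(current)
    for asset in sorted(prev_ids - cur_ids):
        findings.append({"asset": asset, "kind": "missing_asset",
                         "detail": "present in previous snapshot only"})
    for asset in sorted(cur_ids - prev_ids):
        findings.append({"asset": asset, "kind": "new_asset",
                         "detail": "not in previous snapshot; needs authorization evidence"})
    for asset in sorted(prev_ids & cur_ids):
        p, c = previous[asset], current[asset]
        if p["os"] != c["os"]:
            findings.append({"asset": asset, "kind": "os_changed",
                             "detail": f"{p['os']} -> {c['os']}"})
        findings.extend(_diff_versioned(asset, "software", p["software"], c["software"]))
        for port, proto in sorted(c["ports"] - p["ports"]):
            findings.append({"asset": asset, "kind": "port_opened", "detail": f"{port}/{proto}"})
        for port, proto in sorted(p["ports"] - c["ports"]):
            findings.append({"asset": asset, "kind": "port_closed", "detail": f"{port}/{proto}"})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings by kind; useful as the headline of a discrepancy alert."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in diff_baselines(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT):
        print(f"{f['asset']:14} {f['kind']:18} {f['detail']}")
    print(summarize(diff_baselines(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT)))
```

Each finding is a record that can be routed to a review task: a `new_asset` or `port_opened` finding prompts a check that an authorized change request exists, while `missing_asset` points to either a decommissioning record or a collection failure to investigate. Running the comparison on every collection cycle and retaining the findings also produces the change history an auditor expects alongside the baseline itself.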
The NERC CIP ERT is a key feature of compliance audits and formalizes presentation of the data and evidence needed to convey compliance. The ERT will continue to be an integral part of NERC CIP audits for the foreseeable future. Without the right processes and technologies, the ERT can be a challenging exercise of data and evidence collection and reporting.
With foresight and attention to preparing an environment that automates and centralizes CIP data collection, ERT reporting becomes a quick, painless process. In addition, automation enables continual improvement of broader cybersecurity programs.
Kathryn Wagner is Vice President, Industry Solution, Energy & Utility Industry at AssurX. Kathryn has a decade of experience at AssurX working in complex environments in the utilities sector, helping customers implement solutions for NERC and other quality and compliance requirements. Kathryn is responsible for the development and evolution of product offerings for NERC compliance and related systems that focus on reliability and resilience.