September 20, 2023

According to the North American Electric Reliability Corporation (NERC), CIP standards accounted for seven of the ten most frequently violated standards at serious or moderate risk in 2022.

The three standards with the most violations were CIP-007, CIP-010, and CIP-004, with 200 violations between them. Each of these standards contains thousands of opportunities to miss a compliance-related event or piece of documentation.

Within any single requirement there are hundreds of similar opportunities, especially when utilities track compliance in spreadsheets. This article details some of the most common challenges with these frequently violated standards and how automation can help utilities reduce risk.


CIP-007: Cyber Security – System Security Management

CIP-007 accounted for the lion’s share of serious and moderate risk NERC noncompliance filings in 2022, 108 in total. The standard requires that you inventory, control, monitor, and keep current several aspects of every in-scope asset: enabled ports and services, security patches, malicious code prevention, security event monitoring, and system access controls. With dozens, hundreds, or even thousands of such items per asset, the volume of data to track and act on is staggering, and every manual step in handling it adds risk of noncompliance.

A number of challenges related to manual tracking contribute to the high number of noncompliance reported for this standard, including:

  • A lack of escalations and reminders increases the risk of missing compliance dates, such as the 35-calendar-day window for patch evaluation or the 15-calendar-day window for reviewing security event logs.
  • Decentralized validation and implementation evidence is hard to track, doubling or even tripling the effort required for annual certifications or audit preparation.
  • Manual controls for patch evaluation, approval, installation, and mitigation are error-prone and hard to prove, especially given the large number of patches that utilities must document.

An automated NERC compliance management system simplifies these processes with the ability to:

  • Import daily baselines into the platform and catalog them automatically via API integration with a baseline tool to save time on evidence collection
  • Use time-initiated workflows to remind SMEs to evaluate security patches, with automated escalations as deadlines approach acting as a failsafe
  • Provide patch-related evidence such as patch evaluation date, approvals, mitigation plans, and digital signatures

These functions remove much of the human error behind NERC compliance violations and let utilities hand auditors concise, easily accessed evidence. They also save significant time, so SMEs can focus on higher-level activities. Automating patch management alone, for example, can save up to two hours per month per asset.

CIP-010: Cyber Security – Configuration Change Management and Vulnerability Assessments

CIP-010 accounted for 55 of the serious and moderate risk NERC noncompliance filings in 2022. The standard focuses on preventing unauthorized changes to the environment, including changes introduced through transient cyber assets (TCAs) and removable media. Here again, many violations trace back to manual tracking processes, which obstruct compliance in several ways:

  • Spreadsheet-based tracking doesn’t provide a mechanism for warning teams of unauthorized changes to the environment.
  • Decentralized evidence around change management complicates the change process and limits the effectiveness of internal controls.
  • Authorizations and escalations are difficult to track manually and can lead to missed compliance dates.
  • Verification and documentation of software source identity and software integrity before a baseline change (CIP-010 R1 Part 1.6, a requirement added in 2020) can easily be missed.

NERC compliance management software addresses these challenges, providing a built-in change management process with:

  • Automatic escalations, plus evidence collection and tagging for the CIP-005 and CIP-007 controls that must be verified after a change
  • Streamlined testing of software identity and integrity validation, with evidence collection in both test and production environments
  • Time-initiated vulnerability assessments, workflows, and automated evidence collection, ensuring they are performed on time
  • Automated workflows to track all data, all documentation, and any approvals necessary in the asset change process

This last piece is especially important, with many utilities struggling to stay on top of all configuration changes in their distributed, varied environments.
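Of the CIP-010 items above, software identity and integrity verification (R1 Part 1.6) is the one that is a technical control rather than a tracking problem, so it is worth showing what the evidence behind it looks like. The following Python is an added example, not code from this article or from AssurX: it checks that a downloaded artifact came from an approved vendor host, compares its SHA-256 against the vendor-published digest (accepting the common "sha256:" and ".sha256 file" formats), and emits an evidence record that could be attached to a change ticket. The hostnames, artifact bytes and published hash are constructed for the demonstration.

```python
"""Added example: software source identity and integrity check before a
baseline change (in the spirit of CIP-010 R1 Part 1.6). Illustrative only;
the approved hosts, artifact bytes and vendor digest are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Hypothetical allowlist of vendor download hosts (identity of the source).
APPROVED_SOURCES = {"downloads.example-vendor.com", "patches.example-vendor.com"}


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA-256 of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def normalise_digest(published: str) -> str:
    """Accept 'sha256:ABC...', 'abc...  file.bin' (a .sha256 file line) or
    plain hex; return lowercase hex or raise ValueError if it is not SHA-256."""
    value = published.strip()
    if value.lower().startswith("sha256:"):
        value = value[len("sha256:"):]
    parts = value.split()
    if not parts:
        raise ValueError("published digest is empty")
    value = parts[0].lower()  # drop a trailing filename if present
    if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("published digest is not a 64-character hex SHA-256")
    return value


def source_is_approved(url: str) -> bool:
    """Source identity: HTTPS from a host on the allowlist."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in APPROVED_SOURCES


def verify_artifact(name: str, data: bytes, source_url: str, published_digest: str) -> dict:
    """Return an evidence record for the change ticket. The overall result is
    PASS only when both the source identity and the integrity check pass."""
    observed = sha256_hex(data)
    identity_ok = source_is_approved(source_url)
    try:
        expected = normalise_digest(published_digest)
        # compare_digest is constant-time; harmless offline, the right habit
        # when the same check runs inside a service.
        integrity_ok = hmac.compare_digest(observed, expected)
    except ValueError:
        expected, integrity_ok = None, False
    return {
        "artifact": name,
        "source_url": source_url,
        "source_identity": "PASS" if identity_ok else "FAIL",
        "algorithm": "sha256",
        "expected": expected,
        "observed": observed,
        "integrity": "PASS" if integrity_ok else "FAIL",
        "result": "PASS" if (identity_ok and integrity_ok) else "FAIL",
        "checked_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    # Constructed artifact standing in for a downloaded firmware or patch file.
    artifact = b"relay-firmware-4.2.1\x00" + bytes(range(256))
    vendor_hash = "SHA256:" + sha256_hex(artifact).upper()  # vendor-style listing
    url = "https://downloads.example-vendor.com/fw/4.2.1.bin"
    good = verify_artifact("relay-firmware-4.2.1.bin", artifact, url, vendor_hash)
    tampered = verify_artifact("relay-firmware-4.2.1.bin", artifact + b"\x00", url, vendor_hash)
    mirror = verify_artifact("relay-firmware-4.2.1.bin", artifact,
                             "http://mirror.example.net/fw/4.2.1.bin", vendor_hash)
    for record in (good, tampered, mirror):
        print(json.dumps(record, indent=2))
```

The record deliberately stores both the expected and observed digests and a UTC timestamp, so that an auditor can reproduce the comparison later rather than take a bare "verified" flag on trust; a compliance platform would attach this record to the change ticket it tags for CIP-010.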

CIP-004: Cyber Security – Personnel & Training

In 2022, entities filed 37 instances of serious and moderate risk noncompliance under CIP-004. Here many utilities struggle both to ensure that every prerequisite has been met before granting access and to meet the time-based requirements for revoking it.

Prerequisites often missed before granting access include completion of background checks, personnel risk assessments, and cyber security awareness training.

CIP-004 also imposes strict time limits on revoking access, including revocation of certain types of access within 24 hours of a termination action. Again, the core challenge is that manual tracking is decentralized, making it hard to collect evidence and approvals when access is granted or revoked, and the absence of escalations means deadlines under CIP-004 R5 can be missed.

Automating the access management process solves these problems by blocking access until the prerequisites are met: the workflow cannot advance until the evidence for each requirement is attached. SMEs receive reminders of compliance dates and activities, with notifications escalated to management if those activities are not completed. Integration with third-party software automates evidence collection and tagging for access grants and revocations.

All in all, these functions dramatically reduce the time required to gather evidence while providing a single system of record for all compliance-related evidence, workflows, and access change tickets.

Conclusion

Repetitive compliance activities involving spreadsheet-based tracking are ripe for human error. With hundreds—or even thousands—of opportunities for compliance tasks to fall through the cracks, utilities need a better system for staying on top of NERC obligations.

An automated NERC compliance management system standardizes evidence collection to minimize compliance gaps, with escalations and periodic reminders providing an added failsafe to ensure organizations meet requirements. In the end, this also means SMEs can spend more time monitoring internal controls and validating that the evidence meets security objectives—the very essence of compliance.


About the Author

Kathryn Wagner is Vice President, Industry Solutions, Energy & Utilities at AssurX. Kathryn brings more than 25 years of experience in manufacturing systems integration and compliance while being responsible for the development and evolution of product offerings for NERC compliance and related systems that focus on reliability and resilience.