NERC CIP Version 5 Compliance: Internal Controls or Executive Blinders

NERC CIP Version 5 Compliance: Internal Controls or Executive Blinders

NERC CIP Version 5 internal controls.

A few significant events occurred this week related to NERC CIP compliance that should not go unnoticed. Yesterday on July 1st, Version 5 of the NERC Critical Infrastructure Protection (CIP) quietly went into effect. Version 5 encompasses the most comprehensive updates since the standards launched in 2008. For some achieving Version 5 compliance may be a lengthy process. However, most executives appear confident they already are.

According to a survey published this week by Tripwire, 86% of energy security professionals believe they detect breaches in less than a week. The article points out in spite of the confidence the average time to detect threats is 205 days. As a paradox, it points out the Ponemon Institute last year reported in many cases security professionals never speak to company executives. Tripwire postulates a population of uninformed executives explains the high level of confidence.

NERC CIP Version 5 Standards Change

There are several noteworthy changes to old NERC CIP standards emphasizing security and awareness over compliance. The new standards create substantial changes in how assets are identified. Two new standards to CIP protocols are added. New incident reporting and response planning requirements are in effect. The new standards come at a time when attacks on energy facilities have increased by 380% since 2010 and NERC has assessed $150 million in fines for noncompliance.

Version 5 requires all BES generating facilities implement security policies that address security awareness, physical security, remote access connections, and incident response. The updated NERC CIP requires classifying all cyber systems. The new standards merge the risk management functions of a facility’s operational assets with its IT assets.

The new standards are intended to detect unauthorized modification of BES cyber systems while establishing vulnerability assessment requirements. The new incident reporting and response planning requirements requires entities organizations to report cyber security incidents within an hour of recognition.

The NERC CIP 5 requires facilities to promote security awareness and reinforce precautions by taking the following actions:

CIP-003-5: raises cyber security awareness for physical security controls, electronic access controls and incident response.

CIP-004-5: enhances security through cyber security training, personnel risk assessment, access management, and visitor control.

CIP-006-5: protects BES cyber systems against compromise, mis-operation or instability.

CIP-007-5: protects BES cyber systems against compromises leading to mis-operation or instability of the BES.

CIP-010-11: consolidates the configuration and change management and information protection requirements.

Security First Internal Controls and Compliance

Being compliant does not make you secure. Compliance should be a byproduct of a holistic security program. Security represents the actions you take against threats. Compliance takes a “check box” approach to mitigating threats. Internal controls address NERC reliability standards. Internal controls are not an absolute guarantee of compliance. They provide compliance reporting along with the ability to monitor, identify, assess, and take corrective action.

Control activities may be preventive, detective, and corrective. Preventive controls discourage noncompliance by enforcing reliability standards. They are proactive controls that help ensure compliance objectives. Detective controls find errors or irregularities and support compliance. Corrective controls assess instances of noncompliance and return systems to a state of compliance. Continuous compliance needs to be an ongoing organizational objective. Internal controls encompass compliance operations in the execution of company’s security objectives.

Internal control activities ensure management policies and procedures are carried out. These activities incorporate on boarding, approvals, verifications, asset security and SOD. They are geared toward operations, reporting and compliance.

They are not merely about policy. They include people, their roles, and the actions they take. Internal controls are classified as Preventative, Detective and Correct.

Identity and access management (IAM) provides internal controls for all three occurrences in the following ways:

  • Preventative Controls: Limit the number of events by reducing risks before occurrence by automating on boarding, transfers, terminations, and multifactor authentication.
  • Detective controls: Discover events and reduce risks during a compromise by receiving alerts to unusual activities, privileges, trends, orphaned accounts, and requests.
  • Corrective controls: Address risks after a security breach is discovered. Terminating access in real time. Normalize already existing roles and privileges when new policies and procedures are rolled out.

Internal controls help assess risks, track policies and procedures, and generate reports for audits. They should also help you identify security gaps between your current processes and the new NERC CIP standards.

The new NERC CIP standards increase the need for electric generating facilities to deploy automated internal controls to maintain compliance and ensure security. Identity management internal controls provide tools to manage, measure and report operational risks and compliance. They provide an efficient method to prevent, detect, analyze, and correct actions. For the surveyed companies deploying identity management internal controls, I respect their confidence.

BP_access-governanceGet Your Free Top 10 Access Governance Best Practices Workbook

Learn the top 10 Access Governance Best Practices for successful implementations from experts. Sidestep the challenges that can derail GRC software and compliance management projects.

Request the Workbook

Written by Thomas Edgerton

Thomas Edgerton, Avatier's MVP award-winning Market Analyst and Performance Consultant in information technology, IT security, instructional technology and human factors, blogs on topics ranging from leadership to national security, innovation and deconstructing the future.​