
Encari offers diverse consulting services to assist Responsible Entities through the complete cycle of compliance with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards.

Provided herein is a concise distillation of our prevalent service offerings. Rather than inundating you with voluminous information, our hope is one of our offerings highlighted below will overlap with an aspect of your current general information security or NERC CIP compliance needs and motivate you to pursue additional correspondence with us.



Compliance Document Management

Complying with the NERC CIP Reliability Standards – as well as with the other NERC standards – requires managing an extensive amount of documents and records.  Documents are often the sole evidence of compliance; their classification, security, retention and retrieval are critical, as prescribed by the NERC CIP Reliability Standards. Penalties could easily result from poor document management.

Rather than rush out to choose and implement a full document management system, we recommend walking before you run.  Encari’s consultants will first work with you to identify functional requirements aligned with the NERC CIP Reliability Standards and will help align or design your manual and automated processes to meet the necessary functional requirements.

If you do require an automated document management system, we can provide our vendor-neutral expertise to help you identify the best system for your needs.  And rather than implement new processes to fit the new system, we can help you leverage your existing processes to lower both the cost and the time required for implementation.

 
Security Training for CIP-004, R2 Compliance

Requirement 2 of CIP-004 mandates an annual cyber security training program for personnel who have cyber or physical access to critical cyber assets.  The training needs to include the following:

  • Proper use of critical cyber assets.
  • Physical and electronic access controls to critical cyber assets.
  • Proper handling of critical cyber asset information.
  • Recovery plans and procedures for critical cyber assets following a cyber security incident.

Encari can provide this training either as online courses, which you deliver through your LMS or using our online service, or as onsite classroom courses.

In addition to specific CIP-004 R2 training, Encari also offers more general security training focusing on security operations specifically applicable to particular roles within your organization.  These roles include generator, transmission and dispatch operators, system administrators, EMS engineers, field engineers, compliance personnel, and other roles.

 
NERC CIP Cyber Vulnerability Assessments

Your organization may have conducted cyber security vulnerability assessments for years.  Or maybe you are considering executing your first cyber security vulnerability assessment in order to comply with the NERC CIP Reliability Standards.  In either case, you are probably wondering, “What kind of cyber security vulnerability assessment do I need to conduct in order to comply with requirements CIP-005, R4 and CIP-007, R8?”

CIP-005, R4 and CIP-007, R8 clearly indicate the scope of required cyber security vulnerability assessments.  But executing the activities required to comply with these requirements is far from simple, as elaborated upon below:

  1. Only ports and services required for operations should be enabled.  This may sound straightforward until you ask two questions:
    1. How do you discover which ports and services are enabled?  On your corporate network, the answer is easy; you use an automated port scanning tool.  However, using such a tool brings with it the risk of causing system outages.  Can you introduce the risk of causing system outages on your DCS and / or SCADA network(s) by using a port scanning tool?  Fortunately, Encari has alternatives to using port scanning tools in order to comply with these requirements.
    2. How do you know specifically which ports and services are required for operations?  In the ideal world you have, for every critical and non-critical cyber asset within your ESP(s) and / or ESP access point(s), a list of the services the cyber asset provides and the exact ports required to be open for each service.  And you have established the procedures necessary to ensure this list of ports and services is updated as soon as any change is made.  If you are currently operating with any insufficiencies in this regard, Encari can provide the expertise required to bridge the existing gaps and help you establish and maintain an ongoing compliant cyber security vulnerability assessment program.
  2. A review of controls for default accounts and passwords.  These may already be well identified and documented, or they may require a significant effort to identify and address accordingly.
  3. Discovery of all ESP access points.  Again, while the use of automated scanning tools would be ideal for accomplishing this task on your corporate network, a similar approach likely will not be viable for your DCS and / or SCADA network(s).
  4. An action plan to remediate or mitigate vulnerabilities.  You must determine for each encountered vulnerability whether the vulnerability may be remediated or mitigated, and you must develop an action plan to implement your decision without detrimentally interfering with system operations.

Encari can help you develop or refine and execute your NERC CIP cyber security vulnerability assessment program.  We are very experienced in navigating all of these issues to provide your organization with thorough and actionable results.  These results will enable you both to remain NERC CIP compliant and to improve the security posture of your DCS and / or SCADA networks.

Please note: Besides conducting the NERC CIP vulnerability assessment, Encari will be pleased to help your organization prepare to conduct future vulnerability assessments on your own.  We can help you install and learn to use a variety of open-source or low-cost assessment tools, and your staff members can look “over our shoulder” as we conduct the manual aspects of the assessment.

 
Sustainable NERC CIP Compliance Review

Congratulations, your organization has certified compliance with some or all of the 41 requirements of the NERC CIP-002 through CIP-009 Reliability Standards!  But what happens now?  You probably realize that maintaining compliance with the NERC CIP Reliability Standards requires substantial effort; unlike the effort to attain compliance, sustainment efforts will continue indefinitely.  Literally every day, maintaining NERC CIP compliance requires your organization to engage in ongoing monitoring, documenting, and assessing and re-assessing, each of which potentially inflicts a significant burden on your staff.

As you certainly realize by now, the foundation of NERC CIP compliance is processes and procedures; up to this point, you focused your compliance efforts on developing and implementing these processes and procedures.  And while these processes and procedures did meet the criteria for compliance, are they really optimal for your organization?  Will maintaining these processes and procedures place as much, if not more of a burden on you as the compliance effort itself did?  If so, you have only two choices, neither of which is good: suffer the burden of suboptimal processes and procedures or become non-compliant.

This is why Encari is now focused on assisting Responsible Entities with achieving sustainable NERC CIP compliance.  Our consultants have many years of experience both implementing and maintaining cyber security processes and procedures for electric utilities, generation companies, manufacturers, financial institutions, government agencies, and more.  Encari can conduct a NERC CIP compliance sustainment review whose primary aim is to maximize assurance that your organization will maintain NERC CIP compliance, and whose secondary aim is to identify opportunities for your organization to save time and money by enhancing current compliance processes and procedures and by achieving varying levels of automation through the use of commercially available security technologies.

 
Ports and Services Identification
NERC CIP Reliability Standards CIP-005, CIP-006 and CIP-007 require that ports and services on certain devices be disabled if not required for “normal and emergency operations.”  The devices to which this applies include:
  • Critical cyber assets (CCAs) within an electronic security perimeter (ESP).
  • Access points to the ESP(s).
  • Cyber assets used in access control and monitoring of the ESP(s).
  • Cyber assets used in the access control and monitoring of the physical security perimeter (PSP).

This may at first glance seem like an easy thing to do, but many NERC-registered entities indicate that ports and services identification is among the most challenging aspects of achieving NERC CIP compliance.  This is because determining why a particular port or service has been enabled on a cyber asset, and whether it should still be enabled, is very difficult in many cases.  This process becomes even more difficult due to the fact that production systems – such as SCADA and DCS servers – should never be scanned for open ports using automated tools (like those regularly used on IT networks) due to the considerable risk of degrading or disabling the system.

Encari’s consultants have many years of experience in identifying and disabling unnecessary ports and services on industrial control systems.  Our consultants will:

  1. Identify open ports and services using a variety of software tools that do not risk degrading or disabling the system, as well as using purely “manual” methods.
  2. Verify, for each open port or service, the process(es) or system(s) that require it to be open.  This may require reviewing network or system documentation, interviewing system owners, contacting vendors, etc.
  3. For those ports and services that are in use, confirm that the processes or systems using them are authorized and required by normal or emergency operations.
  4. For ports or services whose use is required neither by normal nor emergency operations, develop with the client an appropriate procedure for disabling them, while testing to ensure that required processes or systems are not impacted.
  5. For cases in which a port or service cannot be disabled due to technical limitations, identify compensating measures to mitigate risk exposure, as required by the NERC CIP Reliability Standards.
  6. Document all of the above procedures because the NERC CIP Reliability Standards (as well as good security practices) require that they be performed on a regular basis.
  7. Provide knowledge transfer to clients' staff members so they may apply these tools and procedures on an ongoing basis in the future, independently of external assistance.
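One way to carry out steps 1 and 2 above without active scanning, and to keep the documented per-asset list of required ports and services that the vulnerability assessment section calls for, shown as an added example that is not Encari's code or method: a listener inventory gathered on the host itself (constructed `ss -tulpn` output for a hypothetical asset "ems-hist-01") is compared against a constructed baseline, so nothing is probed over the network, and every listener ends up either authorized, unexplained (justify, disable, or cover with compensating measures), or missing (the baseline is stale).

```python
import re

# Constructed baseline for a hypothetical asset "ems-hist-01":
# (protocol, port) -> the service and its documented operational need.
BASELINE = {
    ("tcp", 22):    ("sshd",     "normal: remote administration"),
    ("tcp", 502):   ("modbusd",  "normal: Modbus/TCP polling of RTUs"),
    ("udp", 161):   ("snmpd",    "normal: read-only monitoring"),
    ("tcp", 5432):  ("postgres", "normal: historian DB, loopback only"),
    ("tcp", 20000): ("dnp3d",    "emergency: DNP3 backup path"),
}

# Constructed `ss -tulpn` output gathered on the host itself (no scan).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=900,fd=6))
tcp   LISTEN 0      128    0.0.0.0:502        0.0.0.0:*         users:(("modbusd",pid=1203,fd=4))
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=777,fd=3))
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=1500,fd=5))
"""

LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)'
    r'\s+\S+(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listeners(text):
    """Map (proto, port) -> (bind address, process) from ss output."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # the header and any unrecognised lines are skipped
            found[(m["proto"], int(m["port"]))] = (m["addr"], m["proc"] or "?")
    return found


def review(listeners, baseline):
    """Classify listeners against the documented baseline:
    authorized  - listening and documented as required
    unexplained - listening but undocumented: justify, disable, or
                  cover with compensating measures (TFE)
    missing     - documented but not listening: baseline is stale
    """
    seen, documented = set(listeners), set(baseline)
    return {"authorized": sorted(seen & documented),
            "unexplained": sorted(seen - documented),
            "missing": sorted(documented - seen)}


def network_reachable(listeners):
    """Listeners not bound to loopback, i.e. reachable through the ESP."""
    return sorted(k for k, (addr, _) in listeners.items()
                  if not addr.startswith("127.") and addr != "[::1]")


if __name__ == "__main__":
    found = parse_listeners(SS_OUTPUT)
    for status, keys in review(found, BASELINE).items():
        for key in keys:
            detail = found[key] if key in found else BASELINE[key]
            print(f"{status:11} {key[0]}/{key[1]:<5} {detail}")
```

The same comparison run on each assessment cycle turns step 6 (regular re-performance) into a diff against the previous baseline rather than a fresh investigation of every port.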
 
NERC CIP Policies and Procedures

Encari helps electric utilities identify and develop (i.e., document) sustainable core security policies and procedures required to achieve NERC CIP compliance, and more importantly, to maximize assurance that their workforces, business partners, and end-consumers are safe and secure.  Additionally, security policy and procedure management is not simply a documentation exercise – policies and procedures need to be instituted, enforced and maintained on an ongoing basis, and exceptions need to be strictly managed.  Encari is your answer for acquiring thought leadership and support for your ongoing security policy and procedure management strategy and operations.

These policies and procedures include:

  • The information protection program for critical cyber assets.
  • Change control and configuration management procedures.
  • Personnel risk assessment procedures.
  • Electronic access control processes.
  • Electronic access monitoring procedures.
  • Physical access monitoring procedures.
  • Procedures for logging electronic and physical access.
  • Test procedures for changes to cyber assets.
  • Systems security management procedures, including documenting open ports and services, security patch management, malicious software prevention, and account management.
  • Security status monitoring procedures.
  • Cyber security incident response plan and procedures.
  • Recovery plans and procedures.
 
Personnel Security Awareness for CIP-004-1 R1 Compliance

The first requirement of the NERC CIP Reliability Standard CIP-004 succinctly states: your organization needs to “document, implement and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access receive on-going reinforcement in sound security practices.”  How do you plan on complying with this requirement?  Encari can help you in two ways:

First, starting July 30, 2009, Encari provides several complimentary services to all NERC registered entities to help with CIP-004 R1 compliance.  These services include:

  1. Quarterly security awareness Webinars focusing on security challenges commonly encountered at electric power market participant organizations.  The Webinars address both security best practices and recent incidents and regulatory developments.  We encourage you to forward the Webinar invitation to as many of your fellow employees, contractors, and peers as you would like.
  2. Bi-monthly emailed security awareness bulletins that you can distribute to your employees, contractors, and peers.  Topics addressed include proven information security best practices and recent incidents and regulatory updates.
  3. Periodic emailed templates for posters, intranet pages, and brochures (CIP-004, R1 requires security awareness programs to consist of both indirect and direct communications).

Secondly, Encari can provide customized versions of these Webinars, bulletins and templates for your organization.  These highlight your organization’s own security policies and procedures, based on the configuration of your own SCADA and process control networks.  They are branded as official content from your organization.
 
PSP Architecture and Integration
Encari provides physical security perimeter architecture design, review and physical security plan review consulting services for compliance with NERC CIP-006. In collaboration with partners, Encari also provides PSP assessment, product selection and product installation services to appropriately execute your organization’s physical security plan. Encari will review your current physical security perimeters, work closely with your organization to select the appropriate security controls for compliance with CIP-006, manage and integrate the protective solutions, and define the appropriate mechanisms to integrate the monitoring and archival system with cyber events.
 
ESP Architecture and Integration
Leveraging available, widely adopted and proven industry approaches to process control and defense-in-depth security, such as NIST SP 800-53 and 800-82, ISA 99, and DoD 8500.1, Encari defines the appropriate electronic security perimeters (ESP) for electric utilities. Specifically, each organization’s ESP(s) are uniquely defined by system functionality, and may be functionally independent of the physically secured location. Working with your organization, Encari will devise the appropriate NERC CIP compliant ESP at the control center, generation, and transmission facilities, using multiple defense-in-depth controls to:
  • Define and implement access conditions,
  • Enforce only solicited or two-way communications,
  • Monitor and respond to activity, and
  • Generate audit trails.
The ESP typically is separated into multiple operating enclaves to isolate ports and services on an as-needed basis between computing environments.
 
NERC CIP Technical Feasibility Exceptions Consulting Services

As an electric utility or other power market participant subject to the 41 requirements of NERC CIP Reliability Standards CIP-002 through CIP-009, you realize that, for some of your cyber assets within your electronic security perimeter(s), strict compliance with all of the NERC CIP requirements may not be possible.  For instance, how do you load anti-virus software on a network device that will not let you load anything but the vendor’s firmware, which lacks malware protection functionality?  Or how do you require and enforce a password policy consisting of a combination of alpha, numeric, and “special” characters when the manufacturer requires that device passwords consist solely of upper-case letters?

When FERC approved the NERC CIP Reliability Standards, FERC directed NERC to establish a procedure for the submission, review, audit, and approval of Technical Feasibility Exceptions (TFEs). A Technical Feasibility Exception (TFE) is available where the text of the CIP standard requirement expressly provides either (i) that compliance with the terms of the requirement is required where technically feasible, or (ii) that technical limitations may preclude compliance.

Under NERC’s proposed rules, your organization may request approval for a TFE and have that request evaluated in the context or environment of your organization.  A TFE may be applied to a NERC CIP requirement when satisfying the requirement a) is not technically possible, b) is operationally infeasible, c) poses safety risks that outweigh the reliability benefits, d) conflicts with another regulatory requirement, or e) incurs costs that far exceed the reliability benefits.

It is important to emphasize that, under the TFE procedure, you cannot simply claim an exception to a requirement; you must identify compensating or mitigating measures as an alternative to achieving strict compliance with the requirement in question.  You must also document a timeline both for implementing compensating or mitigating measures and for ultimately achieving strict compliance with the requirement (if this will ever be possible; if not, the timeline for the compensating measures is indefinite).  Once a TFE is approved, you will need to implement the compensating measures and periodically update NERC on your progress towards strict compliance.

There are many more nuances to the process just described. Encari can help your organization navigate the complex TFE request process, ranging from supporting the initial preparation of the TFE request, through implementation and documentation of the compensating measures, and ultimately through your final transition to strict compliance.  Here are some of the services Encari provides:

  • TFE Needs Identification:  Encari can work with you to identify the situations where a TFE would be appropriate, helping you demonstrate a robust compliance program that NERC and FERC ultimately expect from Responsible Entities. 
  • Compensating or Mitigating Measures Definition:  Encari’s broad experience in cyber security technologies and the NERC CIP reliability standards requirements is applied to help you define appropriate, practical, executable and sufficient compensating or mitigating measures.
  • TFE Request Development:  Encari applies its expertise in the procedural intricacies involved in formulating a TFE request and assists Responsible Entities in persuasively articulating their unique circumstances.
  • TFE Request Enhancement:  Should your TFE request be disapproved, Encari will help you identify and implement the steps required to execute a successful resubmission or appeal.
  • Compensating or Mitigating Measures Implementation and Reporting:  Upon approval of the TFE request, Encari helps you adhere to established plans governing the implementation of compensating or mitigating measures.

To summarize, in many situations it is not technically feasible to strictly comply with CIP requirements.  In these situations, a NERC Responsible Entity faces the choice of either self-reporting non-compliance (and developing a mitigation plan to come into compliance) or preparing TFE requests under the NERC procedures – and by doing so remaining in compliance.

 
Identifying Critical Assets and Critical Cyber Assets
The identification of critical assets (CAs) and critical cyber assets (CCAs) is the foundation for compliance with the CIP reliability standards. The erroneous exclusion of CAs and / or CCAs can result in noncompliance.  The erroneous inclusion of CAs and / or CCAs causes Responsible Entities to incur needless expense when executing their NERC CIP compliance initiatives.  If you have already identified your CAs and CCAs, Encari can provide an objective third-party review of your risk-based assessment methodology and its execution to assess the effectiveness of your NERC CIP-002 Critical Asset and Critical Cyber Asset identification efforts.  If you have not completed this identification process, Encari can work with you to develop, document and execute your risk-based assessment methodology and, most importantly, meet the measures for compliance with the NERC CIP-002 requirements.
 