As you all know, April 1, 2016 has come and gone. We are now left with the new effective date for CIP compliance on July 1, 2016. Curricula just completed a joint webcast with Tripwire as part of the NERC Alliance Network to talk about what you should be doing in these final days leading to the CIP compliance effective date. If you didn’t get a chance to catch the webcast, head over to Tripwire and watch the recorded webcast.
One question that has been coming up over and over again lately is about training your personnel for CIP V5/V6. There was a lot of confusion based on what we discussed in the webcast about what you need to do prior to July 1, 2016. Nothing has changed as far as implementation goes, but the date obviously moved from April 1 to July 1. If you are confused about the effective dates, check out the NERC Transition Program website for more information.
July 1, 2016 is an important date. Why is that? You will need to have completed training for all of your staff, contractors, vendors, and any personnel that fall into scope of CIP-004 R2. The applicable systems for these personnel are:
- EACMS; and
- PACS
- EACMS; and
- PACS
It is important to note that they need to be trained PRIOR to July 1, 2016. Simply having a V3 training program in place without re-training will automatically get your entity a Possible Violation when it comes audit time. Technically you would need to self-report this on July 1 if it has not been done.
Why is this? Well, think about it: CIP-004-3 only had 4 objective statements. The concepts within those objective statements are obsolete and the terms are formally retired. Here are the old objectives:
- R2.2.1. The proper use of Critical Cyber Assets;
- R2.2.2. Physical and electronic access controls to Critical Cyber Assets;
- R2.2.3. The proper handling of Critical Cyber Asset information; and,
- R2.2.4. Action plans and procedures to recover or re-establish Critical Cyber Assets and access thereto following a Cyber Security Incident.
CIP V5 has 9 objective statements that are brand new, along with brand new concepts such as CIP Exceptional Circumstances, BES Cyber Systems, Intermediate Systems, Transient Devices, and Removable Media. Not to mention that the applicable systems are completely new, as are many of the language changes within the standards. Your personnel need to understand all of these new terms and concepts, and you need documented proof that they went through the new program. Here are the CIP-004-6 objective statements:
- 2.1.1. Cyber security policies;
- 2.1.2. Physical access controls;
- 2.1.3. Electronic access controls;
- 2.1.4. The visitor control program;
- 2.1.5. Handling of BES Cyber System Information and its storage;
- 2.1.6. Identification of a Cyber Security Incident and initial notifications in accordance with the entity’s incident response plan;
- 2.1.7. Recovery plans for BES Cyber Systems;
- 2.1.8. Response to Cyber Security Incidents; and
- 2.1.9. Cyber security risks associated with a BES Cyber System’s electronic interconnectivity and interoperability with other Cyber Assets, including Transient Cyber Assets, and with Removable Media.
What you will also notice in the CIP V5 Implementation Plan is a line item about CIP-004 R2.3, which is considered the re-training section of the requirement part. After the initial performance requirement is met by training your personnel, you have a 12 month implementation period for re-training those staff. Yes, technically this should be a CIP year and use the 15 calendar month window that the standard itself provides, but NERC might have missed that one.
During our webcast, Tim Erlin from Tripwire and I pointed out the 3 things you should be doing leading into the NERC CIP Compliance effective date on July 1, 2016:
1. Perform a mock audit: If you haven’t done so already, you need to have a mock audit. Don’t worry if you call it an assessment, review, audit, exercise, or any other term. As long as you can get everyone on your team together to review each of the requirements, this will help dramatically when it comes time for the real thing. You can find your strong points and areas of weakness to improve before your audit approaches.
2. Implement your NERC CIP training and cyber security awareness program: As we discussed already, you must have your CIP training completed by July 1, 2016 to avoid a Possible Violation. A V3 program will not suffice and will end up with a lot of issues during an audit. As for your CIP-004 R1 cyber security awareness program, you must run your first campaign in Q3 of 2016 with a documented program in place. I discussed on the webcast that this is also a great way to start implementation at some of your Low Impact sites to get them ready for their requirements on April 1, 2016. You can have the same program for all of your High, Medium, and Low Impact sites to encourage a cyber security culture across the organization.
3. Automate or Die: This was a common theme that came up during the NERC CIP Implementation Study. Entities found ways of truly understanding processes within their organization and developed ways to improve or automate those processes. Without automation, CIP can become very challenging, so look to the experts that have been there and done that. Utilize your resources and discuss your challenges with your peers.