April 1, 2017 has finally arrived, and it has brought hundreds of new entities into scope as Low Impact entities. With the new requirements under CIP-003 Attachment 1, NERC CIP now requires a Low Impact security awareness program. Two types of entities are affected. The first is an existing CIP-compliant entity that already fell into scope with Medium or High Impact BES Cyber Systems; CIP-004 R1 requires those entities to develop and enforce a cyber security awareness program that reinforces practices at least once each calendar quarter. The second is an entity that has just come into scope of NERC CIP and owns only Low Impact BES Cyber Systems.
Low Impact Cyber Security Awareness Requirements
The requirement reads: "Each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices)." In practice this means that, starting April 1, 2017, you must have a cyber security awareness program in place for the locations and personnel associated with your Low Impact BES Cyber Systems. This is not a formal CIP training program, so you do not have to demonstrate to an audit team that each individual has completed it.
What will auditors look for?
Auditors will look for documentation covering the policy, the program, and the process. First, the audit team will ask whether the entity has documented its cyber security policies. These should be a high-level overview of the entire Low Impact plan described in CIP-003 R1.
Next, the audit team will review the entity's process for reinforcing the documented cyber security practices. This covers how the plan is actually implemented, how it is managed, and how the content is delivered.
Finally, the audit team will confirm that the entity followed its documented process and reinforced cyber security practices at least once every 15 calendar months. The evidence here is simply documentation of changes and updates to the awareness content, together with records of its delivery (for example, dated emails, posters, or meeting records).
How to implement a Low Impact Security Awareness Program
If you already have a security awareness program in place for your Medium or High Impact sites, you are in great shape: you can fold the Low Impact sites into it and have your High, Medium, and Low Impact personnel follow the same schedule. If you are brand new to NERC CIP as a Low Impact entity, look at the options available for building your program. We typically see the most success when the NERC CIP awareness program is combined with a corporate security awareness program. Security awareness applies to multiple departments across an organization, and this is a great opportunity to drive a company-wide culture change toward better security.
Why 15 months isn’t actually awareness
Security awareness is very different from training. Security awareness means having or showing realization, perception, or knowledge of cyber security; in practice it means surrounding your personnel with constant insight into cyber security risks. You do not need to formally track each individual consuming security awareness content. If you are a High or Medium Impact entity, a separate NERC CIP training program (CIP-004 R2) is also required to bring your staff, contractors, and vendors up to speed on the NERC CIP requirements so that everyone speaks the same language of CIP. That formal training must be completed before a person is granted authorized electronic access or authorized unescorted physical access to BES Cyber Assets (BCAs).
So why do Low Impact entities only have to update or distribute awareness content once every 15 calendar months? If awareness is supposed to surround our personnel with the latest knowledge about current cyber security threats, how can we do that only once every 15 months? Tough question to answer, right? Imagine buying and deploying a firewall with no access control list configured. Kind of useless, right? Yes, you checked the box saying you have a firewall in place, but it serves no real purpose beyond checking the box for compliance. We can do better than that.
As a security expert, it is your job to help shape an effective cyber security program for your organization. Think about different ways to make security awareness engaging, because that is what improves your overall cyber security program. Hanging up a poster or sending out a single email once a year probably is not going to influence behavior or demonstrate good security practices. If you put in some effort and actually believe in the purpose behind a security awareness program, you will not only improve your NERC CIP compliance but also improve the security culture of your entity.