Today we wanted to discuss what a NERC CIP Cyber Security Awareness Program is all about and what is expected to demonstrate compliance for CIP-004 R1. We will also discuss the CIP-003 R2 Attachment 1 requirements for your Low Impact Cyber Security Awareness Program effective April 1, 2017.
The CIP Cyber Security Awareness Program is intended to be informational in its purpose and not as formal as its training partner requirement. Security Awareness is probably one of the most fundamental tools needed to keep your staff, contractors, and vendors aware of current threats and vulnerabilities related to cyber and physical security. You have a great opportunity to provide educational content which is not limited in scope to all of your personnel. We are going to think outside the box of just hanging a poster up in the hallway.
Historically, I have seen security awareness program’s made available only in a physical presence and neglected their remote staff, vendors, and contractors. Also, take note that this requirement is for all High and Medium Impact BES Cyber Systems, regardless of connectivity. Unlike like the CIP Training Program requirements, all personnel with authorized unescorted physical access or authorized electronic access to High or Medium Impact BCAs need to be in the security awareness program.
Remember, you don’t need to provide documented records of each person that consumed content in your security awareness program. (although that is the entire point of a security awareness program) But you do need to demonstrate that you made the program available to everyone in scope as we just discussed.
How to Demonstrate CIP-004 R1 Compliance
When a CIP auditor is looking at your CIP Security Awareness Program they will request the following information:
Content: The auditor will ensure that you have content that reinforces cyber and physical security practices. Content is not limited to NERC specific topics. Your content should cover any relevant aspect of cyber or physical security to educate your staff on current threats and vulnerabilities. Think about subjects such as tailgating, passwords, removable media, and other relevant topics. Remember, an awareness program is not a phishing tool, it is educational in scope.
Delivery: The auditor will also validate your delivery method. What we mean here is they will want to see evidence of the process for how you deliver content to all authorized personnel in scope of the CIP Cyber Security Awareness Program. A group distribution list and simple process document will suffice in explaining how your security awareness program works.
Records: Finally, the auditor will ask to demonstrate that your organization has delivered content and followed your process at least once each calendar quarter. This applies to High and Medium impact programs. You can demonstrate this by supplying dated records of when and how content was delivered during each calendar quarter. A summary report of activities as well as additional details about your content will suit as evidence. Tools such as the Curricula Aware platform will automate all of your compliance evidence to hand right over to your audit team.What About Our Low Impact Security Awareness Program?
We typically get asked the following question by entities, “Can I combine my Low Impact Security Awareness Program with my High and Medium Impact Security Awareness Program?” Yes, you can and should combine them. CIP-003 R2 Attachment 1 states that your Low Impact personnel only require security awareness every 15 months or as we say every CIP year. Although this is not really following great security awareness practice, it is what has been written into the CIP standards. In most cases, your Low Impact Security Awareness Program has to be available across many sites and must be launched at the latest by April 1, 2017.
You obviously do not have to perform the bare minimum on this requirement and we highly recommend you put as much effort into your Low Impact Security Awareness Program as other areas of your overall cyber security program. Developing a robust cyber security awareness program will not only win you bonus points with your audit team, it will also ensure you have a knowledgeable and cyber aware staff. A strong security awareness program may also be delivered in your corporate environment to help build a culture of security across the entire organization.
Curricula recommends at a minimum you develop a cyber security awareness program that delivers content each calendar quarter to meet your CIP requirements. Developing and managing a NERC CIP Cyber Security Awareness Program can be challenging. If you are looking to automate your program or just need some advice, feel free to reach out and we would be happy to help.