How to build NERC CIP compliance: a new course by the SANS Institute
SANS ICS456 ‘Essentials for NERC Critical Infrastructure Protection’ is the newest course to be offered in critical infrastructure protection by the SANS Institute. The course is designed to provide engineers, cybersecurity experts, auditors, vendors, and others working in the electric power industry with a detailed overview of the latest iteration of the NERC CIP standards, the federally mandated cybersecurity standards for the bulk electric system (BES). I took the course as a researcher interested in learning more about the standards and their impact on the resilience of the electric grid. (You can read about my research here).
Taking place over five days of eight-hour classes, the course offers students a step-by-step walkthrough of the standards, focusing on both what the standards are and how they can be implemented. Each day covers a different component of the standards, which combine to provide students with an overarching picture of how the standards work. The first day, ‘Asset Identification and Governance’, focuses on the basics of defining the systems that are under the Standards. Day two, ‘Access Control and Monitoring’, discusses how to establish, monitor, and maintain physical and electronic perimeters for BES cyber systems. The next day, ‘Systems Management’, reviews how to protect individual cyber assets in order to protect BES cyber systems. The fourth day, ‘Information Protection and Response’, outlines the training and information protection strategies necessary to maintain NERC CIP compliance. The last day, ‘CIP Processes’, concludes the course by providing a framework for establishing organizational and system level processes for working with auditors and maintaining CIP compliance.
It is obvious that much care and attention went in to crafting the course. The course includes six associated books (one per day plus a workbook), all well over 100 pages, which include the day’s lecture slides with detailed notes underneath. The course has a clear, logical order that starts with the big picture overview of the scope of standards, before moving on to the requirements within the scope. Each of the 10 standards is reviewed in detail over five days, breaking the standard down to its components, describing what those components mean and how they can be implemented, and offering a series of hands-on labs for specific implementation techniques.
Lectures serve as a means of providing students with information and offer a place for students to ask questions and engage in discussions. The lecturers have an intimate knowledge of cybersecurity and the CIP standards and are able to answer the questions posed by students, including the highly technical and detail-oriented. The students themselves are also a key source of information, as they held varying kinds of responsibility for implementing the standards, and freely shared their stories and perspectives throughout the course.to the standards and sharing their stories and perspectives over the course of the module. In this way the course provides not only an overview of the standards from the perspective of coverage but also a broad view of implementation.
The labs are all very practical: some teach students how to use specific tools to build a compliance program (for example, CSET to review the structure of industrial control and enterprise network systems) and others focus on how to understand the standards and place them in their broader context (for example, how the standards align with the Cybersecurity Capability Maturity Model). Of the latter, one exercise taught students how to pick a lock, an entertaining and highly practical exercise that demonstrated the requirements of physical security protections. The first-hand experience provided in the exercise showed students how easily traditional locks can be compromised and the risks of using them for a physical control system.
During the course, I also gained a sense of some of the broader strengths and weaknesses of the CIP standards from the distinctive perspectives of compliance and of security. The mandatory tasks required in the latest version are substantial, and implementing them can have very real security benefits: entities must identify critical cyber systems and must implement a variety of controls to secure those systems (like segmenting critical from non-critical systems and training staff). Such activities are audited, with auditors looking not just at the standards themselves but assessing entities on their ‘cultures’ of compliance and security. While many CIP programs are motivated primarily by concerns about reputational risks of potentially being found to be non-compliant, some aspects of compliance will enhance security by default and auditors will try to ensure that security is at the fore of a program.
Although the standards themselves have evolved considerably over the past number of years, what I learned in the course suggests that more work is needed to ease the burden of implementation and to address neglected issues. The standards do not cover certain important issues, such as supply chain and distribution, and the role of executive leadership in making decisions and structuring staff roles in ways that integrate CIP compliance with cybersecurity responsibilities. There are also implementation challenges including ambiguous wording and inconsistencies between regional reliability organizations’ audit approaches. Some implementation challenges stem from the fact that the standards are focused on improving cybersecurity, which is a moving target that changes with technology and advancements in adversary techniques. Challenges also stem from the fact that CIP is a blanket standard that covers the entire electric industry, which is comprised of entities of highly variable sizes, governance structures, functionalities, organizational histories, and risk profiles. The best strategy for resolving these challenges is a matter for further research.
This course helped me gain a much better understanding of how the CIP standards worked. My classmates, many of whose jobs relate directly to the standards, also felt that the course was well worth their time in money. For example, two working for a large utility in the southern United States stated that the course gave them more confidence in their existing compliance program and that they learned a number of new things. The course is currently being offered by the SANS institute, so if you think it might be useful check out their webpage for more information.
Aaron Clark-Ginsberg is a postdoctoral researcher at Stanford University. He is currently working on a project examining the effectiveness of the CIP standards in building the resilience of the electric system. If you would like to learn more about the study, you can read about it here or contact him at firstname.lastname@example.org. This article was produced as part of a project funded by the US Department of Homeland Security, but the views and conclusions in this article are the author’s. Aaron is not affiliated with the SANS Institute.
No discussions yet. Start a discussion below.