Top 5 NERC CIP Compliance Program Mistakes
I spent quite a bit of time on the road while working at NERC. I was involved in everything from CIP compliance audits, investigations, advisory sessions, and CIP standards development. Along my journey, I came across some very successful programs and others that needed a lot of work. Nonetheless, I thought I would share some of the top 5 NERC CIP compliance program mistakes I discovered across my experience in the industry.
1) Fear Driven
One of the first mistakes I have seen at some entities across the country is when compliance violations are tied to performance. Specifically, I mean tying performance bonuses to compliance. How do you think that makes your employees feel? If a compliance issue were to arise, how do you think they would react? Who would want to report an issue that would get them and their team penalized?
“Instead of building a culture of compliance, you are creating a culture of silence.”
Employees don’t want to let down their peers. The fear that making a mistake or doing something wrong can impact their performance is a huge mistake in motivating compliance. The purpose of compliance is to identify issues, assess their causes, and find an action plan to correct those issues from being replicated again in the future. Does that language sound familiar?
Your employees are working hard to make sure the program is running smoothly. They should be actively looking for potential issues of non-compliance. They should also be looking for process improvements and identifying areas of risk in your compliance program. Give them the tools and power needed to be open and honest, and your CIP compliance program will benefit greatly.
2) Practice Makes Perfect
Understand that your entity is going to get audited sooner or later. I cannot tell you how many times I came across many entities that didn’t understand that. Audits are not voluntary, and they are required for a reason. The best way to prepare for an audit is perform a mock audit. This can be done by an internal audit team, a third party, or even another department. It is best to have someone independent perform this mock audit since they won’t be biased on the questions being asked.
You never want the first time you are audited to be your first audit experience. You should constantly be asking yourself questions such as, “what would the auditor think” or “what would someone in my position think” if presented with this information. Mock audits are a great way to find your strengths and weakness in the program. After you identify your weaknesses, you can help improve processes and procedures to help get you moving in the right direction. Get different departments involved in this process. Work together to find common strengths, gaps, and move forward with an action plan to build a solid program.
3) Show Your Work
The purpose of compliance is to adhere to a set of guidelines and standards. When an auditor begins their assessment, they are going to check your work. Anyone can say they are doing something, but you’ll need to provide the evidence of doing so. The auditor will look at your processes, procedures, and the evidence you provided. You will need to tell the entire story of compliance. Just having a process in place doesn’t mean you are following it. And just producing evidence doesn’t always mean you followed your process.
Lets take for example a patch management process in CIP-007. One can simply say they checked for patches and did or did not apply them. The real question is how did you get there? How did you check for patches? What process did you use? When and how did that person verify that the patch was applicable. How can you show and auditor or even your team that you went through this process. It is always important to show your work on how you followed processes with any type of documentation and even a sign off when an individual completes a process. The auditors will appreciate this type of documentation and it will give you peace of mind that your team if following the correct steps.
4) Overanalyzing the Standard
Don’t sit there and over-analyze the standards. Time and time again I have seen compliance teams get caught up in the specific language. Use common sense, read the guidance and technical basis, and you will be fine. Contrary to popular belief, the standards aren’t here to trick you and neither are the auditors. They are all here to help establish a foundational baseline of cyber security best practices. Don’t waste time reading specific words and arguing over their meaning. Instead, spend that time implementing and focusing on results.
I sat during an audit and watched the entity and their lawyers argue with the auditors over the word significant. They debated the meaning significant for the entire week. The time and mood of the entire audit changed at that moment. It was a waste of time and frustrating for what gain? The audit team was beyond frustrated and this just caused them to scrutinize other areas of the audit that shouldn’t have been questioned in that much detail. Don’t sweat the small stuff and focus on what is important for your audit.
5) Weak Employee Training Program
Lastly, one of the biggest mistakes I have seen in CIP compliance program is having a weak CIP training program. Think about it, your CIP compliance program is managed by people. With all the personnel involved, you need to build a strong foundation of knowledge around CIP compliance. The foundational education is there for a reason. That way, your employees can use critical thinking to apply the CIP concepts to your own program. You need everyone to speak the language of CIP!
Required under CIP-004 R2, a NERC CIP Training Program is a necessity to be successful. Too many times I have seen the CIP training program become a check the box exercise and not a priority. Slapping together a few PowerPoint slides with the CIP standards copied and pasted. Adding a few images and then having the lawyers add some very technical legal language. The result is what the industry likes to call a check the box approach. Although this checks the box for compliance, the approach is completely ineffective on teaching the concepts of CIP compliance, and mistakes will happen as a result. You can also check out a whitepaper highlighting the Top CIP Compliance Training Program Mistakes to see if you are making some of the most common mistakes in your program.
This post orginally appeared on the Curricula security awareness blog here.