Scaling the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance requirements across an enterprise can be a daunting task. With an ever-expanding list of IT and OT assets that need to be accounted for, even the most experienced CISO can be overwhelmed by the complexity of centralizing information across multiple business units. Fortunately, there are solutions that enable information security leaders to centralize and scale NERC CIP compliance across the entire enterprise.
NERC CIP is the set of mandatory Critical Infrastructure Protection reliability standards for operating, maintaining, and protecting the Bulk Electric System (BES). As the Electric Reliability Organization certified by the Federal Energy Regulatory Commission (FERC), NERC is a frontline defense against the catastrophic danger of instability and misuse within the BES. A compromised electric system can have devastating consequences for consumers and operating entities alike.
For many CISOs, the NERC CIP compliance requirements are not new. The challenge arises as more business-side executives and Boards ask more of their CISOs in terms of reporting on enterprise-wide cyber posture for both risk and compliance. Registered entities typically participate in NERC's standards development process so that new requirements fit their operating model, but the internal processes and workflows they use to satisfy NERC CIP are rarely shared publicly because of the sensitive data involved. Fortunately, the NERC CIP requirements themselves are public, and they apply on a risk basis: the requirements that apply to a BES Cyber System depend on the impact rating (high, medium, or low) assigned to it. Assessing against that risk-based structure makes it easier to see which controls matter where once the assessment data is aggregated in one place, and it lets other risk-based frameworks such as the NIST Cybersecurity Framework (CSF) serve as a measurement tool for tracking NERC CIP compliance.
For organizations operating within the bulk power system, the requirements for the tools that make NERC CIP compliance possible are changing. Information security leaders must look beyond meeting the security management controls and be prepared to align their cyber program with the business objectives of the organization. In this post, we examine the critical capabilities a tool needs in order to let security leaders scale NERC CIP across their enterprises.
Centralized directory and categorization of assets
The risk and compliance tool you select to help you scale NERC CIP compliance should be capable of acting as a single source of truth for your organization. The fundamental element of NERC CIP compliance is knowing where your assets are and which of them are critical to the ongoing operation of the BES.
With the rapid convergence of IT and OT (and IIoT), information security teams face an expanding attack surface and new assets that they are responsible for tracking and securing. To scale this level of compliance across the organization, spreadsheets or modular GRC solutions are too inefficient. Integrated solutions let information security leaders in the energy space store their asset assessment data, both risk and compliance, in one centralized repository, enabling a more holistic approach. CyberStrong's fully integrated platform enables the categorization of IT and OT assets, allowing assessment and reporting on these assets to be broken down by business unit, location, and asset type.
Single Source of Truth During Planning
The single source of truth we outlined for asset categorization feeds directly into the planning stages of a NERC CIP assessment. Ensuring that your team is on the same page and that all participants in the assessment understand their role is paramount to an effective and comprehensive NERC CIP assessment. Spreadsheets and modular GRC tools can support the planning stages well enough. However, version control rapidly becomes an issue with spreadsheets, and with GRC tools, depending on how your particular platform is configured, you may find that your teams cannot use the tool because of its complexity.
Integrated solutions, on the other hand, let organizations see the entire plan from a single source of truth without digging through multiple modules or sifting through a plethora of spreadsheets. CyberStrong's collaboration tools include bulk control assignment, asynchronous collaboration notes between the teams responsible for a given assessment, and automated due date follow-ups that streamline the assessment process and help energy risk and compliance teams reach a clear picture of their posture faster.
Flexibility in the Face of Changes During the Assessment
As every cybersecurity practitioner (CSP) knows, any plan is subject to change (and does change) once the assessment is under way. Making sure the tool you use to conduct the assessment can absorb those changes and update your team accordingly is paramount. Where spreadsheets can get your team through the planning stages, execution is where their value truly begins to break down. As the assessment plan shifts in practice, risk and compliance leaders must be able to determine accountability at the control level to understand how the project plan is changing. An integrated solution tracks this more effectively than a legacy GRC tool spread across modules.
Transparent Reporting that Moves Up and Down the Chain of Command
Finally, once the assessment is complete, reporting is in fact the most critical piece. Most organizations using spreadsheets spend hours breaking apart the control set and then reassembling it into a single file to report on. This inefficiency costs hours and increases the risk of reporting inaccurate data from an outdated version.
Furthermore, with more business leaders wanting insight into the cybersecurity posture of the organization, information security leaders must be able to present their program data to a wider range of audiences than in the past. Creating more reports out of spreadsheets or modular GRC tools is a drain on time and resources. Using an integrated platform that automatically generates reports from real-time data not only saves your team time but also makes your cybersecurity program data actionable to a wider range of audiences, from business-level stakeholders and C-suite executives to technical CSPs.
Prepare for the future with an integrated solution
With so much at stake for organizations operating within the bulk electric system, protecting critical cyber assets and adopting a risk-based methodology lets your organization accommodate NERC CIP with an integrated risk management solution like CyberStrong that standardizes multiple frameworks. Many framework tools claim to extend NERC CIP data to other business functions to inform resourcing decisions, but fall short. CyberStrong has the functional flexibility to map the latest version of NERC CIP to NIST CSF controls, and it lets you assign relationships between job roles and individuals with Admin, Manager, and Collaborator access levels.
Additionally, CyberStrong can aggregate your compliance requirements from multiple sources using control tagging, so you know in real time which controls satisfy their respective requirements. Coupled with our patented AI and machine learning, this provides threat feeds and remediation suggestions specific to your organization's needs based on risk and impact. Our Company Compliance and Oversight dashboard also lets your organization's policies be mapped to controls and assessments, so you can compare your security posture to specific frameworks.
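To make the control-tagging and framework-mapping idea from the last two paragraphs concrete, here is an added example, written for this post and not CyberStrong's code or data model. Each assessed control carries tags naming the framework requirements it satisfies; inverting those tags rolls control status up to requirement status, and any in-scope requirement that no control is tagged with is reported as a crosswalk gap rather than silently omitted. The control labels follow the NERC CIP and NIST CSF naming patterns, but the statuses, the tag associations and the scope list are constructed for illustration and are not an official crosswalk.

```python
"""
Tag-based control crosswalk (constructed example, not an official mapping).

Controls are assessed once; tags say which framework requirements each control
satisfies. Requirement status is derived, and unmapped in-scope requirements
are surfaced as gaps.
"""
from collections import defaultdict

# Constructed assessment results: control label -> implemented?
# Labels are illustrative; they are not an authoritative list of CIP requirements.
CONTROL_STATUS = {
    "CIP-002 R1": True,   # identify BES Cyber Systems and impact ratings
    "CIP-005 R1": True,   # electronic security perimeter
    "CIP-007 R2": False,  # security patch management
    "CIP-007 R5": True,   # system access control
    "CIP-010 R1": False,  # configuration change management
    "CIP-010 R3": True,   # vulnerability assessments
}

# Constructed tags: "<framework>:<requirement id>". A control may satisfy
# several requirements, and a requirement may need several controls.
CONTROL_TAGS = {
    "CIP-002 R1": {"CSF:ID.AM-1", "CSF:ID.AM-5"},
    "CIP-005 R1": {"CSF:PR.AC-5"},
    "CIP-007 R2": {"CSF:ID.RA-1", "CSF:PR.IP-12"},
    "CIP-007 R5": {"CSF:PR.AC-1"},
    "CIP-010 R1": {"CSF:PR.IP-1", "CSF:PR.IP-3"},
    "CIP-010 R3": {"CSF:PR.IP-12", "CSF:DE.CM-8"},
}

# Requirements declared in scope per framework (constructed). Declaring scope
# separately is what lets a requirement with no tagged control show up as a gap.
IN_SCOPE = {
    "CSF": {"ID.AM-1", "ID.AM-5", "ID.RA-1", "PR.AC-1", "PR.AC-5",
            "PR.IP-1", "PR.IP-3", "PR.IP-12", "DE.CM-1", "DE.CM-8"},
}


def invert_tags(control_tags):
    """Map (framework, requirement id) -> set of controls tagged with it."""
    by_req = defaultdict(set)
    for control, tags in control_tags.items():
        for tag in tags:
            framework, req_id = tag.split(":", 1)
            by_req[(framework, req_id)].add(control)
    return by_req


def requirement_status(framework, control_status, control_tags, in_scope):
    """Return {req_id: satisfied | partial | unsatisfied | unmapped}.

    A requirement is satisfied only when every control tagged with it is
    implemented; a mix is partial. In-scope requirements carrying no tag are
    unmapped, i.e. the crosswalk itself has a hole.
    """
    by_req = invert_tags(control_tags)
    status = {}
    for req_id in sorted(in_scope[framework]):
        controls = by_req.get((framework, req_id), set())
        if not controls:
            status[req_id] = "unmapped"
            continue
        done = sum(1 for c in controls if control_status[c])
        if done == len(controls):
            status[req_id] = "satisfied"
        elif done == 0:
            status[req_id] = "unsatisfied"
        else:
            status[req_id] = "partial"
    return status


def coverage(status):
    """Share of in-scope requirements fully satisfied; unmapped counts as not met."""
    if not status:
        return 0.0
    return sum(1 for s in status.values() if s == "satisfied") / len(status)


def failing_controls_for(framework, req_id, control_status, control_tags):
    """Controls that must be remediated before one requirement is satisfied."""
    controls = invert_tags(control_tags).get((framework, req_id), set())
    return sorted(c for c in controls if not control_status[c])


if __name__ == "__main__":
    status = requirement_status("CSF", CONTROL_STATUS, CONTROL_TAGS, IN_SCOPE)
    for req_id, state in status.items():
        fix = failing_controls_for("CSF", req_id, CONTROL_STATUS, CONTROL_TAGS)
        print(f"{req_id:9} {state:12} {'remediate: ' + ', '.join(fix) if fix else ''}")
    print(f"CSF coverage: {coverage(status):.0%}")
```

Two design points matter in practice. Status rolls up conservatively (all tagged controls must pass), so a single failing patch-management control marks every requirement it supports as partial or unsatisfied instead of being averaged away. And scope is declared independently of the tags, which is the only way a dashboard can distinguish "100% of what we mapped" from "100% of what the framework asks"; here DE.CM-1 is in scope but untagged and is reported as unmapped.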