The Lighthouse: CIP low impact from the ground up – Part 3, Overview of compliance steps

By Lew Folkerth, Principal Reliability Consultant, External Affairs

In this recurring column, I explore various questions and concerns related to the NERC Critical Infrastructure Protection (CIP) Standards. I share my views and opinions with you, which are not binding. Rather, this information is intended to provoke discussion within your entity. It may also help you and your entity as you strive to improve your compliance posture and work toward continuous improvement in the reliability, security, resilience and sustainability of your CIP compliance programs. At times I may also discuss areas of the standards that other entities are struggling with and share my ideas for overcoming those known issues. As with lighthouses, I can’t steer your ship for you, but perhaps I can help shed light on the sometimes-stormy waters of CIP compliance.

Photo: Aurora over Old Mackinac Point Light, Mackinaw City, Michigan (Lew Folkerth)

In this series of articles, I’ll explore the NERC CIP Standards applicable to low impact Bulk Electric System (BES) Cyber Systems. These articles are my opinions only – consider them to be my advice to you. Most of this advice will reference the enforceable language of the Reliability Standards, and I’ll quote the applicable wording or provide links to the applicable documents. The enforceable language of the standards will always govern, and if you think my advice conflicts with this language, please let me know.

In providing this advice, I will tell you what you must accomplish and what you should accomplish with your compliance program. But I cannot tell you how to be compliant. How you implement these standards is individual to each organization.

I’m going to assume you are new to the CIP Standards. I will begin with some foundational material before progressing to more advanced topics and provide links that may be useful for your own reference library.

In Part 1 of this series, I discussed why Reliability Standards are needed, how NERC came into existence, and what a Reliability Standard looks like and how to read it. Part 2 of the series gave you an introduction to the CIP Standards applicable to low impact BES Cyber Systems. This article, Part 3, is an overview of the steps needed to begin your CIP compliance program at the low impact level.

Overview of compliance steps

There is a certain order imposed on these steps by the CIP Standards. For example, you don’t know which set of cyber security policies you must develop until you know the impact ratings of your cyber systems. Here are my recommendations for the order of developing your initial CIP compliance program. Note that this is just an outline, and each step in the outline will receive its own article: 

  1. Designate your CIP Senior Manager. This should be done first because it is the CIP Senior Manager who is responsible for all of the following steps. (CIP-003-8 R3, Cyber Security — Security Management Controls)
  2. Identify your physical BES assets.
  3. Perform a preliminary classification of your BES assets (CIP-002-5.1a Attachment 1, Cyber Security — BES Cyber System Categorization)
  4. Develop and approve* cyber security policies (CIP-003-8 R1 Part 1.2, Cyber Security — Security Management Controls):
    1. Cyber security awareness;
    2. Physical security controls;
    3. Electronic access controls;
    4. Cyber Security Incident response;
    5. Transient Cyber Assets and Removable Media malicious code risk mitigation; and
    6. Declaring and responding to CIP Exceptional Circumstances.
  5. For each BES asset that contains a low impact BES Cyber System, decide whether you will be protecting all Cyber Assets at the BES asset or only the low impact BES Cyber Systems at the asset (you can make this determination for each BES asset): 
    1. All Cyber Assets at the BES asset 
      1. Develop* the list of BES assets containing low impact BES Cyber Systems (CIP-002-5.1a R1 Part 1.3, Cyber Security — BES Cyber System Categorization). 
    2. Only the low impact BES Cyber Systems at the asset 
      1. Develop* the list of BES assets containing low impact BES Cyber Systems (CIP-002-5.1a R1 Part 1.3, Cyber Security — BES Cyber System Categorization).
      2. Identify all Cyber Assets associated with the BES asset.
      3. Develop* the list of low impact BES Cyber Systems at each BES asset. This list will be needed later when you develop your physical and electronic access controls. Note that, according to CIP-002-5.1a R1 Part 1.3 (Cyber Security — BES Cyber System Categorization), you only need to identify the BES asset containing the low impact BES Cyber Systems. This remains true, but since you are not protecting all of the Cyber Assets at the BES asset, you must be able to identify those Cyber Assets you are protecting.
  6. Develop and implement one or more cyber security plans (CIP-003-8 R2, Cyber Security — Security Management Controls). These plans must include the Sections in CIP-003-8 Attachment A: 
    1. Cyber Security Awareness*
    2. Physical Security Controls
    3. Electronic Access Controls
    4. Cyber Security Incident Response*
    5. Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation
  7. If you own or operate a Control Center, per the NERC Glossary definition, determine whether you send Real-time Assessment or Real-time monitoring data to, or receive it from, another Control Center. If so, you need to protect the data being communicated in accordance with CIP-012-1 (Cyber Security – Communications between Control Centers).

* Note: Each of the items marked with an asterisk (*) above also contains a periodic element that will need to be reviewed on an appropriate schedule. 

I will discuss each of these compliance steps in greater depth in future articles in this series.