Can It Be Resource And Cost Effective? - IPKeys Cyber Partners

Transcription

NERC Compliance Automation: Can It Be Resource and Cost Effective?

Whitepaper

Presented by: 3Sys & SigmaFlow

NERC (North American Electric Reliability Corporation) compliance management has always been challenging for utilities, which often have to work with already limited resources. Enforcement and compliance have been further complicated by today’s heightened and frequently changing cyber security concerns. This paper presents an overview of the key CIP (Critical Infrastructure Protection) requirements for NERC compliance and discusses a practical approach to establishing a compliance program, as well as an approach to an automated, cost-effective solution that reduces risk while improving efficiency in the compliance process.

The Problem

Compliance with regulatory standards is critical, perhaps second only to employee safety and reliable power generation and transmission. In years past, a multitude of processes for collecting compliance data – manual or systemic, distributed or centralized, dynamic or static, pull or push – have been sufficient to meet compliance requirements. But that is no longer the case in today’s changing compliance environment, which demands immediate answers and readily auditable trails. Spreadsheets, databases, digital documents, binders of paper, various calendaring techniques and multiple process owners no longer suffice. Therefore, more sophisticated program management and automation are required. After employee safety and the reliability of power generation/transmission requirements, maintaining a state of compliance with regulatory standards is critical. This is true for all types of compliance: environmental, NERC CIP and O&P, OSHA, and other city, county, state and Federal considerations.

However, implementation of a sophisticated process must be balanced with the practicality of managing and reporting requirements.
The recurring question is how to create situational awareness for those who need to know: senior management, operational managers, compliance team members, field engineers, and other stakeholders. Therefore, the industry needs a compliance management solution that addresses all regulatory compliance management needs, is cost effective, resource efficient, and leverages tools already used in the current environment. High and Medium Impact facilities need a specific toolset: logging, alerting, reporting, access control, and monitoring. Low Impact facilities have a smaller set of requirements to maintain, but still require highly efficient tools that optimize the productivity of their limited facility employees.

[Graphic: Automation, Simplification, Best Practice; Work, Business, Compliance, Up to Speed; End-to-End Solution, Real-Time Audit Readiness, Transparency and Oversight; Identification, Assessment, Correction]

Creating and maintaining a CIP compliance program can be both cumbersome and costly. Internal compliance individuals and/or teams can reduce the drain on people’s time and resources by streamlining operational work efforts or automating the processes in support of a CIP compliant environment. With the large amount of data collection required to continuously analyze and provide compliance, data repositories need to be transformed into useful management information that allows appropriate resources (human, financial, technological) to maintain a state of compliance within the organization in the most efficient manner possible.

CIP Process

Figure 1 provides an overview of the CIP Program Lifecycle. While high-level, it clearly shows the need for seamless interaction between a compliance manager or consultant CIP SME (subject matter expert) and each step in the compliance solution. Missteps in any stage of the process can result in significant non-productive costs in addition to the potential consequences of a control failure which results in non-compliance.

“While many of the proposed standards retain the traditional approach of clear, easily enforceable requirements with zero room for error, CIP Version 5 recognizes that in some cases reliability is better served with flexible, adaptable, self-correcting requirements. For example, for Low Impact cyber systems, the standards have adopted programmatic controls rather than specific cyber controls. These new approaches require more sophisticated audit procedures to ensure compliance, because they are focused on implementing risk-based policies instead of filling out paperwork to document compliance with specific requirements. But despite the increased enforcement challenge, these new approaches have the potential to more effectively and efficiently protect our Nation’s critical infrastructure”.
– Version 5 Critical Infrastructure Protection Docket No. RM13-5-000

Figure 1: NERC CIP v5 Low Impact Program Life Cycle. The figure maps the NERC CIP Reliability Standards Version 5 (CIP-002-5.1 BES Cyber System Categorization; CIP-003-6 Security Management Controls with R1 Low Impact Cyber Security Policy(ies), R2 Attachment 1 Cyber Security Plans for Low Impact BES Cyber Systems, R3 CIP Senior Manager and R4 CIP Senior Manager Delegates) to the policies and procedures, lists, data, information, programs and plans they implicitly require (Cyber Asset Inventory, BCS List, BCA List, Security Awareness, Cyber Security, Physical Security Controls, Electronic Access Controls for External Routable Connectivity (LERC) and Dial-up Connectivity, Cyber Security Incident Response, Transient Cyber Assets and Removable Media, Malicious Code Mitigation, Other Supporting Documentation), to the Reliability Standard Audit Worksheet, and to the Evidence and Artifact Repository (Windows directory / shared drive / SharePoint) managed by SigmaFlow Compliance Manager for documentation and workflow management, evidence collection and reporting.

Automation Considerations

To maximize efficiency and seamlessly connect all stakeholders, the industry needs a comprehensive compliance management tool that provides document management, workflow management, task management, personnel management, data collection, aggregation and reporting. The application needs to integrate with existing network devices and monitoring software, using date or event driven triggers for tasks to be done, while maintaining records for work that has already been completed. The tool should provide internal reports from the data as the utility prepares for regulatory reporting and audits. The application should be able to maintain and generate evidence as needed to demonstrate compliance across the organization without sacrificing flexibility or being limited to specific regulations. The application should be as configurable as appropriate for low, medium or high impact utilities, but also simple to use and interpret by the organization on a day-to-day basis.

Figure 2: Software Solution for CIP & 693. Elements shown: Audit Readiness (1-click RSAW generation, workflow templates, workflow automation, seamless system integration, change management, compliance rules); Evidence Management (automatic document review schedules, document version control and history); Compliance Status & Updates (pre-configured and customized compliance dashboards, standards updates management); Compliance Knowledge Management (workflow with task guidance, data repository, automated notifications); Self Certification (automated RSAW generation process, review and approval tracking).

The elements of a compliance management solution are shown in Figure 2. Each of these elements should be considered when evaluating an automated solution. Several toolset categories need to be considered, including the management of cyber asset configurations, logging and alerting based on cyber asset monitoring, access control to electronic and physical assets, documentation management, and a repository that collects and manages the data for the eventual audit package output.

Solution Selection

When selecting an automated solution, companies must first fully understand their core business needs and evaluate which needs are effectively met by each application or software product. It is generally helpful to consider a few scenarios as you develop your business needs. Below is a basic list of requirements that should be considered when evaluating a product.

The Right Automated Solution Will:
- Leverage your existing IT infrastructure
- Integrate with your existing compliance toolsets
- Be capable of on-premise or hosted (cloud) implementation for low impact utilities
- Be highly configurable but simple to use, requiring an in-house User Admin (not a software supplier) for customization
- Be cost effective
- Simplify the compliance management process and reduce compliance management personnel hours
- Generate the final copy of completed reports to be submitted to regulatory bodies
- Provide task escalation and workflow calendaring
- Provide post-implementation customer service and technical support for upgrades and unforeseen issues
- Allow for easy integration into existing applications (e.g. Tripwire, Industrial Defender, SAP)
- Allow for migration from test to production instances without major reconfiguration, excessive conversion costs, or data/functionality loss
- Have published minor and major release schedules and processes for updating with hot fixes or critical code issues

Successful Deployment

Once a solution has been selected, an implementation process must be defined. This includes identifying the participants and stakeholders, the time allocation of the appropriate resources, and an implementation timeline with defined milestones and support from the “Kickoff” to “Go-Live”.

Figure 3 provides a high-level outline of the major steps for implementing a compliance solution.

Figure 3: Implementation of compliance management software. Phases: Platform Deployment, NERC Controls, User Acceptance Testing, Training, Go-Live, Transition to Support. Steps: Kickoff Project, Create Site (Install), Orientation & Requirements, Design & Approval, Configuration & Review, Integration Configuration, Training, Testing, Refine Configuration, End User Training, Administrator Training, Support Training, Go-Live Support, Project Post Mortem, Introduce Support Team.

Conclusion

Compliance requirements behind NERC CIP and other regulatory standards present significant challenges for companies. The acquisition of appropriate subject matter expertise, coupled with a solid compliance management process managed by software, can make the process more reliable in a cost effective and timely manner. By highlighting some of the key processes involved, it is our hope that we can assist companies (whether low, medium or high impact) in identifying their “pain points”, evaluating tools and finding the most cost effective, scalable and effective solution to meet their compliance needs.

Sample Implementations

Compliance solutions have been successfully implemented at a number of utilities.

Reduction of potential violations: A large utility in the Midwest completed an audit where 17 potential violations were identified. SigmaFlow’s NERC Compliance Solution was implemented and Change Management, Baseline Validation and RSAW generation capabilities were configured. The potential violations were reduced to 4 prior to the next audit.

Customer Testimonials

“…the SigmaFlow solution helped us reduce our RSAW production development time from 2000 hours per year to less than 200 hours per year.”

“…what a life-saver. I was able to pull additional evidence requests during our audit in a matter of minutes!”

“SigmaFlow is a real time saver and support is awesome”

About 3Sys and SigmaFlow

SigmaFlow is a leading provider of Process Execution solutions. The company’s NERC Compliance Solution is a real-time, evidentiary based software solution that solves the challenges of CIP & 693 Compliance. The SigmaFlow Compliance Solution manages all documents, data and work activities while automatically collecting and building the evidence for NERC compliance in a real-time repository. SigmaFlow products place a strong emphasis on embedding domain knowledge through a process-driven, template-based architecture. SigmaFlow is headquartered in Plano, Texas.

3Sys is a compliance management firm that provides hands-on support to the Energy Industry. Expertise includes NERC regulatory requirements for critical infrastructure protection (CIP), physical and electronic security, implementation and support of compliance workflow tracking applications, and enterprise compliance program management. 3Sys differentiates itself in the market by actually performing the regulatory management tasks versus only providing consulting on how tasks must be performed. 3Sys staff implement, integrate, support and maintain compliance programs in conjunction with client staff. 3Sys Corp is headquartered in Portland, Oregon.

For more information about our products and services visit our website(s) or contact us: sigmaflow.com
To learn more, contact us at 972.826.4350 or visit sigmaflow.com
