Scaling the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance requirements across an enterprise can be daunting. With an ever-expanding list of assets in both IT and OT that need to be accounted for, even the most experienced CISO can become overwhelmed by the complexity of centralizing information across multiple business units. Fortunately, there are solutions that enable information security leaders to centralize and scale NERC CIP compliance across the entire enterprise.
NERC CIP is the set of Critical Infrastructure Protection standards for operating, maintaining, and protecting our Bulk Electric System (BES). As the oldest regulatory agency for our electrical grid, NERC serves as a frontline defense against the catastrophic danger of instability and misuse within the BES. A compromised electric system can have devastating consequences for consumers and operating entities alike.
For many CISOs, the NERC CIP standards are not new. The challenge arises as more and more business-side executives and Boards ask their CISOs to report on enterprise-wide cyber posture for both risk and compliance. Typically, organizations working with NERC communicate directly with FERC to help tailor new regulations to fit their operating model. As such, the processes and workflows these organizations use to satisfy NERC aren't shared publicly, since so much private data is involved. Fortunately, NERC CIP outlines its requirements and is primarily evaluated using a risk-based approach. A risk-based approach to NERC CIP allows for easier visibility when running cyber risk assessments, since the data is not aggregated in one place. It also allows other risk-based frameworks, such as NIST CSF, to act as a measurement tool for satisfying NERC CIP.
For organizations working within the bulk power system, the tools needed to meet the NERC CIP standards are changing. Information security leaders must look beyond meeting the security management controls and be prepared to align their cyber program with the organization's business objectives. This post will examine the critical capabilities of tools that enable security leaders to scale NERC CIP across their enterprises.
The risk and compliance tool you select to help you scale NERC CIP compliance should be capable of acting as a single source of truth for your organization. The fundamental element of NERC CIP compliance is knowing where your assets are and which of them are deemed critical to ongoing operations.
With the rapid convergence of IT and OT (and IIoT), information security teams face an expanding attack surface and new assets they are responsible for tracking and securing. To successfully scale this level of compliance across the organization, spreadsheets or modular GRC solutions are too inefficient. Integrated solutions enable information security leaders in the energy space to store their asset assessment data, both risk and compliance, in one centralized repository, enabling a more holistic approach. CyberStrong's fully integrated platform enables the categorization of IT and OT assets, allowing the assessment and reporting of these assets to be broken down by business unit, location, and asset type.
The single source of truth we outlined in the categorization of assets feeds directly into the planning stages of a NERC CIP cybersecurity assessment. Ensuring that your team is on the same page and that all participants in the assessment understand their role is paramount to a practical and comprehensive NERC CIP assessment. Spreadsheets and modular GRC tools can support the planning stages well enough. However, with spreadsheets you will quickly see version control become an issue. With GRC tools, depending on the configuration of your particular platform, you may find that your teams cannot use the tool given its complexity.
On the other hand, integrated solutions enable organizations to see the entire plan from a single source of truth without having to dig around multiple modules or sift through a plethora of spreadsheets. CyberStrong's collaboration tools include bulk control assignments, asynchronous collaboration notes between the teams responsible for a given assessment, and automated due date follow-ups to streamline the assessment process and help energy risk and compliance teams move faster.
As all CSPs know, any given plan is subject to change (and does change) once the assessment is actually being carried out. Making sure that the tool you use to conduct the assessment can adapt and notify your team of those changes is paramount. Where spreadsheets could get your team through the planning stages, the execution is where their value will truly begin to break down. As the assessment plan begins to shift in practice, risk and compliance leaders must be able to determine accountability at the control level to understand how the project plan is changing. An integrated solution enables this to be tracked more effectively than across modules in a legacy GRC tool.
Finally, once the assessment is completed, the reporting is, in fact, the most critical piece. Most organizations using spreadsheets will spend hours breaking apart the control set and then reassembling it into a single file to report on. This inefficiency costs extra hours and increases the risk of reporting inaccurate data from an outdated version.
Furthermore, with more and more business leaders wanting insight into the organization's cybersecurity posture, information security leaders must be able to present their program data to a broader range of audiences than they have in the past. Creating more reports out of spreadsheets or modular GRC tools drains time and resources. Using an integrated risk-based platform that automatically generates reports from real-time data saves your team time and makes your cybersecurity program data actionable for a broader range of audiences, from business-level stakeholders and C-suite executives to technical CSPs.
With so much at stake for organizations operating within the bulk electric system, protecting critical cyber assets and adopting a risk-based methodology allows your organization to accommodate NERC CIP using a cyber risk management solution like CyberStrong to standardize multiple frameworks. Many framework solutions claim to apply NERC CIP across other business functions to help make informed decisions on resources, but fall short. CyberStrong has the functional flexibility to map the latest version of NERC CIP to NIST CSF controls and allows you to assign relationships between job roles and individuals with Admin, Manager, and Collaborator access levels.
Additionally, CyberStrong can aggregate your compliance requirements from multiple sources using control tagging, so you know in real time which controls satisfy their respective requirements. This, coupled with our patented AI and machine learning, provides threat feeds and remediation suggestions for your organization's needs based on risk and impact.
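To make the two data-model ideas on this page concrete (asset categorization by business unit, location, and asset type from the single-source-of-truth section, and control tagging that lets one internal control satisfy requirements from several frameworks), here is an added, self-contained Python sketch. It is illustrative code written for this post, not CyberStrong's product code or API. The asset names, sites, control ids, and the requirement tags attached to each control are all constructed sample values; the NERC CIP and NIST CSF identifiers used as tags are placeholders for whatever your own crosswalk assigns and are not an authoritative mapping.

```python
"""Illustrative single-source-of-truth model for a NERC CIP assessment.

Assets are categorized on several axes and flagged as critical; internal
controls carry tags naming the framework requirements they satisfy. A
requirement is reported as satisfied only when every control tagged to it is
fully implemented. Constructed example, not vendor code.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_unit: str
    location: str
    asset_type: str   # "IT" or "OT"
    critical: bool    # deemed critical to ongoing operations


@dataclass(frozen=True)
class Control:
    control_id: str
    tags: frozenset   # requirement ids (from any framework) this control satisfies
    status: str       # "implemented", "partial", or "not_implemented"


# Constructed sample inventory; names and sites are invented.
ASSETS = [
    Asset("hist-01", "Generation", "Plant A", "OT", True),
    Asset("hmi-plant-a", "Generation", "Plant A", "OT", True),
    Asset("ad-dc-01", "Corporate", "HQ", "IT", False),
    Asset("scada-fe-02", "Transmission", "Control Center", "OT", True),
    Asset("hr-portal", "Corporate", "HQ", "IT", False),
]

# Constructed sample control set. The requirement ids are illustrative tags
# standing in for your own crosswalk, not an authoritative NERC CIP / NIST CSF mapping.
CONTROLS = [
    Control("AC-01", frozenset({"CIP-005-R1", "PR.AC-5"}), "implemented"),
    Control("CM-01", frozenset({"CIP-010-R1", "PR.IP-1"}), "partial"),
    Control("PM-01", frozenset({"CIP-007-R2", "PR.IP-12"}), "not_implemented"),
    Control("AM-01", frozenset({"CIP-002-R1", "ID.AM-1"}), "implemented"),
]


def critical_assets_by(assets, axis):
    """Count critical assets along one categorization axis
    ("business_unit", "location" or "asset_type")."""
    counts = defaultdict(int)
    for asset in assets:
        if asset.critical:
            counts[getattr(asset, axis)] += 1
    return dict(counts)


def coverage_by_requirement(controls):
    """Invert the control tags: requirement id -> controls tagged to it."""
    index = defaultdict(list)
    for control in controls:
        for req in control.tags:
            index[req].append(control)
    return index


def requirement_status(controls, framework_prefix):
    """Map each requirement whose id starts with framework_prefix to True
    only if every control tagged to it is implemented. Unknown prefixes
    yield an empty dict rather than an error."""
    status = {}
    for req, tagged in coverage_by_requirement(controls).items():
        if req.startswith(framework_prefix):
            status[req] = all(c.status == "implemented" for c in tagged)
    return status


def gaps(controls, framework_prefix):
    """Sorted list of requirements under the prefix that are not yet satisfied,
    i.e. the items a remediation report would surface."""
    return sorted(req for req, ok in requirement_status(controls, framework_prefix).items() if not ok)


if __name__ == "__main__":
    print("critical assets by business unit:", critical_assets_by(ASSETS, "business_unit"))
    print("NERC CIP gaps:", gaps(CONTROLS, "CIP-"))
    print("NIST CSF gaps:", gaps(CONTROLS, "PR."))
```

Because the same `Control` records are tagged with identifiers from both frameworks, a single status update on `CM-01` changes both the NERC CIP and the NIST CSF gap lists at once, which is the practical payoff of tagging controls rather than maintaining one spreadsheet per framework.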