An Introduction to NERC CIP Compliance and Identity & Access Management Technologies
For professionals who work in Information Security (InfoSec) within the Energy sector, NERC (the North American Electric Reliability Corporation) is simply a part of everyday life. NERC is a self-regulatory, non-government organization which has statutory responsibility to regulate bulk power system users, owners, and operators through the adoption and enforcement of standards for fair, ethical and efficient practices, to ensure that the nation's power grid is properly secured. One such standard is the CIP (Critical Infrastructure Protection) standard.
What does that mean for a CISO of an energy company?
It means spending a lot of time becoming familiar with the pages of NERC CIP standards 001-009 (and their various interpretations), which cover all types of information security controls such as electronic security perimeters, physical security perimeters, asset identification, and incident reporting and response. It also means sifting through a multitude of software vendors and their promises of easing the burden of demonstrating compliance. Add to that the pressure of million-dollar fines for non-compliance, and you've got a recipe for confusion and stress.
After helping a number of companies on this path through our Identity Management Workshops, we at Identropy have noticed patterns emerging in how organizations address the NERC CIP standards, particularly with Identity & Access Management (IAM) technologies.
What are auditors looking for?
Based on anecdotal evidence from our existing clients, auditors (and pre-auditors) are at this point looking for a logical approach and plan towards compliance, as well as practical, demonstrable steps. We don't believe that it is mandatory, as of today, that any corporation has a fully functioning and integrated automated solution that comprehensively addresses the NERC CIP standards.
Obviously, an approach or plan is much more than simply providing the auditor a list of technologies that will be purchased and implemented. It should include your interpretation of the standards, as well as a logical approach to how that interpretation applies to your specific infrastructure. Once you have clearly documented your interpretation of the standards (which may break down each CIP standard, all related requirements, and all control activities associated with each requirement), you can start looking at technologies and how they fit your organizational infrastructure and help you automate the specific controls within your environment.
Is documentation enough?
Of course not. Once you've boiled all requirements down to a set of control activities, the endeavor of applying technology to the problems can finally begin. Having been personally involved with a number of workshops with Energy clients, we have seen certain technology patterns begin to emerge. Some technologies can provide quick wins, while others require more planning and development.
The good news is that IAM solutions can significantly help address NERC CIP-specific requirements in an expedient and efficient manner. In future posts, we'll dive a bit deeper into each of these categories and present a mixture of process and IAM technologies as a suggested means of demonstrating compliance, specifically with NERC CIP-004 (Personnel & Training) and NERC CIP-007-1 R5 (Account Management).