NERC CIP Low Impact Requirements — Security Awareness & Incident Response

In this fifth blog installment on successfully implementing the NERC CIP Low Impact BES Cyber Systems (BCS) requirements, I’ll cover the two requirements that must be fully implemented by April 1, 2017.

Cyber Security Awareness

For Entities with an existing High/Medium Impact BCS CIP Program, use of that program’s Security Awareness processes will cover the Low Impact requirements with few modifications. While High/Medium awareness programs have quarterly execution requirements, Low Impact BCS only require the execution process once every 15 months. Burns & McDonnell has recommended that Entities follow the quarterly performance to maintain consistency across the enterprise and gain the greatest benefits from regularly presenting the material to employees.

For Entities without an existing CIP program, there are several methods available for establishing an awareness program. First, determine whether a related program already exists outside of CIP that the rest of the organization is using, one that could be reused as is or modified slightly to meet the CIP requirements. If no such program exists, there are many packages and programs available that Entities can purchase to help meet the requirements. Alternatively, an Entity can build its own awareness program using the variety of information that is freely available.

For Entities with only Low Impact BCS, Burns & McDonnell continues to advise that awareness material be distributed in quarterly performance intervals in order to gain the most benefit and demonstrate to the Region an Entity’s commitment to a secure environment.

Stay tuned for upcoming installments that will provide additional details on security awareness, including methods for delivery.

Cyber Security Incident Response

As noted for Cyber Security Awareness, if an Entity has an existing High/Medium Impact BCS program, use of the CIP-008-5 Cyber Security Incident Response Plan will cover the Low Impact requirements. There are some differences between the High/Medium and Low Impact requirements that should be reviewed and understood, but Burns & McDonnell recommends that the Low Impact Plan mirror the High/Medium Impact Plan performance requirements to maintain consistency across the enterprise. Either update the existing CIP-008-5 Plan to clearly reference the Low Impact requirements and how that plan handles them, or create a specific Low Impact Plan that maps the Low Impact requirements to the CIP-008-5 Plan processes, so that audit teams can see how the Low Impact CIP-003-6 requirements are handled.

There are several approaches that Entities without existing CIP programs can take to establish an incident response plan. First, determine whether a related plan is already in place for the rest of the organization that can be repurposed as is, or modified as necessary to meet the requirements. If no existing plan is available, peer Registered Entities may be willing to share their plans, insurance carriers may have plans available that can serve as a starting point, packages can be purchased and tailored to meet the requirements, or an Entity can build its own using freely available information.

Keep an eye out for upcoming blog posts that will highlight details on incident response, including the six Low Impact requirements and how they map to the processes in a High/Medium Impact plan.

Implementation

As noted in the first and third articles in this series, the Low Impact Cyber Security Awareness and Cyber Security Incident Response Plans must be in place by April 1, 2017. It is recommended that the first awareness information be delivered to in-scope personnel, and that testing of the incident response plan be completed, before April 1, 2017.

Assistance

If you have any questions on how to approach the Low Impact Cyber Security Awareness and Cyber Security Incident Response requirements, Burns & McDonnell recommends that Entities contact internal company resources who might have processes that can be reused, consult peer Registered Entities, or review the information listed in the Additional Information section. Burns & McDonnell, backed by years of experience with the CIP Standards, is also able to assist Entities with High, Medium and Low Impact BCS CIP Program implementations.

Additional Information

The following information may be of assistance in your Low Impact BCS research and implementation efforts:

Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.
