In this fifth blog installment on successfully implementing the NERC CIP Low Impact BES Cyber Systems (BCS) requirements, I’ll cover the two requirements that must be fully implemented by April 1, 2017.
Cyber Security Awareness
For Entities with an existing High/Medium Impact BCS CIP Program, use of that program’s Security Awareness processes will cover the Low Impact requirements with few modifications. While High/Medium awareness programs must be executed quarterly, Low Impact BCS only require the awareness process to be executed once every 15 months. Burns & McDonnell has recommended that Entities follow the quarterly performance to maintain consistency across the enterprise and gain the greatest benefit from regularly presenting the material to employees.
For Entities without an existing CIP program, there are several methods available for establishing an awareness program. First, determine if there is an existing related program outside of CIP that the rest of the organization is already using, one that could be reused as is or modified slightly to meet CIP requirements. If no such program exists, there are many packages and programs available that Entities can purchase to help meet the requirements. Or an Entity can build its own awareness program using a variety of available information.
For Entities with only Low Impact BCS, Burns & McDonnell continues to advise that awareness material be distributed in quarterly performance intervals in order to gain the most benefit and demonstrate to the Region an Entity’s commitment to a secure environment.
Stay tuned for upcoming installments that will provide additional details on security awareness, including methods for delivery.
Cyber Security Incident Response
As noted for Cyber Security Awareness, if an Entity has an existing High/Medium Impact BCS program, use of the CIP-008-5 Cyber Security Incident Response Plan will cover the Low Impact requirements. There are some differences between the High/Medium and Low Impact requirements that should be reviewed and understood, but Burns & McDonnell recommends that the Low Impact Plan mirror the High/Medium Impact Plan performance requirements to maintain consistency across the enterprise. Either the existing CIP-008-5 Plan should be updated to clearly reference the Low Impact requirements and how that plan handles them, or a specific Low Impact Plan should be created that maps the Low Impact requirements to the CIP-008-5 Plan processes, so that audit teams can understand how the Low Impact CIP-003-6 requirements are handled.
There are several approaches that Entities without existing CIP programs can take to establish an incident response plan. First, determine if there is a related plan already in place for the rest of the organization that can be repurposed as is, or modified as necessary to meet the requirements. If an existing plan is not available, peer Registered Entities may be willing to share their plans, insurance carriers may have plans available that can serve as a starting point, packages can be purchased and adapted to meet the requirements, or an Entity can build its own using freely available information.
Keep an eye out for upcoming blog posts that will highlight details on incident response, including the six Low Impact requirements and how they can map to the processes in a High/Medium Impact plan.
As noted in the first and third articles in this series, the Low Impact Cyber Security Awareness and Cyber Security Incident Response Plans must be in place by April 1, 2017. It is recommended that the first awareness information be delivered to in-scope personnel, and that testing of the incident response plan be completed, before April 1, 2017.
If you have any questions on how to approach the Low Impact Cyber Security Awareness and Cyber Security Incident Response requirements, Burns & McDonnell recommends that Entities contact internal company resources who may have processes that can be reused, consult peer Registered Entities, or review the information in the Additional Information section. Burns & McDonnell, backed by our years of experience with the CIP Standards, is also able to assist Entities with High, Medium and Low Impact BCS CIP Program implementations.
The following information may be of assistance in your Low Impact BCS research and implementation efforts:
- My previous posts in the NERC CIP Low Impact Requirement series: Introduction to NERC CIP Low Impact Requirements; Cultural Change; Policy, Plans, Processes and Procedures; and Inventory or Not
- Burns & McDonnell will host our second annual Power Utility Security & Compliance Symposium August 8-9, 2016, which will cover several subjects related to Low Impact BCS.
- Planning Your Awareness Program from the SANS Institute's Securing the Human division
- The National Institute of Standards and Technology's (NIST) Computer Security Incident Handling Guide, or the CERT Coordination Center's Creating a Computer Security Incident Response Team (CSIRT)
Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.