What You Will Learn
The five-day ICS456: Essentials for NERC Critical Infrastructure Protection empowers students with knowledge of the what and the how of the version 5/6/7 standards. The course addresses the role of the Federal Energy Regulatory Commission (FERC), North American Electric Reliability Corporation (NERC), and Regional Entities, provides multiple approaches for identifying and categorizing BES Cyber Systems, and helps asset owners determine the requirements applicable to specific implementations. Additionally, the course covers implementation strategies for the version 5/6/7 requirements with a balanced practitioner approach to both cybersecurity benefits, as well as regulatory compliance.
This course goes far beyond other NERC Critical Infrastructure Protection (CIP) courses that only teach what the standards are by providing information that will help you develop and maintain a defensible compliance program and achieve a better understanding of the technical aspects of the standards. Our 25 hands-on labs utilize three provided virtual machines that enable students to learn skills ranging from securing workstations to performing digital forensics and lock picking. Our students consistently tell us that these labs reinforce the learning and prepare them to do their jobs better.
You Will Learn:
- BES Cyber System identification and strategies for lowering their impact rating
- Nuances of NERC defined terms and CIP standards applicability and how subtle changes in definitions can have a big impact on your program
- The significance of properly determining Cyber System impact ratings and strategies for minimizing compliance exposure
- Strategic implementation approaches for supporting technologies
- How to manage recurring tasks and strategies for CIP program maintenance
- Effective implementations for cyber and physical access controls
- How to breakdown the complexity of NERC CIP in order to communicate with your leadership
- What to expect in your next CIP audit, how to prepare supporting evidence, and how to avoid common pitfalls
- How to understand the most recent Standards Development Team's (SDT) efforts and how that may impact your current CIP program
Syllabus (31 CPEs)Download PDF
A transition is underway from NERC CIP programs that are well defined and understood to a new CIP paradigm that expands its scope into additional environments and adds significantly more complexity. On day 1, students will develop an understanding of the electric sector regulatory structure and history as well as an appreciation for how the CIP Standards fit into the overall framework of the reliability standards. Key NERC terms and definitions related to NERC CIP are reviewed using realistic concepts and examples that prepare students to better understand their meaning. We will explore multiple approaches to BES Cyber Asset identification and learn the critical role of strong management and governance controls. We'll also examine a series of architectures, strategies, and difficult compliance questions in a way that highlights the reliability and cybersecurity strengths of particular approaches. Unique labs will include a scenario-based competition that helps bring the concepts to life and highlights the important role we play in defending "the grid."
- Regulatory History and Overview
- NERC Functional Model
- NERC Reliability Standards
- CIP History
- Terms and Definitions
- CIP-002: BES Cyber System Categorization
- CIP-003: Security Management Controls
Strong physical and cyber access controls are at the heart of any good cybersecurity program. On day 2 we move beyond the what of CIP compliance to understanding the why and the how. Firewalls, proxies, gateways, IDS, and more - you'll learn where and when they help as well as practical implementations to consider and designs to avoid. Physical protection includes more than fences, and you'll learn about the strengths and weaknesses of common physical controls and monitoring schemes. Labs will re-inforce the learnings throughout the day and will introduce architecture review and analysis, firewall rules, IDS rules, compliance evidence demonstration, and physical security control reviews.
- CIP-005: Electronic Security Perimeter(s)
- Interactive Remote Access
- External Routable Communication and Electronic Access Points
- CIP-006: Physical Security of BES Cyber Systems
- Physical Security Plan
- Visitor Control Programs
- PACS Maintenance and Testing
- CIP-014: Physical Security
CIP-007 has consistently been one of the most violated standards going back to CIP version 1. With the CIP Standards moving to a systematic approach with varying requirement applicability based on a system impact rating, the industry now has new ways to design and architect system management approaches. Throughout day 3, students will dive into CIP-007. We'll examine various Systems Security Management requirements with a focus on implementation examples and the associated compliance challenges. We'll also cover the CIP-010 requirements for configuration change management and vulnerability assessments that ensure systems are in a known state and under effective change control. We'll move through a series of labs that reinforce the topics covered from the perspective of the CIP practitioner responsible for implementation and testing.
- CIP-007: System Management
- Physical and Logical Ports
- Patch Management
- Malicious Code Prevention
- Account Management
- CIP-010: Configuration Change Management and Vulnerability Assessments
- Change Management Program
- Baseline Configuration Methodology
- Change Management Alerting/Prevention
Education is key to every organization's success with NERC CIP, and ICS456 graduates will be knowledgeable advocates for CIP when they return to their place of work. Regardless of their role, students can be a valued resource to their organization's CIP-004 training program and the CIP-011 information protection program. Students will be ready with resources for building and running strong awareness programs that reinforce the need for information protection and cybersecurity training. On day 4, we'll examine CIP-008 and CIP-009, covering identification, classification communication of incidents, and the various roles and responsibilities needed in an incident response or a disaster recovery event. Labs will introduce tools to ensure file integrity and the sanitization of files to be distributed, how to best utilize and communicate with the E-ISAC, and how to preserve incident data for future analysis.
- CIP-004: Personnel and Training
- Security Awareness Program
- CIP Training Program
- PRA Evaluation Process
- CIP-011: Information Protection
- Information Protection Program
- Data Sanitization
- CIP-008: Incident Reporting and Response Planning
- Incident Response Plan/Testing
- Reporting Requirements
- CIP-009: Recovery Plans for BES Cyber Systems
- Recovery Plans
- System Backup
On the final course day students will learn the key components for running an effective CIP compliance program. We will review the NERC processes for standards development, violation penalty determination, Requests for Interpretation, and recent changes stemming from the Reliability Assurance Initiative. Additionally, we'll identify recurring and audit-related processes that keep a CIP compliance program on track: culture of compliance, annual assessments, gap analysis, TFE's, and self-reporting. We'll also look at the challenge of preparing for NERC audits and provide tips to be prepared to demonstrate the awesome work your team is doing. Finally, we'll look at some real-life CIP violations and discuss what happened and the lessons we can take away. At the end of day 5, students will have a strong call to action to participate in the on-going development of CIP within their organization and in the industry overall as well as a sense that CIP is do-able! Labs on day 5 will cover DOE C2M2, audit tools, and an audit-focused take on a "blue team - red team" exercise.
- CIP Processes for Maintaining Compliance
- Preparing for an Audit
- Audit Follow-Up
- CIP Industry Activities
- Standards Process
- CIP of the Future
GIAC Critical Infrastructure Protection
"The bulk electric system or "the grid" is arguably the most critical of the critical infrastructures demanding that personnel charged with supporting it, understand the impact of their actions and inactions with regard to system reliability, safety and security. The GIAC Critical Infrastructure Protection will help validate that the professionals who access, support and maintain the critical systems that keep the grid running have an understanding of the regulatory requirements of NERC CIP as well as practical implementation strategies to achieve both regulatory compliance and its cyber security objectives." -Ted Gutierrez, co-author of SANS ICS456: Essentials for NERC Critical Infrastructure Protection
BES cyber system identification and strategies for lowering their impact rating
Nuances of NERC defined terms and CIP standards applicability
Strategic implementation approaches for supporting technologies
Recurring tasks and strategies for CIP program maintenance
NOTE: It is critical that students have administrator access to the operating system and all security software installed. Changes may need to be made to personal firewalls and other host-based software in order for the labs to work.
- 64-bit system
- Laptop with latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
- Laptop with at least one USB port
- Laptop must include wireless capabilities
- Ability to update BIOS configuration settings to enable virtualization (VT) support
- VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
- Ability to disable all security software on your laptop, including antivirus and/or firewalls
- At least 100 GB of hard-drive space
- At least 8 GB of RAM
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"The SANS ICS456: NERC Critical Infrastructure Protection Essentials course was developed by SANS ICS team members with extensive electric industry experience, including former Registered Entity Primary Contacts, a former NERC officer, and a Co-Chair of the NERC CIP Interpretation Drafting Team. Together the authors bring real-world, practitioner experience gained from developing and maintaining NERC CIP and NERC 693 compliance programs and actively participating in the standards development process."
- Tim Conway and Ted Gutierrez