NERC CIP Compliance Task List

Editor's Note: Today's guest blog is published by Ted Gutierrez, CISSP, GICSP, and GCIH, is the ICS & NERC CIP Product Manager at the SANS Institute and co-author of SANS ICS456 - Essentials for NERC CIP.

Anyone familiar with the NERC Critical Infrastructure Protection (CIP) standards is painfully aware that July 1, 2016 is a huge milestone.  It’s the enforcement date for the NERC CIP Version 5/6 Standards and represents a final departure from the NERC CIP of yesteryear.  Goodbye Risk-based Asset Methodology, Critical Assets, and Critical Cyber Assets.  Hello Impact Rating Criteria, BES Cyber Assets, and BES Cyber Systems! A lot has changed and NERC CIP compliance teams across North America will always remember July 1, 2016 and how they raced to complete implementations and finalize needed documentation.  I think you actually have to have been through the experience in order to fully appreciate just how much work was involved.  Only the implementation of the NERC CIP Version 1 Standards and the efforts required to meet its staggered implementation schedule could compare. While the efforts involved in achieving compliance at your entity were no doubt massive, I honestly believe that the real challenge is just beginning and lies in the on-going maintenance of your compliance program.

NERC CIP Compliance Task List

There are so many moving parts in these standards.  We now have different requirements and requirements parts applying to different BES Cyber Systems based on system impact rating.  We have tasks that are required on varying cycles including 15 calendar days, 35 calendar days, calendar quarter, 15 calendar months, 24 calendar months, 36 calendar months, and 7 years.  Additionally, there are a lot of monitoring activities that need to occur continuously and some tasks that are event driven and only required on an as-needed basis.  Because each task cycle begins when the previous cycle ends, it’s possible that over time every BES Cyber System could be on a different cycle.  Keeping track and achieving of all of this will be a monumental task that exceeds the effort of achieving compliance.

NERC CIP Security Training by SANS

At SANS we recognize the challenge of running a NERC CIP program that achieves the compliance requirements as well as the desired cybersecurity objectives.  To help in that goal, we have developed ICS456: Essentials for NERC Critical Infrastructure Protection, a five day hands-on technical course that is 100% focused on NERC CIP.  One of the many resources we developed for our students is a downloadable infographic that details each of the recurring tasks required to maintain compliance.  We recognize that there are variations based on BES Cyber System impact criteria and that only the smallest of entities will be able to track the tasks without highly automated compliance monitoring systems.  However, we hope that the infographic will serve as a visual reminder of the tasks that need to be tracked as well as a tool to communicate the effort required to those not directly involved in performing the tasks.  We do hope you find the infographic helpful.

Bio: Ted Gutierrez, CISSP, GICSP, and GCIH, is the ICS & NERC CIP Product Manager at the SANS Institute and co-author of SANS ICS456 - Essentials for NERC CIP. Ted was most recently the Director of Operations Technology & NERC Compliance at Northern Indiana Public Service Company (NIPSCO) where he was responsible for compliance to NERC 693 and CIP standards and the support of the related operations technology systems. He has over twenty-five years of experience working in the electric utility, information technology, and manufacturing industries.