Editor's Note: Today's guest blog is published by Ted Gutierrez, CISSP, GICSP, and GCIH, the ICS & NERC CIP Product Manager at the SANS Institute and co-author of SANS ICS456 - Essentials for NERC CIP.
The July 1, 2016[1] enforcement date for what is commonly referred to as CIP Version 6 is right around the corner. Compliance teams across North America have been planning for this date for years now. Budgets were set, project plans developed, personnel were hired, BES Cyber Assets were identified, networks were re-architected, and cyber/physical controls were implemented. Whew! It’s time to rest now ... well, maybe not.
Much attention has been focused on implementing needed security measures to provide for cyber and physical security of the Cyber Assets essential to the operation of the Bulk Electric System or “the grid.” However, in some cases the same level of attention hasn’t been given to the less sexy parts - specifically the required policies, plans, and training programs which in most cases must also be in place by the same enforcement date.
An area that Registered Entities need to verify readiness for involves the changed requirements for the Cyber Security Training Program. Version 6 of the CIP-004 Personnel & Training standard was approved by FERC in January 2016, superseding version 5, and includes expanded training requirements. Specifically, it now requires the training program to include cyber security risks associated with Transient Cyber Assets and Removable Media. While not a significant change, it’s a detail that could be easily missed, resulting in expensive and time-consuming enforcement actions. Entities that developed their own training program based on CIP-004 version 5 may need to make some adjustments.
At SANS, we completed a thorough review of our entire CIPv5 CBT training program to ensure we addressed the changes in CIP-004 version 6 and to ensure consistency across the entire training program. We’ve addressed the risks of Transient Cyber Assets and Removable Media, adjusted future-tense references to “CIP version 6,” and removed all unneeded references to “CIP version 5.” The updated program, which we’ve renamed CIP Cyber Security Training, will be available to current and new customers beginning on June 5th.
Another change in CIP version 6 which will impact your training program involves CIP-003-6 Attachment 1, which provides more detail for the Cyber Security Awareness training required for personnel with access to Low Impact BES Cyber Systems. Fortunately, these requirements don’t become enforceable until April 1, 2017, and future blogs will address ways to comply. In the meantime, check out this month’s SANS Securing the Human video-of-the-month, which covers the benefits and the risks associated with the interconnectedness of systems critical to operating the electric grid, or visit the STH product page to learn more about the SANS CIP Cyber Security Training program.
[1] July 1, 2016 is the enforcement date for the US, but Canadian provinces have varied implementation schedules, with provincial regulators having ultimate authority for monitoring and enforcing compliance in most provinces.
Bio: Ted Gutierrez, CISSP, GICSP, and GCIH, is the ICS & NERC CIP Product Manager at the SANS Institute and co-author of SANS ICS456 - Essentials for NERC CIP. Ted was most recently the Director of Operations Technology & NERC Compliance at Northern Indiana Public Service Company (NIPSCO) where he was responsible for compliance to NERC 693 and CIP standards and the support of the related operations technology systems. He has over twenty-five years of experience working in the electric utility, information technology, and manufacturing industries.