Architecture Plays a Key Role in NERC CIP Compliance
If you have been involved with a utility’s compliance efforts associated with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, you understand that documentation is everywhere. Nearly every aspect of the NERC CIP standards starts with the requirement of documenting a procedure, process, or plan of some sort and utilities have spent considerable time and resources developing and maintaining documentation to support NERC CIP compliance efforts. While there is much focus on the NERC prescribed documentation, there is another aspect of documentation that plays a key role in a utility’s overall success in achieving and maintaining compliance with NERC CIP standards. One that is not required by the NERC CIP standards and is therefore easy to overlook and underestimate the significant value it provides. This aspect focuses on documentation of the underlying architectural models and principals that serve as a basis for decisions which need to be made regarding numerous interrelated elements that make up the end-to-end system.
So why aren’t the procedures, processes, or plans prescribed by the NERC CIP standards enough? To start with, most NERC CIP documentation is typically developed by utilities in such a way as to be very basic and not overly expose them to the risk of being non-compliant. This documentation is also mostly focused on the operating aspects of the critical utility IT/OT infrastructure and doesn’t provide the needed details to support planning and engineering decision-making to the extent necessary.
The main need is to create a common understanding and end-to-end picture for the various utility groups (OT, IT, compliance, etc.) involved in the entire lifecycle of this infrastructure. Something that is becoming especially important as technology and systems evolve outside of the control center environment, such as transmission substations, where the use of non-routable solutions provided some degree of insulation in the past from the bulk of the NERC CIP requirements. Here, the focus of the effort often turned toward things such as documenting how legacy systems in substations were exempt (in v3) or that the minimal requirements applied (in v5) by the use of non-routable communications to the cyber assets covered by the NERC CIP standards. But this world is changing, and utilities may find that as communications technologies evolve within their environments, things may not be as straight forward as they once were. Without a common picture and end-to-end perspective, what might seem to be a simple change or evolution in the overall system may ultimately result in major compliance implications if certain thresholds are triggered inadvertently (such as external routable connectivity). As most utilities have multiple groups involved in non-control center areas, a lack of a common understanding increases the likelihood that the impact of any system change to the utility’s overall compliance obligation may go undetected until after the updated systems are placed into production potentially leading to an audit finding or self-report. Documenting the utility’s NERC CIP architecture is a key to addressing this risk.
When developing the communications and cyber architecture for a utility’s NERC CIP program, it’s important to note that this is not documentation that is prepared as compliance evidence or intended to be provided to an auditor. It’s meant to be an internal tool for the utility. A tool that provides benefits such as:
- Establishing an “acceptable/approved” catalog of system architecture scenarios that have been vetted ahead of time against the utility’s NERC CIP strategy. This allows engineering and maintenance resources to evolve, modify and/or update deployed systems as long as any changes that are being made can be mapped back to an approved architecture scenario.
- Articulating utility specific interpretations and positions, especially in areas where the NERC CIP requirements lack clarity or clear guidance on applicability to newer technology.
- Providing guidance to internal organizations clarifying how the NERC CIP requirements are applicable for the various devices within the system architecture scenarios.
- Facilitating an understanding of dependencies (often hidden) between systems and elements to maintain a compliance posture.
The big challenge is that this must be a continuing effort. Once developed, impacts of system changes and technology evolution to the architecture must be evaluated on an ongoing basis. Many times, we see cases where there is a huge up-front effort (often project driven by a specific compliance deadline) to develop technical solutions to meet the various CIP standards as they are updated, approved and become effective, but the back-end process of maintaining and evolving the solution does not have the same focus.
Want to know more about how EnerNex can support your NERC CIP compliance efforts? Feel free to contact me at firstname.lastname@example.org to discuss. EnerNex is uniquely qualified to assist you as our staff has decades of experience in NERC CIP, cyber security, utility automation, IT, OT, and communications systems.