SANS Industrial Control Systems Security Blog

NERC CIP is hard!

If you are a CIP practitioner responsible for developing or maintaining a NERC CIP compliance program you know how tough a job that really is - there is just no denying that NERC CIP is hard! I've been there and I know first-hand the challenges of keeping the wheels on the CIP train all rolling in the same direction. Even with an established compliance program, there are so many moving parts and so many opportunities to fall out of compliance that it can quickly become overwhelming. I found that just staying abreast of standards in development and analyzing them to determine the potential implications to an organization can be a full-time job.

One area that I find many entities struggling with is maintaining a CIP-004 R2 training program that is current and relevant. With CIP Version 5 becoming enforceable on April 1, 2016, that challenge just got a whole lot bigger! Earlier versions of the CIP standards required that persons with authorized cyber or unescorted physical access to in-scope cyber assets be trained on four topic areas. In CIP Version 5, depending on how you read the standards and the Guidelines and Technical Basis section of CIP-004-5.1, there are as many as 49 topic areas that your training program must cover. And if that isn't tough enough, CIP-003-6 which is pending FERC approval more clearly details additional security awareness training requirements for persons with access to Low Impact BES Cyber Systems.

While there isn't much I can do to help with that rogue employee who just propped your transmission control room door open with a chair or that person who just left your PSP without signing out of your visitor log book, I do have some good news!! Here at SANS we've been hard at work to make achieving compliance with the NERC CIP V5 training requirements a whole lot easier. We've developed a NERC CIP V5 computer based training program consisting of 12 modules that address the 49 required topic areas plus an overview module on CIP-014-1 physical security. The modules were developed by SANS with input from an Advisory Board consisting of CIP practitioners from electric utilities, Independent System Operators and a former NERC auditor. Each module uses industry relevant imagery, includes an optional 5-question quiz, and provides an opportunity to link to your internal cyber security policies and procedures. When combined with our Securing the Human End User Awareness modules that address the requirements of CIP-004-5.1 R1 and CIP-003-6 R2, we think you'll agree that SANS has got your NERC CIP training requirements covered. So go ahead and take that long weekend on the beach this summer knowing that your NERC CIP Version 5 compliance challenge just got easier!

To learn more about the SANS CIP Version 5 CBT offering, join me and my colleagues Mike Assante and Tim Conway for a free webcast on July 15, 2015 where we'll continue the discussion about the challenges and strategies of NERC CIP Version 5 Training or for a sneak peek at the program and a full-length sample, visit:

Ted GutierrezBio: Ted Gutierrez, CISSP, GICSP, and GCIH, is the ICS & CIP Product Manager at the SANS Institute. Ted was formerly the Director of Operations Technology & NERC Compliance at Northern Indiana Public Service Company (NIPSCO)