This is part 4 in a series of posts designed to get you and your organization up to speed on the changes the NERC CIP v5 updates will bring. You can find the previous post in this series, Are You Ready for NERC CIP Version 5? Part Three: CIP 005-5, here.
Change is on the horizon: as of April 1 of this year, the utilities and other registered entities that operate the bulk electric system (BES) and the cyber assets connected to it must comply with the version 5 CIP standards approved by the Federal Energy Regulatory Commission and enforced by the North American Electric Reliability Corporation. (This post calls those entities "responsible entities," the term the standards use; NERC itself is the Electric Reliability Organization, or ERO.)
A modern electrical grid, advanced though it may be, is still susceptible to modern threats. Moreover, the remote configuration and management capabilities attached to the many devices that make up the grid can do more than ever before, which means an unauthorized or untested configuration change can do real damage to service. In response, NERC sets a straightforward baseline standard for configuration management that every responsible entity must meet.
NERC Critical Infrastructure Protection standard CIP-010, one of the two standards new in version 5 alongside the nine carried over, addresses configuration change management and vulnerability assessment for BES Cyber Systems directly, whereas the other standards we've covered in this series touch on change control only indirectly. What does this new standard have in store for change managers and change advisory boards?
Figuring Out Configuration
CIP-010 R1 requires a documented baseline configuration for each high- and medium-impact BES Cyber System, individually or by group, covering the operating system or firmware, commercially available or open-source application software, custom software, logical network-accessible ports, and applied security patches. The same requirement extends to the associated Electronic Access Control or Monitoring Systems (EACMS), Physical Access Control Systems (PACS) and Protected Cyber Assets (PCAs).
Before launching into a brave new world of change management, responsible entities must first map out these components and how they interrelate, and keep dated evidence of having done so, both for NERC auditors and for the organization's own records.
Auditing Change Management Processes
In CIP-010, NERC examined the typical change management process and introduced safeguards that both ward off unwanted configuration changes and verify the security of the BES Cyber System after changes have been made.
CIP-010 R1 requires that changes be authorized and documented, and that any change deviating from the documented baseline be reflected in an updated baseline within 30 calendar days of completing the change. Before each change, responsible entities must identify which CIP-005 and CIP-007 security controls could be affected; after the change, they must verify those controls are still in place and document the result. For high-impact BES Cyber Systems, NERC goes further and requires the change to be tested first, in a test environment or in production in a manner that minimizes adverse effects, rather than reacting to adverse effects only after they appear.
As for the impact on an IT department, these subsections of CIP-010 put pressure on change managers to tighten their IT service management processes: every change now needs an authorization record, a pre-change control assessment, post-change verification and a baseline update on a fixed clock, while release deadlines don't go away.
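As an added example of how the R1 record-keeping described above can be mechanised (this is illustrative code written for this post, not NERC's or any vendor's tooling): a baseline in the five-element shape R1.1 lists, a function that flags deviations between that baseline and a freshly collected snapshot, and a review of a change record against the 30-calendar-day baseline update and the pre/post control verification. The device name, port list, patch identifiers and change records are constructed sample data, and the ChangeRecord fields are an assumed layout rather than anything the standard prescribes.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Sequence


@dataclass(frozen=True)
class Baseline:
    """The five baseline elements CIP-010 R1.1 lists, for one cyber asset."""
    os_or_firmware: str
    commercial_software: FrozenSet[str]   # commercially available or open-source
    custom_software: FrozenSet[str]
    open_ports: FrozenSet[str]            # logical network-accessible ports, "proto/port"
    security_patches: FrozenSet[str]      # patches applied


SET_ELEMENTS = ("commercial_software", "custom_software", "open_ports", "security_patches")


def diff_baseline(baseline: Baseline, observed: Baseline) -> Dict[str, dict]:
    """Compare a freshly collected snapshot with the documented baseline.

    Returns {} when they match; otherwise one entry per deviating element,
    which is what a change manager needs to decide whether an unauthorized
    change has occurred or the baseline document is simply stale."""
    deviations: Dict[str, dict] = {}
    if observed.os_or_firmware != baseline.os_or_firmware:
        deviations["os_or_firmware"] = {"from": baseline.os_or_firmware,
                                        "to": observed.os_or_firmware}
    for name in SET_ELEMENTS:
        before, after = getattr(baseline, name), getattr(observed, name)
        if before != after:
            deviations[name] = {"added": sorted(after - before),
                                "removed": sorted(before - after)}
    return deviations


@dataclass
class ChangeRecord:
    """Assumed record layout for one baseline change (not prescribed by the standard)."""
    change_id: str
    completed: date
    baseline_updated: Optional[date]    # None if the baseline document was never updated
    controls_identified: Sequence[str]  # CIP-005/CIP-007 controls judged at risk beforehand
    controls_verified: Sequence[str]    # controls verified intact afterwards


def review_change(rec: ChangeRecord, as_of: date) -> List[str]:
    """Findings an internal reviewer would raise against one change record."""
    findings: List[str] = []
    if rec.baseline_updated is None:
        elapsed = (as_of - rec.completed).days
        if elapsed > 30:
            findings.append(f"{rec.change_id}: baseline not updated within 30 calendar days "
                            f"of completion ({elapsed} days elapsed)")
    elif (rec.baseline_updated - rec.completed).days > 30:
        findings.append(f"{rec.change_id}: baseline updated "
                        f"{(rec.baseline_updated - rec.completed).days} days after completion")
    missing = sorted(set(rec.controls_identified) - set(rec.controls_verified))
    if missing:
        findings.append(f"{rec.change_id}: controls not verified after change: "
                        + ", ".join(missing))
    return findings


# Constructed sample data for a hypothetical protective relay; not a real device.
BASELINE = Baseline(
    os_or_firmware="RelayOS 4.2.1",
    commercial_software=frozenset({"hmi-suite 7.1"}),
    custom_software=frozenset({"feeder-poll 1.0"}),
    open_ports=frozenset({"tcp/22", "tcp/502"}),
    security_patches=frozenset({"RelayOS-2015-03", "RelayOS-2015-07"}),
)
# A later snapshot of the same device: telnet has appeared and one patch is gone.
OBSERVED = Baseline(
    os_or_firmware="RelayOS 4.2.1",
    commercial_software=frozenset({"hmi-suite 7.1"}),
    custom_software=frozenset({"feeder-poll 1.0"}),
    open_ports=frozenset({"tcp/22", "tcp/502", "tcp/23"}),
    security_patches=frozenset({"RelayOS-2015-03"}),
)
CHANGE_OK = ChangeRecord("CHG-0042", date(2016, 4, 4), date(2016, 4, 20),
                         ("CIP-005 R1 ESP access", "CIP-007 R1 ports"),
                         ("CIP-005 R1 ESP access", "CIP-007 R1 ports"))
CHANGE_LATE = ChangeRecord("CHG-0043", date(2016, 4, 4), None,
                           ("CIP-007 R1 ports",), ())

if __name__ == "__main__":
    for element, change in diff_baseline(BASELINE, OBSERVED).items():
        print(f"deviation in {element}: {change}")
    for rec in (CHANGE_OK, CHANGE_LATE):
        for finding in review_change(rec, as_of=date(2016, 5, 10)):
            print(finding)
```

The diff deliberately reports both directions for each element: a port that appears (here telnet) is an unauthorized change to chase down, while a patch that disappears may mean a rollback or a stale baseline, and either way the baseline document and the change log should be reconciled before the 30-day clock runs out.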
Evaluating 'Big Picture' Configuration Changes
CIP-010 R3 also requires responsible entities to run vulnerability assessments on BES Cyber Systems and their associated assets with some regularity. At least once every 15 calendar months, they must conduct a paper or active vulnerability assessment of all high- and medium-impact BES Cyber Systems and the associated EACMS, PACS and PCAs. Additionally, for high-impact BES Cyber Systems, at least once every 36 calendar months they must perform an active vulnerability assessment in a test environment or "in a production environment where the test is performed in a manner that minimizes adverse effects." Here too, dated documentation of the assessment, its results and the action plan to remediate findings is necessary for compliance.
Finally, CIP-010 R3.3 specifies that before a new cyber asset is added to a high-impact BES Cyber System's production environment, an active vulnerability assessment of that asset must be performed, so that the new asset doesn't introduce an unexamined weakness. The standard carves out two exceptions: CIP Exceptional Circumstances, and like-for-like replacements of the same type of cyber asset whose baseline configuration models an existing baseline.
NERC CIP-010 shows how vital configuration and change management are to the future of grid security. Once charged mainly with maintaining physical assets, responsible entities and their IT teams must now step up to defend electrical infrastructure in the digital age.