Illustration showcasing the levels of the Purdue Model
Blog

What to Expect When You’re Expecting… a NERC CIP Audit

Preparing for a NERC (North American Electric Reliability Corporation) CIP (Critical Infrastructure Protection) audit is no small task. If your company is part of the network of power generation plants and transmission facilities responsible for part of the Bulk Electric System (BES), you’ve probably heard of NERC CIP and its compliance requirements.

Companies that own or operate critical infrastructure assets (including, but not limited to control centers, generating assets, substations, and more) are subject to meeting NERC CIP compliance standards. These cover a range of cybersecurity requirements, including security awareness training, incident response, and more.

We’ve put together a walkthrough of what the compliance timeline looks like, along with brief, easy-to-understand explanations of what each standard is looking for. This information will help your team to be prepared once it’s time for an audit (and since compliance is required, there will be an audit).

Prepping for the NERC CIP Audit

Audits are conducted annually as Regional Entities (the authorities that govern compliance within specific regions across North America) have availability. Larger, more complex environments that play a significant role in the BES are more likely to have formal, in-person audits than smaller co-ops and municipal utilities.

The CIP Evidence Request Tool (ERT) is another way for Regional Entities to gather and review evidence for compliance activities and to be more consistent and transparent in its audit approach. The ERT is also a useful tool in helping organizations fulfill any requests for information more efficiently by understanding what evidence is useful when preparing for the audit.

The ERT has two levels of evidence:

  • Level 1 information is the initial information request, which generally assesses two types of evidence: details associated with CIP Reliability Standards, and general requests for information that the audit team will use to assess compliance (programs, processes, and procedures).
  • Level 2 requests ask for detailed implementation evidence for items specified by the audit team.

It’s also important to note that the ERT utilizes asset classes to organize the evidence that needs to be provided during an audit.

These asset classes include:

  • Cyber Assets: electronic devices, equipment, and systems used to manage & operate the BES.
  • Physical Assets: physical components of the BES, including transformers, transmission lines, and generating units.
  • BES Cyber System Information: Data and information used to manage and operate the bulk electric system, such as system models, network diagrams, and security plans.
  • BES Cyber System Reports: Reports generated by cyber systems such as event logs and incident reports.
  • Access points: Entry and exit points for data into and out of the cyber systems.
  • Vendor remote access: Remote access systems used by vendors and contractors to access the BES.

Familiarity with RSAWs (Reliability Standard Audit Worksheets) and the CIP ERT can facilitate a smooth audit process and ensure your team knows what information and evidence they’ll need to provide throughout the audit.

The NERC CIP Audit Timeline

📅 90 days before the audit, organizations will receive an Audit Notification Letter (ANL). Besides the date, time, and estimated duration of the audit, the ANL will typically include information about the audit team, documentation requirements, logistics, the scope of the audit, and any pre-audit requests for information.

This is a good time to review the scope of the audit to see which systems will be investigated more closely, which will also determine what documentation needs to be gathered to prepare for the formal audit. This is also a good time to assign any roles and responsibilities for team members who are participating in the audit.

📅 60 days before the audit (or in the specified deadline in the ANL), the organization must submit any relevant evidence and documentation for any pre-audit requests for information. What needs to be submitted will vary for each audit, but this could include evidence of compliance for specific standards (security awareness training documentation, access control activity logs, etc), network diagrams or other architectural evidence around IT and OT environments, and more.

📅 30 days before the audit, the Regional Entity will have reviewed anything you’ve submitted and will have responded with any Level 2 requests for information. In some cases, this is the extent of the information gathering process – there might never be an on-site audit. Depending on the information that an organization submits and how large or complex the environment is, the auditing team might decide that a formal audit might not be necessary.

If and when an audit does formally kick off, the auditing team will typically meet with your organization’s representatives to discuss scope, objectives, and the process. This way everyone understands what will be evaluated, how, and the information that will be required. From there, the auditing team will be reviewing documentation, interviewing SMEs, performing technical tests, and more as they gather evidence for compliance with the standards.

The length of an audit typically depends on the complexity of the environment, the quality and organization of the evidence submitted, and other factors. The more rigorously your evidence is documented and packaged, the easier the auditing team’s job will be, which (hopefully) means the audit won’t last any longer than necessary.

📅 30 days after the audit, the organization will receive a draft report with information such as the scope and methodology of the compliance review, audit findings, areas of concern and any evidence of non-compliance.

📅 Within 60 days after the audit (or 30 days after receiving the preliminary report), the organization has an opportunity to respond to any of the findings and recommendations identified in the report. The response should include detailed explanations for steps it has taken or plans to take to address each finding, as well as any details around these actions and the timeline for completion. Any supporting evidence for these future or in progress corrective actions should also be provided.

📅 115 days after the audit (or within 45 days after receiving your response), if the auditing team is satisfied with the response and documentation, the audit will be complete, the organization will be notified, and the final report will be submitted to the NERC Board of Trustees Compliance Committee.

Sometimes, auditors may need additional information or clarification, or they may determine that the corrective actions don’t sufficiently address the findings. If this is the case, the organization may have to provide more information or revise the proposed corrective actions.

What Does Each CIP Standard Mean?

While we’ve compiled the gist of each standard below, it’s always a good idea to look through each requirement and make sure you and your team understand what each requirement is asking for. The information in the “Requirements and Measures” section for each standard will be most helpful, and the NERC Glossary of Terms will keep everyone on the same page.

CIP-002: Critical Cyber Asset Identification. Identify and document any critical cyber assets associated with the BES.

CIP-003: Security Management Controls. Establish, implement, and document a security management program for your critical cyber assets.

CIP-004: Personnel and Training. Organizations should have a personnel risk assessment program, personnel security training program, and access controls to ensure that team members who require access to critical cyber assets are identified, trained, and have the necessary clearances.

CIP-005: Electronic Security Perimeter(s). Establish and maintain one or more Electronic Security Perimeters (ESPs) to protect any BES cyber assets by preventing unauthorized physical and/or logical access, as well as to monitor and log activity at the ESPs.

CIP-006: Physical Security of Critical Cyber Assets. Develop and implement a physical security program for critical cyber assets.

CIP-007: System Security Management. Define methods, processes, and procedures for securing and maintaining the reliability of BES cyber systems.

CIP-008: Incident Reporting and Response Planning. Requires responsible entities to develop and implement incident response plans to detect, respond to, and recover from cybersecurity incidents.

CIP-009: Recovery Plans for Critical Cyber Assets. Requires responsible entities to develop and implement recovery plans for their critical cyber assets that can be used to restore them to a secure and operational state after a disruption.

CIP-010: Configuration Change Management and Vulnerability Assessments. Establish and maintain procedures to manage changes to BES cyber system configurations, conduct regular vulnerability assessments, and track and remediate identified vulnerabilities.

CIP-011: Information Protection. Requires responsible entities to establish and maintain a program to protect BES Cyber System Information by implementing one or more of the specified protections.

CIP-012: Cyber Security Incident Response. Create and implement a Cyber Security Incident Response Plan to address any incidents that could impact the reliable operation of the BES.

CIP-013: Supply Chain Risk Management. Develop and implement a plan for managing the risks associated with the use of supply chain vendors and related third-party services.

CIP-014: Physical Security. Develop and implement a physical security plan for high-impact BES Cyber Systems that includes security controls to protect against physical security threats.

Take a Deep Breath and Push Forward

It feels like there’s an overwhelming amount of work that goes into preparing and executing a NERC CIP audit. Remember: the goal of the audit is to provide evidence that shows your compliance and identify areas for improvement.

As long as you keep up with maintaining your documentation, gather your evidence early, seek help where you need it and follow a solid process. Just follow the steps, and focus on making your evidence clear and easy to understand; it’s nothing your team can’t handle!