Security Awareness Blog

Ready or not⦠here comes NERC CIP Version 5

Ted GutierrezEditor's Note: Ted Gutierrez is the ICS & NERC CIP Product Manager at the SANS Institute. Below he discusses the impact of NERC CIP Version 5 and how utilities can best prepare for it.

Can you believe it's been nearly four years since the first balloting of NERC CIP Version 5? Those of us who have been on the NERC CIP roller coaster for a while know what a ride it's been! The hairpin twists and turns that these standards have taken and the attempts by both industry and the regulators to explain, interpret and implement has been quite an adventure. Regardless of how you feel about the standards and if they will actually achieve the intended objectives, they are coming!

NERC CIP Version 5 is on track to finally become enforceable on April 1, 2016 for Bulk Electric System owners and operators (a.k.a Responsible Entities) with High and Medium Impact BES Cyber Systems. Entities with only Low Impact BES Cyber Systems are preparing for an April 1, 2017 enforcement date. Most folks I've talked with are still in the process of implementing their CIP V5 projects and are franticly scrambling to complete those projects in time to allow for a ?learning window' that will give new CIP users a chance to adapt to operating under new policies and procedures.

One project that is undoubtedly on every entity's list of CIP V5 projects is the updating or completely replacing of their CIP V3 training program. All earlier versions of the CIP standards included requirements to have a cyber security training program for persons with authorized cyber or unescorted physical access to in-scope CIP assets. But there were only four topics that were required to be covered in the program. Compare that to CIP V5 which greatly expands the training requirements and depending on how you read the standards and the Guidelines and Technical Basis sections, requires training on up to 49 topic areas! Entities are still able to develop a program that identifies training specific to individual roles and responsibilities but are also free to develop a single program for all who need CIP training. Now is a great time for entities to reevaluate their approach to CIP training and to weight the benefits and disadvantages of custom vs. off-the-shelf training and in-house vs. outsourced development.

With these training challenges in mind, we've developed an entirely new CIP V5 computer-based training program that is customizable to help you meet your NERC CIP V5 training requirements. The program consists of 12 modules that address the 49 required topic areas plus an overview module on CIP-014-1 physical security requirements. The modules were developed by SANS with input from an Advisory Board consisting of CIP practitioners from electric utilities, Independent System Operators and a former NERC auditor, were designed to meet most CIP V5 training needs. Each module provides an opportunity to link to your internal cyber security policies and procedures making the program highly customizable.

So with plenty other things to worry about as you prepare for CIP V5 let SANS, the industry leader in cyber security training, make your CIP training requirements one less thing to lose sleep over. To learn more about the SANS CIP Version 5 CBT offering, join me and my colleagues Mike Assante and Tim Conway for a free webcast on July 15, 2015 where we'll continue the discussion about the challenges and strategies of NERC CIP Version 5 Training or for a sneak peek at the program and a full-length sample, visit: http://www.securingthehuman.org/cipv5

BIO: Ted Gutierrez, CISSP, GICSP, and GCIH, is the ICS & NERC CIP Product Manager at the SANS Institute. Ted was formerly the Director of Operations Technology & NERC Compliance at Northern Indiana Public Service Company (NIPSCO) where he was responsible for compliance to NERC 693 and CIP standards and the support of the related operations technology systems. Ted has over twenty-five years of experience working in the electric utility, information technology and manufacturing industries.