The North American Electric Reliability Corporation (NERC) Security Reliability Program (SRP), established in 2010 as the Sufficiency Review Program, provides a review of a registered entity’s security program, including both physical security and cybersecurity. Since the inception of the SRP, NERC has conducted more than 30 SRP visits, which are voluntary and conducted in a non-audit environment. NERC has modified the SRP in recent years to reflect changes in standards, as well as to address emerging security issues. In 2013, the Federal Energy Regulatory Commission (FERC) approved Version 5 of the Critical Infrastructure Protection (CIP) standards, which removes the Risk-Based Assessment Methodology (RBAM) requirement from the CIP standards (effective April 1, 2016). Given these changes, NERC updated the 2014 SRPs to include an expanded scope of issues that pertain to the transition from a Version 3 RBAM approach to a Version 5 bright-line approach, the transition to the new and modified technical requirements contained in the Version 5 CIP standards, and a focus on reviewing the security programs at registered entities. The SRPs will continue to include the following elements: detailed briefs on CIP standards, including the transition to the Version 5 CIP standards; a review of the technical aspects of the requirements; an overview of the Aurora vulnerability; and suggested cybersecurity and physical security best practices.
SRP visits focus on a review of industry’s implementation of security programs in support of the CIP standards. But rather than limiting attention to Version 3 compliance in a retrospective review, the SRP visit also helps registered entities address transitioning from Version 3 to Version 5 in a prospective view. While compliance with Version 3 and its RBAM methodology remains mandatory until March 31, 2016, many registered entities are concerned about how to transition their compliance and security efforts to Version 5 to meet the April 1, 2016, compliance deadline. Version 3 places very few specific or technical requirements on the content of the RBAM, so registered entities are exploring how best to manage the transition process to Version 5 while remaining compliant with Version 3. The SRP is a voluntary program that provides educational and outreach benefits to the registered entity about various Bulk Electric System (BES) industry topics in an open and non-audit environment. Regional Entity representatives are invited to participate in SRP discussions (at the registered entity’s discretion); however, no content from those discussions may be used during a subsequent audit or compliance action unless it represents an imminent threat to the BPS. NERC staff, Regional Entity representatives, and outside consultants sign nondisclosure agreements (NDAs) to ensure strict confidentiality of all discussions and materials. The discussions held during an SRP visit are educational to the registered entity, NERC, and Regional Entity staffs and are intended to equally support infrastructure security efforts and compliance with the CIP standards. Key goals of an SRP visit are to increase the focus on future activities and issues related to compliance initiatives within the CIP standards and to focus on security initiatives at registered entities. The technical and procedural transition from Version 3 to Version 5 continues to be an important component of an SRP visit.
In addition, the visit focuses on implementation approaches to security and compliance. An SRP visit also includes open dialogue with NERC and Regional Entity staff on a variety of security- and standards-related topics of interest to the registered entity. While NERC staff highlights a list of issues to discuss, registered entities are encouraged to develop their own questions or concerns for the SRP. In 2013, some of these discussions focused on specific alternative architectures and technologies, physical security protections, Region-specific issues, the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) portal, recent cyber threats and vulnerabilities, Aurora mitigation efforts, Technical Feasibility Exceptions, facility walk-throughs, and Reliability Standard Audit Worksheets (RSAWs). An SRP visit is not intended to be the complete answer to a CIP compliance program or the implementation of a robust security program, nor is it intended to perform detailed security assessments. An SRP visit is not an audit, and nothing uncovered during an SRP visit can be used in a subsequent compliance finding or enforcement action unless it represents an imminent threat to the BPS. An SRP visit is also not considered to be a substitute for researching and implementing secure and compliant solutions for BES facilities or equipment subject to compliance with the CIP standards. The SRP team may make suggestions or recommendations based on SRP discussions and industry trends, but these suggestions, in isolation, will not guarantee compliance or security. Rather, the registered entity should use these recommendations as starting points for further analysis, discussion, and implementation.
SRP Methodology
The contents of an SRP visit are flexible and are designed to meet the specific needs of a registered entity. SRP visits consist of presentations and discussions selected from a list of both “Core Topics” and “Entity Elective Topics.” The Core Topics are common to all SRP visits, while the Entity Elective Topics may be chosen from a prepared list or may be requested by the registered entity. The specific agenda for the SRP visit is set during the scheduling phase of the process. An SRP visit starts with an opening presentation and introduction from the team, then the registered entity provides a company overview presentation. At the conclusion of each day, the SRP team reviews the progress of the day’s discussions and may provide daily feedback to a registered entity representative. Following the opening presentations, the team and the registered entity participants discuss the Version 5 bright-line criteria, including how the registered entity can migrate from the Version 3 RBAM to the Version 5 bright lines with minimal impact to the registered entity. Following that, the team reviews the Version 5 standards and their potential impacts during the transition process, including a discussion of some technical differences between Version 3 and Version 5. Then, the registered entity receives relevant briefings (e.g., Aurora brief, ES-ISAC portal review, cybersecurity threats and vulnerabilities review, physical security, transition study lessons learned) and engages in a Q&A session. The SRP team encourages registered entity participants to ask questions throughout the entire visit to establish in-depth interactive discussion but allocates time at the end of the SRP to address additional questions. The schedule for an SRP visit is routinely adjusted based on the specific interests the registered entity outlines and to account for the work schedules of various participants.
The schedule and content of the SRP visit are flexible, and the schedule is often modified to meet the specific needs of the registered entity. Schedule adjustments include shortening the SRP visit to one or two days, expanding it to accommodate remote site visits (e.g., transmission station, generating plant), omitting topic areas that are not of interest to the registered entity, or adding topics and discussions that are of particular interest to the registered entity. Specific schedule adjustments are discussed and agreed upon during the SRP visit scheduling process. An SRP concludes with an executive management exit presentation that captures high-level recommendations and SRP review team compliance observations relative to the maturity of the registered entity’s compliance initiatives. The SRP team drafts a brief report (consisting of the responses to the questionnaire and the exit presentation slide deck) and maintains this information for trending and review purposes only.
Core Topics
Technical CIP Review – Overview of the CIP Version 5 standards, including development history, bright lines, technical issues, and ongoing standards development activities.
Reliability Assurance Initiative (RAI) Program – Discussion on the applicability of RAI concepts to the CIP standards.
Physical Security Review – Physical review of control room and, optionally, transmission or generation environments, along with an update on the new physical security standard requirements.
ES-ISAC/Aurora – Update on current cybersecurity and physical security threats, ES-ISAC capabilities, and Aurora mitigation efforts and activities.
Entity Elective Topics
A new feature of the 2014 program is time set aside in the schedule for the registered entity to select presentations from a list of prepared topics. The topics were selected because they were previously raised during Q&A opportunities in prior SRP visits, or they are based on perceived or anticipated questions. While many topics are technical and implementation-focused, others relate to auditing practices and techniques. Still others deal with programs and initiatives that NERC is developing or implementing outside of either a CIP or general audit and enforcement environment. The current list of topics includes:
1. Cloud and virtual environments
2. Current threats and vulnerabilities
3. NERC transition study lessons learned
4. Identifying and responding to cybersecurity incidents
5. Evidence management
6. Test environments
7. NERC Event Analysis and cause coding
8. Enterprise vs. operations security
9. Physical security best practices
10. Cyber vulnerability assessments
11. Password best practices
12. Firewall review process
13. Patch management
14. Internal auditing and risk management
15. Sampling methodologies
16. Generally Accepted Government Auditing Standards (GAGAS)
17. Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
Suggestions for additional topic areas are welcome; please provide them well in advance of an SRP visit to allow NERC staff ample time to research and prepare the presentation.
How Much Does It Cost?
The cost to participate is negligible. The only costs are the registered entity’s personnel preparing for and attending an SRP visit and optionally providing refreshments and working lunches for the attendees. NERC and Regional Entity time and travel expenses are covered by their own organizations.
For Further Information
For further information, or to schedule an SRP, please contact the SRP team at SRP@nerc.net.
Comments from Previous Participants:
“We were indeed apprehensive going into the SRP, but quickly recognized your group had no hidden agenda and was only there to help us toward an improved CIP Program; doing the right thing if you will. You quickly set us at ease, and slowly helped us to understand the specifics of what FERC and NERC were looking for and the good and bad points within our RBAM and Conclusions… A VERY GOOD experience for our company, and many thanks to you and your Team!!” –Larry Rodriguez, Entegra Power Group
“The CIP Sufficiency Review proved to be a great opportunity to engage both NERC and WECC on my company’s specific CIP practices. Our SMEs committed a lot of their time to the Review and received some very good feedback.” –Tim Kelley, Sacramento Public Utility District
“The SRP outreach team exceeded my expectations in not only providing CIP standards review and feedback that aided in bolstering our current compliance efforts, but also relaying best risk management practices to mitigate exposures our staff had not thought of. The thorough review of our existing policies and Risk Based Assessment Methodology reinforced in our staff the complex and changing environment surrounding cyber security.” –Richard Malloy, Idaho Falls Power
“Scott Mix from NERC and Bob Yates from Reliability First went above and beyond the scope of the Sufficiency Review Program when time permitted by reviewing additional areas of our Cyber Security Program and answering a wide range of questions asked by Hoosier staff… Hoosier Energy highly recommends other registered entities participate in this program.” –Bob Solomon, Hoosier Energy
“Austin Energy hosted a Sufficiency Review team in November 2012. Our experience was quite good. All of the Austin Energy Subject Matter Experts who attended the sessions provided positive feedback and indicated they thought their involvement in the process was worthwhile and beneficial. I would highly recommend a Sufficiency Review to any organization interested in learning more about CIP compliance.” –Andrew Gallo, Austin Energy
“In April 2013 the NERC Sufficiency Review team executed a review focused on the developmental history of the CIP standards, and topics on CIP-005-3, CIP-007-3, and CIP-009-3. The NERC team was very knowledgeable and provided a fresh perspective on approaching cyber security and compliance. The establishment of a positive engagement atmosphere was achieved by eliminating the restraint of a compliance monitoring or enforcement aspect from the discussion, enabling an open exchange on specific scenarios and questions. I recommend this program as a valuable experience to persons involved in the NERC cyber security program.” –Jonathan Appelbaum, The United Illuminating Company
“Our company conducted a NERC Sufficiency Review in 2013. We took advantage of this program to review our current approach to CIP compliance under version 3 of the standards and as a venue for discussing possible approaches to compliance with the new CIP versions 4 & 5. The current corporate approach to compliance isolates several of the company's business lines from the CIP standards under version 3. The NERC SRP was an excellent opportunity to expose the other company business lines to the implications of CIP compliance, approaches to properly identify & protect critical assets as well as discuss the pros & cons of various methods & tools for implementing an effective & compliant program across the company as we look forward to an expanded compliance program under CIP version 5.” –Chuck Abell, Ameren