Understanding the differences and making a smoother transition from CIP Version 3 to CIP Version 5
Much buzz has been flying around the airwaves this past month regarding NERC’s release of CIP Version 4. Most of this discussion is centered on two major concepts I have seen with nearly every security standard. One involves the concern over meeting the requirements of one version of the standard with the expectation of turning around and meeting the next version shortly afterward. This causes additional and often unnecessary financial strain to meet security requirements. The second involves determining the scope of affected components. During conversations with clients, the biggest concern regarding the changes from Version 3 to Version 5 is focused on CIP-002, asset classification. The following graphic provides a very high-level overview of what guidance is provided for system scoping and identification from Version 3 to Version 4 and from Version 4 to Version 5.
Purely from a system identification and scoping perspective, Version 5 does a great job of clarifying which systems and facilities must be addressed. However, after further investigation, I found that NERC would not accept Version 5 impact categorization until the standard is approved by FERC. It is nice to see the regulation and control of these standards; however, it is equally frustrating to guide systems to compliance with one standard, then have to turn around and comply with the next, heavily tweaked version projected to arrive within one year. This becomes a classic case where developers of standards understand the cyber risks but fail to understand the cost impact to organizations of addressing these issues. Business impacts are not even considered in their development.
Due to the vague nature of Version 3 regarding the scoping of systems, the impact of converting from one version of CIP to the next can be substantial for implementing organizations. Unfortunately, this step alone will only give an idea of what assets exist within the infrastructure. It is only one step of many toward meeting the requirement. Worse yet, this work will be performed once and then, a few months later, will have to be performed again.
But what if your organization were able to identify components against Version 5 and “reverse engineer” those critical assets back into Version 4? You can perform this asset identification and categorization once, while meeting both versions of the standard. Although you will still need to be compliant with Version 4, there is no reason you cannot add a few extra columns to your asset inventory and begin identifying your assets using Version 5.
With a closer look, all aspects of Version 4 are included within the Version 5 scoping guidance. The largest difference most organizations will experience is the additional categorization of these assets into a High, Medium or Low Impact Rating. So what is it that makes Version 4 unique? Version 4 introduces a “bright-line” criterion which aims to provide definitive guidance for identifying critical assets. For example, in Attachment 1 of CIP-002-4, item 1.6 identifies “Transmission Facilities operated at 500kV or higher” as a critical asset. This is very definitive when attempting to consider systems and facilities in scope of NERC requirements.
In CIP-002-5, item 2.4 identifies “Transmission Facilities operated at 500 kV or higher” as a critical system, but goes one step further and tags it with a Medium Impact Rating. In both scenarios, the cyber assets must be protected. In both scenarios, the same system is in scope of the NERC requirements. So why not approach this problem by completing a single inventory which addresses both requirements? This can be accomplished by simply documenting the Version 5 requirement in line with the Version 4 requirement.
An organization’s solution may be as simple or as complicated as they like. My recommendation would be to start with a simple spreadsheet. Identify all of your critical assets as defined by CIP-002-4. In theory, this exercise shouldn’t take a lot of effort. However, proceed with caution: CIP-002-3 required organizations to identify their own critical assets with minimal guidance, so chances are good that your specific organizational criteria do not align well with the CIP-002-4 requirements. I would urge you, however, to revisit the effort put into defining critical assets, as you already have a foundation to work from.
Once all critical assets have been documented in the spreadsheet, add three columns. Label these as “High”, “Medium”, and “Low”. Using the CIP-002-5 guidance, place an “X” (or a character of your choosing) into the respective columns which map against the upcoming standard. For example, if you have a system supporting the transmission facility previously mentioned, place an “X” in the “Medium” column. By performing your work this way, you will successfully identify critical assets in alignment with the bright-line criteria for CIP-002-4 as well as comply with the risk-based asset identification outlined in CIP-002-5.
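The spreadsheet approach above can be scripted so the Version 4 critical-asset flag and the Version 5 High/Medium/Low columns are filled from one rule table, and so any asset that is marked critical under Version 4 but has no Version 5 rating is reported instead of silently dropping out of scope. The following Python script is an added example and is not part of the original article or of any NERC material; the CSV column names, the asset type labels and the four inventory rows are constructed, and the only bright-line criterion it encodes is the one quoted on this page (CIP-002-4 Attachment 1 item 1.6 and CIP-002-5 Attachment 1 item 2.4, transmission facilities at 500 kV or higher, Medium impact). Other criteria would be added to the rule table by the implementing organization.

```python
import csv
import io

# Constructed sample inventory (not real utility data). One row per asset,
# carrying the attributes needed to evaluate the criterion encoded below and
# the organization's existing CIP-002-4 critical-asset designation ("X").
SAMPLE_INVENTORY = """asset_id,asset_type,operating_kv,cip_002_4_critical
SUB-01,Transmission Facility,500,X
SUB-02,Transmission Facility,230,
SUB-03,Transmission Facility,765,X
CC-01,Control Center,,X
"""

# Rule table (shape is an assumption of this example). Only the criterion
# quoted on the page is encoded: "Transmission Facilities operated at 500 kV
# or higher" is a critical asset under CIP-002-4 (item 1.6) and a Medium
# impact system under CIP-002-5 (item 2.4). Further CIP-002-5 criteria would
# be appended here as additional dictionaries.
RULES = [
    {
        "name": "CIP-002-4 Att.1 item 1.6 / CIP-002-5 Att.1 item 2.4",
        "matches": lambda row: row["asset_type"] == "Transmission Facility"
        and row["operating_kv"] != ""
        and float(row["operating_kv"]) >= 500,
        "v5_rating": "Medium",
    },
]

IMPACT_COLUMNS = ("High", "Medium", "Low")


def classify(row):
    """Return (v4_flag, v5_rating) for one inventory row.

    v5_rating is 'High', 'Medium' or 'Low' when an encoded rule matches, and
    'REVIEW' otherwise, so that unmapped assets stand out for manual review
    rather than being treated as out of scope.
    """
    for rule in RULES:
        if rule["matches"](row):
            # Everything in Version 4 is contained in Version 5 scoping, so a
            # match on a shared bright-line criterion sets both designations.
            return "X", rule["v5_rating"]
    # No encoded rule matched: keep the organization's existing Version 4
    # designation untouched and flag the Version 5 rating for review.
    return row.get("cip_002_4_critical", ""), "REVIEW"


def add_impact_columns(csv_text):
    """Read a Version 4 inventory and return rows with the three Version 5
    impact columns plus a review flag added (the 'extra columns' approach)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = []
    for row in reader:
        v4_flag, rating = classify(row)
        new_row = dict(row)
        new_row["cip_002_4_critical"] = v4_flag
        for col in IMPACT_COLUMNS:
            new_row[col] = "X" if rating == col else ""
        new_row["v5_review_needed"] = "X" if rating == "REVIEW" else ""
        rows.append(new_row)
    return rows


def find_gaps(rows):
    """Return asset_ids that are critical under Version 4 but received no
    Version 5 impact rating. These are the assets most likely to be missed
    when the inventory is carried forward to the next version."""
    return [
        r["asset_id"]
        for r in rows
        if r["cip_002_4_critical"] == "X" and r["v5_review_needed"] == "X"
    ]


def to_csv(rows):
    """Serialize the augmented inventory back to CSV text for the spreadsheet."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    augmented = add_impact_columns(SAMPLE_INVENTORY)
    print(to_csv(augmented))
    print("Version 4 critical assets with no Version 5 rating:", find_gaps(augmented))
```

Run as-is, the script marks SUB-01 and SUB-03 as Version 4 critical and Medium impact, leaves SUB-02 (230 kV) unrated and flagged for review, and reports CC-01 as a gap: it is critical under Version 4 but no encoded Version 5 criterion covers it, which is exactly the kind of asset the review column exists to catch.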
Obviously there are other differences with NERC CIP changes as discussed earlier. Requirements are becoming more thorough and granular, which continues to strain the critical infrastructure. However, failing to secure these systems is also a major concern. NERC is attempting to provide a balancing act between evolving threats and business requirements. If you don’t believe this is a real threat, I would recommend reading this article from CNNMoney.
The threat is real, and you will need to know what assets are out there and require protection. Seek industry partners who are cyber security experts. Ensure those experts understand your need for control systems and that removing those systems from networks may not be an option. Feel free to ask for help and clarification where you do not understand the requirements or industry best practices. Finally, ensure you make a good business decision based on measurable risk. All of these items are easily achievable when using the right security-focused business partner.