
Essentials for NERC Critical Infrastructure Protection


by fatima
Price:  260,000
2 Months


The Essentials for NERC Critical Infrastructure Protection course empowers students with knowledge of the what and the how of the version 5/6/7 standards. The course addresses the role of the Federal Energy Regulatory Commission (FERC), North American Electric Reliability Corporation (NERC), and Regional Entities, provides multiple approaches for identifying and categorizing BES Cyber Systems, and helps asset owners determine the requirements applicable to specific implementations.


Course Key Learnings: 

  • BES Cyber System identification and strategies for lowering their impact rating
  • Nuances of NERC defined terms and CIP standards applicability and how subtle changes in definitions can have a big impact on your program
  • The significance of properly determining Cyber System impact ratings and strategies for minimizing compliance exposure
  • Strategic implementation approaches for supporting technologies
  • How to manage recurring tasks and strategies for CIP program maintenance
  • Effective implementations for cyber and physical access controls
  • How to break down the complexity of NERC CIP in order to communicate with your leadership
  • What to expect in your next CIP audit, how to prepare supporting evidence, and how to avoid common pitfalls
  • How to understand the most recent Standards Development Team’s (SDT) efforts and how that may impact your current CIP program

Skills Gained:

  • Understand the cybersecurity objectives of the NERC CIP standards
  • Understand the NERC regulatory framework, its source of authority, and the process for developing CIP standards, as well as their relationship to the other BES reliability standards
  • Speak fluent NERC CIP and understand how seemingly similar terms can have significantly different meanings and impacts on your compliance program
  • Break down the complexity to more easily identify and categorize BES Cyber Assets and Systems
  • Develop better security management controls by understanding what makes for effective cybersecurity policies and procedures
  • Understand physical and logical controls and monitoring requirements
  • Make sense of the CIP-007 system management requirements and their relationship to CIP-010 configuration management requirements, and understand the multiple timelines for assessment and remediation of vulnerabilities
  • Determine what makes for a sustainable personnel training and risk assessment program
  • Develop strategies to protect and recover BES Cyber System information
  • Know the keys to developing and maintaining evidence that demonstrates compliance and be prepared to be an active member of the audit support team.
  • Sharpen your CIP Ninja!

Course Content:

Module 1: Asset Identification and Governance

Overview

A transition is underway from NERC CIP programs that are well defined and understood to a new CIP paradigm that expands its scope into additional environments and adds significantly more complexity. On day 1, students will develop an understanding of the electric sector regulatory structure and history as well as an appreciation for how the CIP Standards fit into the overall framework of the reliability standards. Key NERC terms and definitions related to NERC CIP are reviewed using realistic concepts and examples that prepare students to better understand their meaning. We will explore multiple approaches to BES Cyber Asset identification and learn the critical role of strong management and governance controls. We’ll also examine a series of architectures, strategies, and difficult compliance questions in a way that highlights the reliability and cybersecurity strengths of particular approaches. Unique labs will include a scenario-based competition that helps bring the concepts to life and highlights the important role we play in defending “the grid.”

Topics

  • Regulatory History and Overview
  • NERC Functional Model
  • NERC Reliability Standards
  • CIP History
  • Terms and Definitions
  • CIP-002: BES Cyber System Categorization
  • CIP-003: Security Management Controls

Module 2: Access Control and Monitoring

Overview

Strong physical and cyber access controls are at the heart of any good cybersecurity program. On day 2 we move beyond the what of CIP compliance to understanding the why and the how. Firewalls, proxies, gateways, IDS, and more – you’ll learn where and when they help as well as practical implementations to consider and designs to avoid. Physical protection includes more than fences, and you’ll learn about the strengths and weaknesses of common physical controls and monitoring schemes. Labs will reinforce the learnings throughout the day and will introduce architecture review and analysis, firewall rules, IDS rules, compliance evidence demonstration, and physical security control reviews.

Topics

  • CIP-005: Electronic Security Perimeter(s)
  • Interactive Remote Access
  • External Routable Communication and Electronic Access Points
  • CIP-006: Physical Security of BES Cyber Systems
  • Physical Security Plan
  • Visitor Control Programs
  • PACS Maintenance and Testing
  • CIP-014: Physical Security

Module 3: System Management

Overview

CIP-007 has consistently been one of the most violated standards going back to CIP version 1. With the CIP Standards moving to a systematic approach with varying requirement applicability based on a system impact rating, the industry now has new ways to design and architect system management approaches. Throughout day 3, students will dive into CIP-007. We’ll examine various Systems Security Management requirements with a focus on implementation examples and the associated compliance challenges. We’ll also cover the CIP-010 requirements for configuration change management and vulnerability assessments that ensure systems are in a known state and under effective change control. We’ll move through a series of labs that reinforce the topics covered from the perspective of the CIP practitioner responsible for implementation and testing.

Topics

  • CIP-007: System Management
  • Physical and Logical Ports
  • Patch Management
  • Malicious Code Prevention
  • Account Management
  • CIP-010: Configuration Change Management and Vulnerability Assessments
  • Change Management Program
  • Baseline Configuration Methodology
  • Change Management Alerting/Prevention

Module 4: Information Protection and Response

Overview

Education is key to every organization’s success with NERC CIP, and ICS456 graduates will be knowledgeable advocates for CIP when they return to their place of work. Regardless of their role, students can be a valued resource to their organization’s CIP-004 training program and the CIP-011 information protection program. Students will be ready with resources for building and running strong awareness programs that reinforce the need for information protection and cybersecurity training. On day 4, we’ll examine CIP-008 and CIP-009, covering identification, classification, and communication of incidents, and the various roles and responsibilities needed in an incident response or a disaster recovery event. Labs will introduce tools to ensure file integrity and the sanitization of files to be distributed, how to best utilize and communicate with the E-ISAC, and how to preserve incident data for future analysis.

Topics

  • CIP-004: Personnel and Training
  • Security Awareness Program
  • CIP Training Program
  • PRA Evaluation Process
  • CIP-011: Information Protection
  • Information Protection Program
  • Data Sanitization
  • CIP-008: Incident Reporting and Response Planning
  • Incident Response Plan/Testing
  • Reporting Requirements
  • CIP-009: Recovery Plans for BES Cyber Systems
  • Recovery Plans
  • System Backup

Module 5: The CIP Process

Overview

On the final course day, students will learn the key components for running an effective CIP compliance program. We will review the NERC processes for standards development, violation penalty determination, Requests for Interpretation, and recent changes stemming from the Reliability Assurance Initiative. Additionally, we’ll identify recurring and audit-related processes that keep a CIP compliance program on track: culture of compliance, annual assessments, gap analysis, TFEs, and self-reporting. We’ll also look at the challenge of preparing for NERC audits and provide tips to be prepared to demonstrate the awesome work your team is doing. Finally, we’ll look at some real-life CIP violations and discuss what happened and the lessons we can take away. At the end of day 5, students will have a strong call to action to participate in the ongoing development of CIP within their organization and in the industry overall, as well as a sense that CIP is do-able! Labs on day 5 will cover DOE C2M2, audit tools, and an audit-focused take on a “blue team – red team” exercise.

Topics

  • CIP Processes for Maintaining Compliance
  • Preparing for an Audit
  • Audit Follow-Up
  • CIP Industry Activities
  • Standards Process
  • CIP of the Future

International Student Fee: 850 US$

