Most Utilities I talk to kept April 1, 2016 as their internal NERC CIP V5 deadline even though they received a reprieve to July. Congratulations are in order for most as internal compliance dates were achieved. What I’m hearing is that they were able to cobble together their cyber assets and attributes in various ways such as listing them manually in a spreadsheet, tediously writing scripts to pull data and monitor ports, and taking screen shots locally on a device. Many documented a change management process but have not operationalized it – meaning the policy can’t be automatically enforced.
There is a better way to do this moving forward. Operationalizing a configuration and change management process not only helps to sustain the NERC CIP program, but it’s just good security hygiene.
The reason the NERC CIP standard exists is to improve the overall security posture of the critical infrastructure. Identifying the cyber assets, capturing how they are configured with respect to security, monitoring the assets, and enforcing a rigorous change process on those assets will reduce the security risk.
WizNucleus can help. Cyberwiz-Pro (CWP) creates the configuration baseline by automatically pulling data from the devices through the CWP agent, or by integrating with other agents, such as Tripwire. The baseline, housed in a relational database, is kept current through a change management workflow engine designed specifically for the critical infrastructure. It’s easy to pull audit-ready reports on the assets.
Using CWP for Configuration and Change management not only improves security and builds a sustainable NERC CIP program, but also improves the daily operations for the IT and OT operations staff.