Achieving Auditable Compliance with NERC CIP Reliability Standards

Beginning in 2010, energy producers and distributors face a looming challenge – to become “auditably compliant” with the Critical Infrastructure Protection (CIP) standards by the July 1, 2010 deadline. Developed by NERC, an independent, not-for-profit organization whose mission is to ensure the reliability of the bulk power system in North America, and given the force of law by the Federal Energy Regulatory Commission (FERC) in early 2008, the standards are intended to compel energy companies and utilities to focus more heavily on cyber-security.

The overriding goal of the CIP standards is to protect the bulk electric system from cyber attacks, including attacks from within the utility (i.e., insider threats). The eight standards include establishing programs for managing access to cyber assets, documenting which personnel are authorized to access cyber assets, and creating plans and processes for electronic and physical security of assets, among other things. The deadline to become “auditably compliant” by July 2010 provides the real “teeth” to the mandate, requiring organizations to undergo audits and provide documented evidence of compliance or non-compliance with the standards.

While the NERC CIP standards are more prescriptive than some regulatory mandates, they do leave many implementation details up to the affected organizations. Put another way, NERC defines “the what” but not necessarily “the how” of getting compliant. This factor makes it critical that organizations think strategically and holistically about their approach to NERC CIP and follow three important guidelines:

  1. Take a risk-based approach that focuses controls on the most critical cyber assets and avoids boiling the ocean;
  2. Automate compliance processes for consistency and repeatability, and to control costs; and
  3. Don’t forget the people component in “people, process, and technology” – communications and information sharing between stakeholders is key.

Because controlling access to critical infrastructure is one of the highest priorities for complying with the CIP standards, identity governance will be a key component of any organization’s compliance strategy. Identity governance provides an automated approach to strengthening access controls and delivering evidence of those controls for audit purposes. By offering a framework for automating compliance, facilitating business and IT collaboration, and taking a risk-based approach, identity governance helps organizations to achieve sustainable, auditable compliance with the standards’ requirements.

To help organizations plan and implement a cost-effective, risk-based approach to NERC CIP compliance, SailPoint is presenting a free webinar with Corporate Integrity’s Michael Rasmussen on February 10th. We’ll review the CIP standards, what’s needed, and how identity governance can help companies achieve the next level of compliance. Following the webinar, we’ll also provide access to a free whitepaper that walks companies through the eight CIP standards focused on IAM and provides a roadmap for how to best comply with each.

UPDATE: The webinar is now available on-demand. Feel free to view at your leisure and share the link with your colleagues! We also have a white paper that you can download.