Electrical utilities are responsible for just about everything we do. This places a tremendous burden on those who operate those utilities. One way these organizations offer assurance is through the audit process. While audits can generate tremendous anxiety, good planning and tools can help make the entire process go smoothly. Moreover, these can also help to achieve positive results.
At the recent Tripwire Energy & NERC Compliance Working Group, we asked two long-time industry professionals how they approach and conquer NERC CIP audits. A Manager of Infrastructure Security and a Senior Technology Administrator who share more than four decades of experience in the electrical utility profession provided the following insights for all security professionals across the industry.
The Importance of Constant Preparation
One of the organizations is scheduled for a NERC CIP audit in 2024, and they are in the process of upgrading many of the servers and databases in their organization. The Manager of Infrastructure Security indicated that the process is better with the right internal teams and with help from a trusted partner, such as Tripwire’s Professional Services team. Two years ago, they implemented Tripwire State Analyzer (TSA) into the environment, and they are eager to see the upgrades that will integrate into Tripwire Enterprise (TE).
The Senior Technology Administrator recently completed a CIP audit as well. His organization uses the Tripwire Enterprise Integration Framework (TEIF) to help with their analysis. One of the recommendations he makes for passing a CIP audit is to keep your policies, rules and allowlists as clean and up-to-date as possible. If there's software that hasn't been in the environment for years, remove it from the allowlist. Deprecated technologies should also be removed from any allowlists.
Overcoming Challenges
One significant challenge that both leaders expressed is finding the right balance: allowing the correct applications, services, and ports without being too broad. Another important exercise is to conduct mock audits before the actual CIP audit to reveal and decide upon what the threshold should be for achieving that balance. Doing that takes a lot of effort, but it is worth it. Every report and integration should have auditing in mind.
“The biggest challenge always is security: security of the grid, security of the data, and security of the Tripwire system. Nobody aspires to compliance for the sake of compliance. You're doing the compliance work because it leads you to a much more secure posture. Security is always at the forefront of everything we're doing and continues to be a paramount concern.”
- Senior Technology Administrator for the IT Compliance
Energy and Utility Company
Can Compliance Be Fully Automated?
Both Tripwire customers agreed that automation cannot be fully relied upon to implement changes. Any time a new software package is released, it must be reviewed by a subject matter expert who can determine its value to the organization and any hidden impacts it may present. The Senior Technology Administrator refers to this as “getting human eyes on it. Like most changes, it is wiser to assume first that it is disallowed rather than allowed.”
The Manager of Infrastructure Security agreed, adding that the nature of the change will also determine the level of scrutiny required. Sometimes, the automating tools create false results that take longer to research than if the package was examined manually. He stated, “too much automation comes when you've implemented more solutions than you can support. You can't guarantee the reliability of the information that you're collecting or providing. There are too many opportunities to get things wrong or lose trust in the processes. Automation should balance providing the necessary information and automating processes to validate that the data is still good. Error reports, dashboards, and reporting are key to validating that the information is not wrong or corrupted. Make sure that as you're automating your processes, you've got those validations in place on the backend to ensure that your processes are working to keep up on things.”
The Importance of Personalization
Too often, an organization will deploy a new system into an environment without making it personalized to the organization. The Senior Technology Administrator recommends renaming everything to make it specific to the organization. Creating and using a naming standard can benefit everyone who needs to work on that system. The Manager of Infrastructure Security emphasized the importance of inter-departmental relationships, as well as fostering solid partnerships with reliable vendors. This is especially important considering the third-party tools that are required for all organizations.
“Don't be afraid to ask questions and challenge yourselves with how to use the tools in different ways.”
- Manager of Infrastructure Security
Energy & Utilities Company
If you would like to learn more about how Tripwire can help monitor your environment, easing your efforts towards NERC CIP compliance, visit us here.