Training Course: Understanding NERC-CIP

Description

The latest revision of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards retires some existing requirements, adds new requirements, and introduces new terms, definitions, and classifications related to securing critical cyber assets. Designed for participants already familiar with the NERC-CIP standard, this class reviews all active requirements while focusing on the new and modified regulations introduced in the latest NERC-CIP version, in a manner and depth that will facilitate compliance.

Audience

Bulk Electrical System (BES) asset owners and operators concerned with NERC-CIP compliance. Operations, security personnel, and support staff who need to understand the changes embodied in the latest version of NERC-CIP. All persons involved with NERC-CIP compliance, auditing, and support.

Duration

1 Day

Objectives

  • Become thoroughly acquainted with the changes inherent in the latest update (v5) of the NERC-CIP Standards
  • Be familiar with all active requirements
  • Become familiar with the new format and structure of active requirements
  • Understand which Standards are being retired and the related implications
  • Understand the new Standards being introduced and the related implications
  • Understand the synergy between NERC CIP Requirements and IT and ICS security
  • Understand the new Bright Line criteria for identifying critical cyber assets
  • Understand the new critical cyber asset classification rules
  • Understand all new and revised definitions embodied within the active Standards
  • Have reviewed compliance timelines for the new Standards

Setup

  • Internet access

Text

  • Course Workbook

Prerequisites

  • Familiarity with the North American Bulk Power Generation, Distribution & Delivery Systems.

Outline

Topic 1:     Introduction

  • Welcome
  • What is NERC CIP?
  • Motivation
  • NERC CIP Compliance Violations
  • Course Objectives
  • Course Overview
  • CIP Standards Conventions
  • Basic NERC CIP Concepts and Terms
  • Understanding a NERC CIP Standard
  • Quiz

Topic 2:     ICS Security Concepts and Terms

  • Malware
  • Vulnerabilities, Threats, and Attacks
  • Vulnerabilities and Threats
  • Countermeasures
  • Policies and Procedures
  • Risks and Risk Management
  • Risk Analysis and Mitigation
  • Defense in Depth
  • Security Domains
  • Security vs. Convenience
  • The Difference between Security and Compliance
  • Security Goals
  • Security Resources
  • Quiz

Topic 3:     CIP Requirements: Subject to Enforcement

  • Overview
  • CIP-002-5.1a    Cyber Security — BES Cyber System Categorization
  • CIP-003-6    Cyber Security – Security Management Controls
  • CIP-004-6    Cyber Security – Personnel & Training
  • CIP-005-5    Cyber Security – Electronic Security Perimeter(s)
  • CIP-006-6    Cyber Security – Physical Security of BES Cyber Systems
  • CIP-007-6    Cyber Security – System Security Management
  • CIP-008-5    Cyber Security – Incident Reporting and Response Planning
  • CIP-009-6    Cyber Security – Recovery Plans for BES Cyber Systems
  • CIP-010-2    Cyber Security – Configuration Change Management and Vulnerability Assessments
  • CIP-011-2    Cyber Security – Information Protection
  • CIP-014-2    Physical Security
  • Quiz

Topic 4:     Summary Review

  • Risk Management
  • Policies and Procedures
  • Governance
  • Management
  • Permissions Management
  • Monitoring and Logging
  • Testing
  • Configuration Management
  • Physical Security
  • Communications
  • Incident Response
  • Intrusion Detection / Prevention
  • Account Management
  • Change Management
  • Disposal and Destruction
  • Asset Management
  • Access Control
  • Backups
  • Anti-Virus Software
  • Authentication
  • Continuity Planning
  • Education
  • Employee Awareness
  • Firewalls
  • Information Classification
  • Internal Controls
  • Network Architecture
  • Operations
  • Patch Management
  • Threat Management
  • Password Policy

Appendix     Quiz Answers

Appendix     Developing Policies and Procedures