Kathryn, you asked Richard "if a Utility were to strive to meet the various NIST references you mentioned, then they would be much more secure and yet also be NERC CIP compliant as a natural output from those security measures?" Not necessarily but you are on the right track with your thinking.
As a former "prosecuting attorney" for WECC litigating against entities that were in violation of the CIP standards, I saw both small and large registered entities seriously violate the standards and struggle with systemic violations of CIP standards. For example, I prosecuted two of the largest utilities in North America for major systemic CIP violations. Each of those entities had thrown millions of dollars at their compliance programs. There were other smaller registered entities with much less invested but much more robust CIP compliance programs that were often used as exemplars in the Western Interconnection. I no longer believe that CIP compliance effectiveness was a result of large budgets. One reason for failures was the gaps and silos within the company, where one part of the company was focusing on being compliant with CIP standards, another with NIST, another with SOX, etc. Each part of the company was doing its own thing, but as a whole, the company ultimately failed to focus uniformly on the tasks leading to the main goal of all of these regulatory schemes---protection of physical assets, cyber assets, data, etc.
Very generally speaking, you should first continue to ask yourself what tasks need to be done when trying to identify and protect assets, detect and respond to threats, and recover cyber or physical assets or data. Second, focus on concepts like identifying and managing assets, understanding your business environment and key players within it, managing and monitoring the governance (regulatory regimes you're subject to), assessing risk, etc. Third, once you take those steps, you can better see where particular standards or protocols fit (e.g. CIP, NIST, CIS, COBIT, ISA, ISO, etc.). If you look past the naming conventions, acronyms, numbers, and legalese, you will see that each of these regulatory regimes gives you a task or objective that deals with identification, protection, detection, recovery, etc. Once you draft your policies and procedures with these tasks and objectives in mind instead of simply complying with a standard, you will be much more likely to be secure and also NERC CIP compliant (and SOX compliant, and NIST compliant, etc.) as a natural output of your planning and implementing.
Can you see how you have formed the foundation for real protection and compliance, and how this process, though more tedious up front, would be easier to maintain in the long run? How a program like this would take a more holistic look at compliance and protection from a company-wide view instead of piecemeal? How a compliance program with these foundations would be more dynamic, allowing you to meet future environmental and regulatory changes?
HERE IS A VALUABLE TOOL: NERC working groups already went through and compared the tasks and objectives inherent in NERC CIP, NIST, CIS CSC, COBIT, ISA, and ISO and did a “direct line” comparison between them. They gave you a cheat sheet on how to build the foundation for your compliance program and still be compliant with the variety of regulatory regimes you are subject to. Look down at the bottom under “Technical Reference Documents”, then the list under “Approved Technical reference Documents”, and then click on the Excel spreadsheet, “Technical Reference Document: Assessing and Reducing Risk Tool.” Once open, look at the tabs along the bottom and select “Cyber Security Framework”. Find it here: https://www.nerc.com/comm/Pages/Reliability-and-Security-Guidelines.aspx