
Assessing and Reducing Risk - NERC Security Working Group

image credit: NERC Security Working Group (SWG) Cybersecurity Framework (CSF) Self-Assessment Tool Survey
Dan Wagner, Digital Transformation Professional (Semi-Retired)

An Information Security and Risk Management Professional with extensive experience in highly visible positions providing innovative solutions for Digital Transformation, Cloud Security, Privacy...

Oct 21, 2021

The following reference documents were published this year (6/8/2021) after over a year of vetting and collaborative effort by industry volunteers from the RSTC, Security Working Group (SWG), and representatives from NERC and NIST. They include NERC CIP alignments with various frameworks, including NIST-CSF and SP800-53 Rev.4, CIS CSC, COBIT, ISA, and ISO. The spreadsheet is meant to be a "Security and Compliance" self-assessment and maturity tool for CIP Requirement Owners within Responsible Entity organizations. One of the goals in developing this tool and the framework alignments was to help address questions that members of the group have received from practitioners who were looking for more details on the how and why of technical controls.


The documents and instructions are located on NERC's web site: https://www.nerc.com/comm/Pages/Reliability-and-Security-Guidelines.aspx under 'Technical Reference Documents / Approved Technical Reference Documents':

TechRefDoc-Assessing_Reducing_Risk_Self_Assessment_Tool.xlsx
TechRefDoc-Assessing_Reducing_Risk.pdf

Executive Summary:

This reference document is comprised of instructions and a risk assessment tool that can help organizations determine their current security and compliance posture. The tool is a Microsoft Excel-based spreadsheet that maps requirements of the CIP Reliability Standards to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (hereafter referred to as "the framework"). It can help a responsible entity identify gaps in their current environment and develop an improvement plan for addressing them.
The instructions and tool were the result of a collaborative effort by industry volunteers from the RSTC, Security Working Group (SWG), and representatives from NERC and NIST. The deliverables associated with the reference document underwent a pilot study with SWG members; their recommendations were incorporated into the final version.


A 'NERC Security Working Group (SWG) Cybersecurity Framework (CSF) Self-Assessment Tool Survey' was also completed (seen in part in the attached image).

Discussions
Matt Chester on Oct 21, 2021

Thanks for sharing, Dan. For any utility stakeholders who are lagging behind with considering these frameworks, do you advise this as a document that will get them right up to speed? Or is there a broader primer they should check out before diving into the Excel sheet?

Dan Wagner on Oct 21, 2021

It depends on the user; I would have a CIP SME approach this as an opportunity to assess one or more of their current postures on a standard and see if it makes sense. I would also consider going to the "Implementation Dashboard" tab, 'Column D', and looking at the VRF ranking. This is in the worksheet to help entities decide where their greatest risks may be and prioritize which ones they may want to look at first.

As far as a primer goes, the NIST-CSF has lots of primers available, and it is included in the worksheet in whole.


I hope that helps, please ask more questions.

Dan
