With cybersecurity presenting dynamic and evolving challenges for the bulk power system, a new set of tools aims to help NERC registered entities navigate their increasingly complex job requirements.
Developed by NERC’s Reliability and Security Technical Committee (RSTC) with the National Institute for Standards and Technology (NIST), the tools provide a more convenient reference between the Critical Infrastructure Protection (CIP) reliability standards and NIST’s Framework for Improving Critical Infrastructure Cybersecurity (CSF).
The new Mapping of CIP Standards to NIST Cybersecurity Framework (CSF) document, released last month, was inspired by a recent joint exercise by NERC and NIST to remap the CIP standards’ requirements to the CSF. This exercise came about because of concerns raised by regulated utilities whose leadership wanted to use NIST’s framework but weren’t sure how to integrate it with their compliance activities.
“What we heard at NIST … was that organizations were being encouraged to adopt the [CSF],” Avi Gopstein, program manager at NIST’s Smart Grid and Cyber-physical Systems Program Office, told ERO Insider. “But because that’s a risk management framework rather than a requirements framework, it’s not precisely clear [about] the very specific actions that could conform to the CIP requirements while satisfying the cybersecurity framework subcategories.”
The level of detail involved in both systems made the task of integration highly challenging for an individual entity to undertake on its own. NIST’s framework comprises 108 subcategories, while the CIP standards contain 43 separate requirements. Moreover, both are constantly under adjustment: just last month NERC’s Board of Trustees sent CIP-004-7 (Cyber security — personnel and training) and CIP-011-3 (Cyber security — information protection) to FERC for approval. (See “Standards Actions Approved,” NERC Board of Trustees/MRC Briefs: Aug. 12, 2021.)
NERC and NIST have done similar remapping exercises before; the last was in 2015 and attempted to match version 1.0 of the CSF to the then-current CIP standards. The latest effort builds on that project, incorporating version 1.1 of the CSF adopted in April 2018 and the most recent updates to the CIP family.
Taking the form of a Microsoft Excel spreadsheet, the new mapping tool presents readers with three tabs:
-
-
- NIST CSF 1.1 to CIP v5 — shows the CIP standards that correspond to each subcategory of the CSF, including a row for each unique mapping between a CIP standard and a CSF subcategory. Subcategories may appear in more than one row.
- CIPv5 to CSF 1.1 XREF — reverses the mapping of the previous tab. CIP standards may span multiple rows if they contain multiple requirements.
- Pivot — the same information as the second tab, but in a configurable format allowing users to expand or minimize each CIP standard and choose additional information to view, such as function, category and subcategory.
-
In addition to NERC and NIST, the ERO Enterprise and the RSTC’s Security Working Group provided input on the proposed remapping over the last several months, delivering valuable insights on the way the document could be improved for everyday use.
“Someone in industry would be able to look at this mapping and say, ‘Okay, I am complying to the NERC CIP requirements; how can I mature my compliance, my security and my risk management?’” said Daniel Bogle, NERC’s senior CIP assurance adviser. “This way, they can look at one document and start that ball rolling to mature, not just their compliance program, not just their security program, but also their risk and business maturity overall.”
In light of the rapidly evolving nature of the cybersecurity landscape that entities face, NIST and NERC hope to maintain the mapping on a more active basis than in the past. Unlike previous versions of the mapping tool that incorporated informative references — “practical suggestions for how organizations can achieve the desired outcome of each subcategory” — the guidance for the new mapping tool directs users to NIST’s Online Informative References Program, which provides the same information in a more dynamic fashion.
“This mapping actually leads us to a reference library that is more up to date than a single snapshot in time, [like] through a traditional publication approach,” Gopstein said. “This takes you to the living library, where the relationships are maintained, but the guidance and information can be updated.”