5 Best Practices for NERC CIP Compliance

Compliance teams in charge of verifying network configurations are meeting the dual challenge of highly technical and dynamic environments. On one hand, networks are becoming larger and more complex. On the other hand, organizations are continuously evolving their technology, use cases, and personnel. As a result, disruptions can impact the ability of compliance teams to ensure that their regulatory framework is properly followed. In this post, we are providing 5 of the top best practices we gathered over the past few years as we developed solutions for cybersecurity and network compliance teams.

5 Best Practices to Achieve NERC CIP Compliance

1. Ensure that network device configuration files are backed-up and versioned

One of the key building blocks of a network compliance program is the ability to go back in time and understand precisely how firewalls, routers, and switches have been configured and modified. This means setting up a backup system to keep a copy of network device configuration files at least once a day. It also requires defining file storage and data retention policy to organize and timestamp every configuration version for at least a year. An efficient backup system will enable compliance analysts to search and retrieve records when preparing for an audit.

2. Verify that network topology diagrams and asset categorizations are up-to-date

We cannot protect what we do not know and accurate knowledge about an organizations network starts with a complete asset inventory. Once the inventory has been created, a process should be put in place to periodically update it. This also applies to the network topology diagram which should clearly indicate where critical equipment is located and how networks are segmented into different access zones. A network map is crucial to enabling the compliance team to gain the same clear understanding of configurations in order to work efficiently with the security and networking teams.

3. Build baseline access policies that include rule justifications

Many organizations have a process to add new rules to firewalls, but they lack an efficient process to remove them. As a result, rulesets become bloated after a few years and nobody dares to clean up old rules for fear of breaking something. The solution is for the compliance team to define baseline access policies that correctly implement internal controls and respect regulatory requirements. This way, network engineers have a reference to use when evaluating changes and compliance teams can easily check for deviations from the baseline. It is also important to include rule justification directly in the baseline record so one can understand the business reasons for specific accesses.

4. Monitor baseline changes over time

Once baselines have been defined, a process should be put in place to continuously or at least periodically monitor changes. It is recommended that compliance teams use a system that is independent of the IT change management process in order to verify changes externally. Our advice is to leverage read-only configuration monitoring solutions that compliance analysts can easily use without having to add to the workload of the IT and networking team.

5. Track progress towards cyber resiliency

Finally, compliance teams should support the goal of their organization to become cyber resilient. This means gaining the ability to recover from and adjust rapidly to cyber risks. In practice, once a compliance framework has been established, the compliance team should organize periodic meetings with other stakeholders to review progress towards implementing resiliency techniques and to ensure everyone remains aligned.