The Lighthouse: CIP low impact from the ground up – Part 8.1, Developing your security awareness plan

By Lew Folkerth, Principal Reliability Consultant, External Affairs

In this recurring column, I explore various questions and concerns related to the NERC Critical Infrastructure Protection (CIP) Standards. I share my views and opinions with you, which are not binding. Rather, this information is intended to provoke discussion within your entity. It may also help you and your entity as you strive to improve your compliance posture and work toward continuous improvement in the reliability, security, resilience and sustainability of your CIP compliance programs. There are times that I also may discuss areas of the standards that other entities may be struggling with and share my ideas to overcome their known issues. As with lighthouses, I can’t steer your ship for you, but perhaps I can help shed light on the sometimes-stormy waters of CIP compliance.

Photo: Eagle River, Michigan (Lew Folkerth)

Section 1 of NERC Reliability Standard CIP-003-9 (Security Management Controls) Attachment 1 covers cyber security awareness. It states:

“Each Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices (which may include associated physical security practices).”

Awareness is distinct from training, which is structured and often formal. Awareness is about keeping security top-of-mind.

What you must do:

• Develop a plan to provide cyber security awareness reinforcement to anyone with physical or electronic access to physical assets containing low impact BES Cyber Systems. The requirement is at least once every 15 calendar months, not annually; an annual schedule meets it with a three-month margin for slips.

• Document the reinforcement for compliance and audit purposes. Be sure to include:

o When or under what circumstances the reinforcement was performed;
o How the reinforcement was delivered;
o If possible, the content of the reinforcement; and
o The types or job classifications of personnel who had access to the reinforcement (this does not need to be a list of individuals).
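The two obligations above (keep the 15-calendar-month clock and keep the evidence record) are easy to get wrong when they are tracked in a spreadsheet by hand, because "15 calendar months" is not 456 days. The following is an added example, not code from the column or from NERC: a small Python tracker that stores each reinforcement with the four evidence fields, advances the clock by whole calendar months, flags intervals that ran past the due date, and reports records missing required fields. The sample events are constructed. The counting convention is an assumption: the default is the conservative "same day of the month, 15 months later"; `to_month_end=True` gives the more lenient "by the end of the 15th calendar month" reading. Confirm with your Regional Entity which one your auditor will accept.

```python
"""Track CIP-003 Attachment 1 Section 1 awareness reinforcement evidence and
the 15-calendar-month clock.  Added example; not from the column or from NERC.
Counting conventions below are assumptions to confirm with your auditor."""
from dataclasses import dataclass
from datetime import date
import calendar


@dataclass(frozen=True)
class Reinforcement:
    performed: date
    circumstance: str   # when / under what circumstances it was performed
    delivery: str       # how it was delivered
    content: str        # what was delivered, if retained ("" if not)
    audience: tuple     # job classifications, never a list of individuals


def add_calendar_months(d: date, months: int) -> date:
    """Advance d by whole calendar months, clamping the day to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_due(last: date, to_month_end: bool = False) -> date:
    """Latest date the next reinforcement may occur after one performed on `last`.

    Assumption: default is the conservative 'same day of month, 15 months on'.
    to_month_end=True extends that to the last day of the 15th calendar month."""
    due = add_calendar_months(last, 15)
    if to_month_end:
        due = due.replace(day=calendar.monthrange(due.year, due.month)[1])
    return due


def late_intervals(events, to_month_end: bool = False):
    """Return (previous, next) pairs where the next reinforcement came after the clock expired."""
    dates = sorted(e.performed for e in events)
    return [(a, b) for a, b in zip(dates, dates[1:]) if b > next_due(a, to_month_end)]


def days_remaining(events, today: date, to_month_end: bool = False) -> int:
    """Days left on the clock from the most recent reinforcement (negative if overdue)."""
    last = max(e.performed for e in events)
    return (next_due(last, to_month_end) - today).days


def missing_evidence(e: Reinforcement):
    """Required audit-record fields that are blank.  Content is 'if possible', so it is not required."""
    missing = [name for name, value in (("circumstance", e.circumstance), ("delivery", e.delivery))
               if not value.strip()]
    if not e.audience:
        missing.append("audience")
    return missing


# Constructed sample log: the third entry is late and has no audience recorded.
EVENTS = (
    Reinforcement(date(2023, 3, 10), "pre-outage safety stand-down", "in-person briefing",
                  "phishing red flags", ("substation technicians", "field supervisors")),
    Reinforcement(date(2024, 2, 20), "quarterly all-hands", "slide deck and quiz",
                  "", ("all operations staff",)),
    Reinforcement(date(2025, 6, 5), "post-incident tailboard", "verbal", "", ()),
)

if __name__ == "__main__":
    for prev, nxt in late_intervals(EVENTS):
        print(f"late: {prev} -> {nxt}, was due by {next_due(prev)}")
    for ev in EVENTS:
        if missing_evidence(ev):
            print(f"{ev.performed}: record is missing {missing_evidence(ev)}")
    print("days left on the clock:", days_remaining(EVENTS, date(2025, 6, 5)))
```

Run it as-is to see the late interval and the incomplete record reported; swap in your own events to use it as a pre-audit check. The day-clamping in `add_calendar_months` matters: a reinforcement on January 31 is due by April 30 of the following year, which a plain "add 456 days" calculation would miss by a day.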

Additional ideas to raise cyber security awareness could include:

• Feature a cyber tip in your pre-job safety briefings.

• Get creative – create cyber security posters or quizzes, even a “phish of the month” club.

• Put awareness messages on screen savers.

• Use commercial training platforms informally – several vendors specialize in short, awareness-style modules that can be delivered without building a formal training program around them.

The key is to make it stick. If your team can’t remember the last time they heard about cyber security, it’s time to rethink your approach.

I’ll cover Sections 2-6 of CIP-003-9 Attachment 1 in forthcoming issues of The Lighthouse: CIP Low Impact from the Ground Up series.