The Lighthouse: CIP low impact from the ground up – Part 7, Governance and policy

By Lew Folkerth, Principal Reliability Consultant, External Affairs

In this recurring column, I explore various questions and concerns related to the NERC Critical Infrastructure Protection (CIP) Standards. I share my views and opinions with you, which are not binding. Rather, this information is intended to provoke discussion within your entity. It may also help you and your entity as you strive to improve your compliance posture and work toward continuous improvement in the reliability, security, resilience and sustainability of your CIP compliance programs. There are times that I also may discuss areas of the standards that other entities may be struggling with and share my ideas to overcome their known issues. As with lighthouses, I can’t steer your ship for you, but perhaps I can help shed light on the sometimes-stormy waters of CIP compliance.

For the purposes of this article, I will use the language of CIP-003-9. CIP-003-9 will become enforceable on April 1, 2026. You should be preparing now for this change. CIP-003-8 will continue to be enforced through March 31, 2026.

Photo: Sand Hills Lighthouse, Ahmeek, Michigan (Lew Folkerth)

The cyber security policy required by CIP-003-9 R1 (Cyber Security — Security Management Controls) is the core of any CIP compliance program. The CIP Senior Manager can use the cyber security policy to map out the governance strategy for the security of the affected assets and for compliance with the CIP Standards. In this article I give my suggestions on leveraging policy to further your management goals, expectations, and aspirations.

Governance

Cyber security and CIP compliance are both processes, not end states. You can never say, “We are fully compliant (or secure).” The best you can say is, “We are fully compliant (or secure), to the best of our knowledge, at the present moment in time.” Think of it like driving your car. You may be cruising along with no traffic, in the middle of your lane and within the posted speed limit. But you cannot take your attention off the road or your hands off the wheel.

This is where governance comes in. Governance is the framework of policies, plans, and processes you use to direct your security and compliance efforts. Governance is how you ensure you keep your hands on the wheel and your eyes on the road.

Policy

I like the definition of policy contained in the “Background” section of CIP-003-6. It is not now and has never been enforceable, but I think it provides a good definition of policy:

“The term policy refers to one or a collection of written documents that are used to communicate the Responsible Entities’ management goals, objectives and expectations for how the Responsible Entity will protect its BES Cyber Systems. The use of policies also establishes an overall governance foundation for creating a culture of security and compliance with laws, regulations, and standards.” [CIP-003-6 Section A.6, Background]

Every CIP drafting team has concurred in the belief that policies are so important that the CIP Senior Manager must annually approve them and may not delegate that responsibility.

Policy organization

CIP-003-9 Part 1.2 requires that you document cyber security policies that address seven topics, one for each section in Attachment 1, plus one for CIP Exceptional Circumstances permitted by Section 5, Transient Cyber Assets.

You are given wide latitude in how you organize your policies. You may have one policy for your entire organization and for all required policy topics. Or you may separate each required topic into its own policy. You may have different policies for different asset types (e.g., control centers, generators, substations).

I recommend that if you have more than one policy, you should have an overall master policy that identifies each individual policy, describes their respective applicability, and describes how, collectively, they cover all required topics for all required assets. This will be of great assistance in organizing multiple policies and in demonstrating your compliance to an audit team.

I suggest that you be as explicit as possible when describing the applicability of each policy. I have seen a case where an organization had a policy covering a generating plant and the generation team assumed the substation policy would cover the generation substation. But the organization’s substation team assumed, since the generation substation was the responsibility of the plant, that the generation policy would cover the generation substation. Hence neither policy addressed the generation substation.

Aspirations vs. compliance requirements

Policies are one of the places where you can aspire to go beyond the minimum requirements of the standard. I highly encourage this. For example, at low impact you are required to test each of your cyber security incident response plans once every 36 months. This is nowhere near enough practice to keep an incident response team trained and sharp, which is what you need during an incident. You can state in your policy that you will have your incident team receive regular training and that each incident response plan will be tested quarterly.

If you fail to meet these aspirations, this is not considered a compliance violation. It is only a violation if you fail to meet the requirement of the standard.

Policy suggestions

Do not just replicate or paraphrase the language of the requirement. For example, don’t say, “All physical access to assets must be controlled” as your physical access policy. Instead say something like, “Access to assets will be granted only on demonstrated and documented need. Access to the control center will be by key card and PIN. Access to substations will be by physical key, with all keys managed by the Key Inventory Management Program.”

Rather than paraphrasing the requirement, this shows how you view the requirement and how you will approach its implementation. Note that no specifics such as vendor names are stated, as those can change with time. Risk to the protected systems is addressed, with higher risk systems receiving greater, and perhaps more expensive, protection. The scope of the implementation is addressed, requiring demonstrated need before access is granted.

Conclusion

The CIP cyber security policy is a tool management can use to articulate goals, objectives, expectations, and aspirations for your organization’s operational cyber security and CIP compliance. In future articles I will explore additional aspects of the CIP cyber security policy.

CIP Senior Manager’s Corner

Article summary

Sorry, I don’t have a summary of this article. This entire article is written for you, the CIP Senior Manager. I’ll resume the summaries in future articles.

Lew’s Recommendations

After reading this article I suggest that you review your established policies to see if they need revision. You should ensure all assets are covered, all required topics are addressed, and the policies express your strategic approach to security and compliance.

Consider establishing a process to ensure your policies are being implemented. For example, you could establish a quarterly review where your team looks at a process or procedure and describes how it contributes to your goals as expressed in your policies.

Consider sharing one or more of your policies. Venues where this can be done might include any trade associations you work with, the RF Compliance User Group, or the RF Critical Infrastructure Protection Committee.