Title: CIP Compliance Training Workshop
1. CIP Compliance Training Workshop
2. Workshop Introduction
3. CIP Background
- The NERC CIP Standards are nine sets of requirements for protecting the reliability of the bulk electric system.
- This workshop focuses on CIP standards -002 through -009. We are required to comply with these standards as of 12/31/2009.
4. CIP-001 - Sabotage Reporting
- CIP-001 requires us to provide:
  - Guidelines for employees on indications of possible sabotage.
  - Procedures for reporting incidents to specific authorities.
- Our compliance with CIP-001 was established as of June 2007. Printed procedures for reporting incidents should be present in plant control rooms.
- CIP-001 is outside the scope of this workshop.
5. Where we are: 2009 accomplishments
- Defined a risk-based methodology and used it to identify our critical assets (CAs) and critical cyber assets (CCAs)
- Enclosed CCAs within required physical security perimeters
- Inventoried components of critical cyber assets and established electronic security perimeters to protect them
- Identified and certified employees who have unescorted access to CCAs
- Delivered training and initiated awareness program
- Created policies and program documents as required by CIP-002 through CIP-009
6. Purpose of this workshop
- Explain required CIP policies, programs, and procedures
- Identify the Intranet NERC CIP page as the source of published documents
- Discuss details of implementing standards CIP-002 through -009 at your facility
- Describe each of your roles and responsibilities for compliance
- Identify the kinds of evidence you need to save to be prepared for NERC audits
- Show the CIP SharePoint Evidence Repository that you will use for posting evidence
- Answer questions and discuss procedures as needed
7. Compliance roles for plant staff
- Plant Managers: responsible for overall CIP compliance at their facilities
- CIP coordinators: coordinate compliance activities and participate in annual reviews of policies and programs
- Critical cyber asset administrators: ensure compliance with CIP standards in the operation of CCAs
8. CIP-002 through CIP-009 framework
9. Q&A
10. Policies, Programs, and Procedures
[Diagram: Policies, Programs, Procedures]
- Policies affirm that we will comply with the CIP Standards.
- Programs explain, at an enterprise level, how we will comply with the CIP requirements.
- Procedures provide details on the steps employees must follow to conform with the programs.
11. Example: Critical Cyber Asset Information
- The CIP Cyber Security Policy simply states that, in accordance with CIP-003, we will identify, classify, and protect information associated with our critical cyber assets.
- The Critical Cyber Asset Information Protection Program defines CCAI, explains how it should be identified and collected, and states that a checkout procedure must be in place for employees to access that information.
- Within that program is a CCAI Checkout Procedure. Additional procedures could be developed at each location to further spell out the steps required to conform to the Critical Cyber Asset Information Protection Program.
[Diagram: Policies, Programs, Procedures]
12. NERC CIP Compliance Monitoring
- NERC uses these processes to monitor and enforce compliance with CIP through the Regional Entities (RFC, NPCC, WECC):
  - Self certification
  - Self reporting
  - Spot checks
  - Compliance audits
13. Q&A