Transitioning to NERC CIP Version 5

The North American Electric Reliability Corporation (NERC) has initiated the transition to Critical Infrastructure Protection (CIP) Version 5. The new standards offer improvements over the current Version 3 requirements. The Energy and Utilities team at Baker Tilly specializes in compliance readiness, program management, audit support, and mitigation planning for NERC Reliability standards. To find out where you are and where you need to be, perform a self-assessment using the following questions:

1. Do you have any Critical Assets and/or Critical Cyber Assets under CIP Version 3?

As a registered entity, you likely have something implemented for Version 3. However, what you have implemented can range from extremely minimal with a null list of Critical Assets and Critical Cyber Assets, to extremely robust with thousands of Critical Cyber Assets.

Your current CIP Version 3 program will definitely have an impact on your preparedness for Version 5. Wherever possible, your Version 3 program and compliance culture can be leveraged to prepare for Version 5.

2. Will you have any BES Cyber Assets and BES Cyber Systems under Version 5?

If you know you won’t have any High or Medium Impact Bulk Electric System (BES) Cyber Assets or BES Cyber Systems under Version 5, you are two steps ahead of many entities. Not only have you already assessed the impact of Version 5 on your organization, you already know that the controls you’ll be required to implement will be minimal. You are in great shape for Version 5!

Of course, not every registered entity is in this enviable position. Your entity may not have taken the steps to identify the scope of Version 5’s impact and the systems and assets that will require protection. Alternatively, your entity may understand that you will have Medium or High Impact BES Cyber Assets or BES Cyber Systems, but you may still have a daunting series of transition steps ahead of you.

3. If you have BES Cyber Assets and BES Cyber Systems under Version 5, have you identified them?

You may already know that the answer to this question involves two distinct activities. Identifying BES Cyber Assets is one step. This is a consideration of each individual asset’s impact on BES reliability. This is not the same activity as identifying BES Cyber Systems. The identification of BES Cyber Systems is, potentially, an iterative process, and it’s definitely a strategic one. Your entity will want to achieve efficient compliance by effectively protecting appropriate devices. Many entities are somewhere in the middle of this process, while some haven’t even started.

4. Will you have more or fewer assets/systems to protect under Version 5 than Version 3?

The transition for your organization may look very different from the transition of the entities around you. Your entity may be obligated to implement more protections for fewer devices.

5. Have you completed your gap analysis for the required controls?

If you have any BES Cyber Assets or BES Cyber Systems at all, a gap analysis will be necessary. A Version 3 CIP program, no matter how robust or complex, will not be sufficient for Version 5 compliance.

6. Do you have your transition activities planned?

After your entity has completed its gap analysis, the transition activities can be identified and scheduled. This should not be left to estimates, guesswork, or rough timelines. This is an area that requires precision and detailed inventories/assessments. Compliance activities missed during the transition could lead to uncomfortable discoveries during audit—missed devices, forgotten bookending activities, or insufficient control implementations.

This is also a process that requires decisions, project management, and, potentially, the purchase and implementation of new infrastructure. This is likely the most important step in Version 5 preparedness.

7. Do you plan to document your internal controls for participation in the Reliability Assurance Initiative while you implement your Version 5 controls?

Regardless of your CIP compliance efforts, having your IT controls documented is critical to understanding the risk to your infrastructure, assets, and information. Along with CIP compliance, having your internal controls documented is critical to taking advantage of the Reliability Assurance Initiative (RAI). If your entity has some or all of its internal controls documented, that’s a big head start. If not, this is where Baker Tilly can help with understanding how to scope and execute this complex and time-consuming task. Done correctly and maintained, IT control documentation can be an invaluable reference for any IT department.

8. Are your internal controls documented and mapped to the CIP Standards?

Even if your entity has documented its internal controls, they may not be mapped to the requirements in the CIP Standards. While this is not a required activity, the faster your auditors can find the answer to “how is your organization ensuring compliance with this requirement,” the faster your audit will be over and the more clearly you can defend your program. This mapping will also help you understand how changes to the requirements, Compliance Application Notices, and Compliance Analysis Reports will impact your ability to be compliant and any new controls you may need to implement. It also makes completing your Reliability Standards Audit Worksheets much easier and faster. If your Subject Matter Experts are like many, they had a full time job before CIP compliance. Who doesn’t want to free up more of their time?

9. Do you have a document/evidence map for the CIP Standards?

Again, this isn’t a required step, but it can make your audit prep, audit response, mitigation activities, and RAI participation much easier. Once your internal controls are identified and documented, this is the next step to being able to understand your whole compliance program at a glance. This can also help identify streamlining opportunities for your processes and find cross-functional dependencies on the same documents. In other words, when one group makes improvements, they won’t create a compliance risk for a different group.

You now have a better idea of where your entity is with the upcoming transition to Version 5. Contact a member of our Energy and Utility team today to discuss how your organization will comply with the requirements for the new standards.