case study

Comprehensive Firewall Ruleset Review

The Beginning

NST began work in 2023 with an analysis of the utility’s Reliability Standard Audit Worksheets (RSAWs) and Evidence Request Tools (ERTs) for CIP-002, -003, -006, -009, and -011. The analysis consisted of a review for completeness, legibility, and demonstration of compliance. NST followed this engagement by interviewing SMEs to address gaps in the provided documentation and to gain further insight into the utility’s processes and overall compliance posture.

Subsequently, NST commenced a Gap Assessment and Mock Audit across all remaining applicable CIP standards. NST conducted the subsequent data requests and analyses in a manner consistent with the appropriate Regional Entity’s audit process, including “Level 1” and “Level 2” data requests, RSAWs, and performance records. Informed by the data requests, NST initiated SME interviews in the “show me the evidence” style typically used during a CIP audit, to prepare SMEs for the most intense form of questioning possible. NST also mimicked other aspects of a real audit, such as calling for a caucus to interrupt the flow of evidence and asking for information irrelevant to the requirement being assessed. These tactics tested the resolve of the utility’s SMEs to remain focused on demonstrating compliance for their area of expertise and to avoid responses that might expose unrelated parts of the CIP program to scrutiny.

Next Steps

During the Mock Audit, NST identified gaps in the utility’s firewall management as part of their CIP-005 program. Accordingly, the utility requested that NST perform a review of their firewall rulesets with emphasis on CIP-005 R1 and R2. Provided with the firewall rulesets and configurations, together with justifications for enabled rules, NST used a commercial network parsing tool, Python plugins, and manual line-by-line scrutiny of Access Control Lists (ACLs) to evaluate the rulesets and highlight all potential paths into and out of an Electronic Security Perimeter (ESP). This validation of Interactive Remote Access (IRA) through the firewall allowed NST to identify:

  • Overly permissive rules,
  • Inconsistent or overly permissive network and service object groups,
  • Enabled rules with insufficient or missing business justifications, and
  • Enabled rules with comments indicating temporality, testing, or need of review.
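As an added illustration (not NST’s tooling or the utility’s configuration), the following Python script applies the four checks above to a constructed, vendor-neutral object-group table and inbound ESP rule list; the thresholds (a /24 prefix and a 20-character justification) are assumptions chosen for the example.

```python
import ipaddress
import re

# Constructed sample (not from any real utility): object groups plus an inbound ESP rule list.
OBJECT_GROUPS = {
    "ESP_EMS_SERVERS": ["10.10.1.10/32", "10.10.1.11/32"],
    "CORP_JUMP_HOSTS": ["10.20.5.5/32", "10.20.5.6/32"],
    "ALL_CORP": ["10.0.0.0/8"],      # far wider than an ESP boundary should allow
    "VENDOR_ANY": ["0.0.0.0/0"],     # effectively "any"
}
RULES = [  # (rule id, source, destination, service, business justification, comment)
    ("ESP_IN-1", "CORP_JUMP_HOSTS", "ESP_EMS_SERVERS", "tcp/22",
     "IRA from intermediate system per CIP-005 R2.1, change CR-2023-014", ""),
    ("ESP_IN-2", "ALL_CORP", "ESP_EMS_SERVERS", "tcp/3389", "RDP for ops", ""),
    ("ESP_IN-3", "VENDOR_ANY", "ESP_EMS_SERVERS", "ip", "",
     "TEMP vendor access - remove after test"),
    ("ESP_IN-4", "CORP_JUMP_HOSTS", "ESP_HISTORIAN", "tcp/443",
     "HTTPS to historian per change CR-2023-021", "needs review"),
]

BROAD_PREFIX = 24        # assumption: a prefix shorter than /24 at the ESP edge is overly permissive
MIN_JUSTIFICATION = 20   # assumption: a justification shorter than this is insufficient
FLAG_WORDS = re.compile(r"\b(temp|temporary|test|testing|review|tbd|todo)\b", re.I)

def resolve(endpoint):
    """Networks named by an object group or a literal prefix, or None if the group is undefined."""
    if endpoint in OBJECT_GROUPS:
        return [ipaddress.ip_network(m) for m in OBJECT_GROUPS[endpoint]]
    try:
        return [ipaddress.ip_network(endpoint)]
    except ValueError:
        return None

def review_rules(rules=RULES):
    """Return (rule id, category, detail) findings for the four classes the review looks for."""
    findings = []
    for rid, src, dst, svc, just, comment in rules:
        for label, ep in (("source", src), ("destination", dst)):
            nets = resolve(ep)
            if nets is None:   # rule references a group that no longer exists: inconsistent groups
                findings.append((rid, "inconsistent-object-group", f"{label} {ep} is undefined"))
            elif any(n.prefixlen < BROAD_PREFIX for n in nets):
                findings.append((rid, "overly-permissive", f"{label} {ep} wider than /{BROAD_PREFIX}"))
        if svc.lower() in ("ip", "any"):
            findings.append((rid, "overly-permissive", "service is any/ip"))
        if len(just.strip()) < MIN_JUSTIFICATION:
            findings.append((rid, "missing-justification", "justification absent or too short"))
        if FLAG_WORDS.search(comment):
            findings.append((rid, "needs-review", f"comment: {comment!r}"))
    return findings
```

Each finding carries the rule id so it can be traced back to the ACL line and its justification record during the line-by-line review.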

With the results of the firewall ruleset review, NST developed recommendations to improve efficiency, clarity, and sustainability, as well as to enhance device hardening and overall security posture. NST and the utility collaborated to develop an actionable remediation plan to improve compliance with CIP-005.

Ongoing Support

NST continues to support the utility through a semiannual (2x per year) checkup to ensure that firewall rulesets and configurations continue to adhere to both security and compliance obligations.
