Building a Unified Cybersecurity Program: Tackling Multiple Standards
In today’s energy and infrastructure sectors, some organizations face the challenge of navigating several cybersecurity frameworks, such as NERC CIP, TSA Pipeline Security Directives, and FERC D2SI for dam safety. While these standards share common goals—protecting critical infrastructure and ensuring cybersecurity resilience—managing them separately can lead to inefficiency and confusion.
The Challenge of Fragmented Compliance
Many entities tackle each framework independently, creating distinct processes for NERC CIP, TSA Pipeline Security, and FERC D2SI. This siloed approach causes overlapping efforts, increases complexity, and makes it difficult for teams to know whether they’re meeting one or multiple standards with a single control. Worse, this confusion complicates audit preparation, where regulatory bodies require separate documentation for compliance.
A Unified Approach With a “High Water Mark”
One approach NST’s clients have used successfully is a “high water mark” strategy. This means building a cybersecurity program that, for each common control, meets the strictest requirement found across the applicable frameworks, with attention focused on the higher-risk items. For example, if NERC CIP has the most rigorous controls for a common element, organizations can design their programs to meet this threshold. By doing so, they also cover the less stringent versions of that element in other frameworks, such as TSA Pipeline Security and FERC D2SI.
However, this approach doesn’t mean ignoring other standards. By focusing on areas where frameworks overlap, like vulnerability management, organizations can unify processes across departments, enhancing their compliance posture without duplicating effort.
Maintaining Clear Separation for Audits
While a unified program is essential for efficiency, it’s critical to maintain clear separation for reporting. NST helps our clients ensure that controls are appropriately segmented, so that each regulatory body reviews only the relevant evidence. For instance, FERC D2SI’s reporting requirements for dam safety should remain distinct from NERC CIP performance records, even though both can be governed by a single Incident Response Plan.
Mapping and tagging controls to relevant standards allows teams to trace specific activities to the required frameworks. This way, organizations can quickly pull the right data for audits without blurring lines between standards.
Efficient Reporting with Unified Programs
NST’s clients have used centralized cross-functional control mapping to log and document all cybersecurity activities. Mapping allows for the tracking of data for each regulatory body, which supports compliance without generating redundant or confusing documentation. By maintaining clear audit trails, organizations can support their compliance posture while responding quickly and confidently to regulatory audits.
Balancing Unification and Separation
The balancing act between unifying a cybersecurity program and keeping compliance activities distinct is delicate but achievable. By taking a “high water mark” approach, companies can simplify their processes while still meeting the highest standards required across multiple frameworks. The key is to build a robust, unified program that covers all critical cybersecurity controls while ensuring that activities are documented, tracked, and reported separately in a way that satisfies each framework's unique requirements.
In 2017, the release of FERC’s Division of Dam Safety and Inspections (D2SI) prompted a renewable energy utility to request NST’s assistance in developing a cybersecurity program. With the utility already in compliance with the NERC CIP Standards, NST developed a single cybersecurity program accommodating the most rigid requirements between the two frameworks. The integration of controls between standards lessened the burden of maintenance, minimized duplication of effort, and allowed for SMEs to more easily understand and demonstrate compliance with both sets of guidelines simultaneously.
The development of formal documents requires carefully crafting narratives and using words and phrases that align with the specific wording of the individual requirements in the standards. For example, “physical perimeters” was identified as a term that addresses both the NERC CIP-006 “Physical Security Perimeter” and D2SI’s requirement to “Provide physical security and access controls to cyber assets.”
For some requirements, there will be the need to address a single Standard. For example, it was necessary for the organization to identify a “CIP Senior Manager” to address CIP-003, and by association the FERC D2SI subject facilities, in the absence of an explicit corollary in the latter Standard. Thus, some documents have sections that address only one of the two Standards.
In 2021, a large multinational utility requested NST’s assistance in developing a program compliant with controls across multiple cybersecurity frameworks. The utility, subject to contractual obligation, needed the program to simultaneously support:
· NERC CIP,
· ISO 27001,
· ISO 27019,
· IEC 62443-4-1,
· IEC 62443-3-2, and
· The utility’s corporate compliance policy.
To ease the burden of tracking so many different controls, NST developed a mapping across all the standards to identify and compare “high water marks”, allowing the utility to prioritize the most rigid requirements. This mapping improved clarity between frameworks and simplified the identification of gaps. With the mapping in place, NST conducted a Gap Assessment to analyze the utility’s compliance posture across all in-scope standards. The results informed the subsequent creation of a project plan which incorporated NST’s observations on:
· Compatibility of proposed or current infrastructure/systems/tools to support compliance,
· Resources/FTE allocations required for long-term program maintenance,
· Timeline and milestones for compliance program development, and
· Cross-standard/common features for solution design decisions.
During a long-term engagement, a large electric and natural gas utility needed NST’s support to develop a patch management program compliant with both NERC CIP and TSA’s Pipeline Security Directive. Though NERC CIP mandated a monthly review of newly released patches, the TSA Directive allowed the utility to choose the length of its discovery cycle. Though much of the installed software and applications were shared between both networks, the utility struggled with juggling multiple obligations at once. As such, NST recommended that the utility adopt the CIP-specified time frame of once every 35 days in its OT Gas SCADA network as well. While this periodicity may be more frequent than what TSA audit teams expect, the adoption allowed the utility to avoid duplication of effort and simplified the patching program. The solution improved efficiency, enabled personnel to focus on other responsibilities, and required the generation and gas pipeline teams to remove silos and communicate with one another.
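The control mapping described above (tagging evidence to the frameworks it satisfies, selecting the “high water mark” periodicity for a shared control, and pulling only the relevant evidence for each regulator) can be expressed as a small data model. The following is an added illustration, not NST’s tooling or any client’s records: the requirement table and evidence entries are constructed sample data, the citation `CIP-007 R2` is assumed as the home of the 35-day patch review cycle the text describes, and the other framework references are paraphrased from the article rather than quoted from the standards.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Requirement:
    framework: str          # regulatory body / standard the requirement belongs to
    ref: str                # citation within that framework
    control: str            # common control name shared across frameworks
    max_days: Optional[int] # fixed review period, or None if the entity chooses / not periodic

@dataclass(frozen=True)
class Evidence:
    control: str            # which common control this artifact supports
    description: str
    tags: frozenset         # frameworks this artifact may be shown to

# Constructed sample mapping. The 35-day figure is from the article; the
# CIP-007 R2 citation is an assumption for illustration only.
REQUIREMENTS = [
    Requirement("NERC CIP", "CIP-007 R2 (assumed citation)", "patch_review", 35),
    Requirement("TSA Pipeline SD", "patch review (entity-chosen cycle)", "patch_review", None),
    Requirement("NERC CIP", "CIP-006 Physical Security Perimeter", "physical_perimeter", None),
    Requirement("FERC D2SI", "physical security and access controls", "physical_perimeter", None),
    Requirement("NERC CIP", "CIP-003 CIP Senior Manager", "senior_manager", None),
    Requirement("NERC CIP", "Incident Response Plan", "incident_response", None),
    Requirement("FERC D2SI", "Incident Response Plan", "incident_response", None),
]

# Constructed evidence log; each artifact is tagged with the frameworks it satisfies.
EVIDENCE = [
    Evidence("patch_review", "2024-03 patch assessment, OT Gas SCADA",
             frozenset({"NERC CIP", "TSA Pipeline SD"})),
    Evidence("physical_perimeter", "badge access review, powerhouse", frozenset({"FERC D2SI"})),
    Evidence("physical_perimeter", "PSP access log review, substation", frozenset({"NERC CIP"})),
    Evidence("incident_response", "IRP annual test", frozenset({"NERC CIP", "FERC D2SI"})),
]

def high_water_mark(reqs, control):
    """Return the requirement with the tightest fixed periodicity for a shared control.

    Frameworks that let the entity choose the cycle (max_days None) never win,
    so adopting the returned cycle everywhere satisfies them as well.
    Returns None when no framework fixes a period for that control."""
    fixed = [r for r in reqs if r.control == control and r.max_days is not None]
    return min(fixed, key=lambda r: r.max_days) if fixed else None

def evidence_for(evidence, framework):
    """Pull only the artifacts a given regulator is entitled to see, in log order."""
    return [e for e in evidence if framework in e.tags]

def coverage_gaps(reqs, evidence):
    """(framework, control) pairs with a requirement but no evidence tagged for that framework."""
    covered = {(fw, e.control) for e in evidence for fw in e.tags}
    return {(r.framework, r.control) for r in reqs} - covered

if __name__ == "__main__":
    hwm = high_water_mark(REQUIREMENTS, "patch_review")
    print(f"unified patch cycle: every {hwm.max_days} days (driven by {hwm.framework}, {hwm.ref})")
    for fw in ("NERC CIP", "TSA Pipeline SD", "FERC D2SI"):
        print(fw, "->", [e.description for e in evidence_for(EVIDENCE, fw)])
    print("gaps:", sorted(coverage_gaps(REQUIREMENTS, EVIDENCE)))
```

Running the block shows the two halves of the balancing act at once: `high_water_mark` picks the 35-day CIP cycle as the single program-wide period, while `evidence_for` keeps each regulator’s audit package limited to artifacts tagged for it, and `coverage_gaps` surfaces a requirement (here the CIP Senior Manager designation) that the evidence log does not yet support.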