A NERC CIP Quick Win = Recertification + Closed Loop Deprovisioning
Posted by Ash Motiwala on Sun, Apr 18, 2010
In my previous entry on NERC CIP compliance, I mentioned a few patterns that have emerged in addressing NERC CIP standards with IAM technologies. I also mentioned the importance of developing an IAM roadmap and executing on quick wins to demonstrate that your organization is making moves towards compliance. In this article, I'd like to highlight a great first quick win that your organization can practically make a reality in less than 6 months.
CIP-004-1 R4 is all about Revoking Access (Deprovisioning) and Reviews (Recertification). Read for yourself:
R4. Access — The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets.
R4.1. The Responsible Entity shall review the list(s) of its personnel who have such access to Critical Cyber Assets quarterly, and update the list(s) within seven calendar days of any change of personnel with such access to Critical Cyber Assets, or any change in the access rights of such personnel. The Responsible Entity shall ensure access list(s) for contractors and service vendors are properly maintained.
R4.2. The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.
Based on the above, a hybrid approach of automation and governance for recertification and deprovisioning will be your best bet towards demonstrating an effective quick win.
Automate, Automate, Automate...Recertification
Recertification (aka Access Reviews, aka Attestation) is the recurring process in which managers on both the business and IT sides of an organization review who has access to what. Most corporations accomplish this through spreadsheets and paper-based forms, which is typically inefficient and inaccurate, although if handled meticulously it can satisfy auditors. On the other hand, if you are required to review access every 3 months (as the NERC CIP standards demand) with stiff penalties if you miss something, it's time to look for a system to automate this.
Automation of recertification activities has a multitude of benefits. It not only eases the tough job of managing all of the data manually, but over time it can provide your compliance officer with the kind of views of the data that auditors love. It can make sure you don't forget critical aspects of your recertification approach, and it gives you historical data from your recertification cycles.
Automate Deprovisioning If You Can, although Governance is a Great Runner-Up
Deprovisioning is the process of removing a user's access to a specific system. As shown in CIP-004-1 R4 above, there are stringent requirements to remove access if a person is terminated for cause (24 hour time limit), and less stringent requirements to remove access (7 days) otherwise.
Automating deprovisioning is typically accomplished through a provisioning platform. "Connectors" are configured to take action against the target system. The platform also typically provides a user interface that a manager or authorized user can use to remove a user's access. The result is immediate revocation of the user's access in all integrated systems.
Sometimes automating deprovisioning can become a rather complex task if the NERC CIP Critical Assets are closed, proprietary systems. Custom connectors would then need to be developed, which could add risk and time to a project plan. In that situation, we suggest a closed-loop deprovisioning approach.
Closed-loop deprovisioning integrates with target systems (or data feeds of identities from target systems) in read-only mode. When a manager requests a deprovisioning action, the system simply e-mails the appropriate system administrator with instructions to manually remove the terminated user's access rights. The system then regularly pulls data from the target system to verify whether the requested action was taken. If not, policies can be configured to escalate or nag the appropriate people until it is done. The system also keeps a record of any violations that occurred, which is something auditors like to see.
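As an added illustration of the closed-loop approach (my own sketch, not code from any product mentioned here), the following tracks manual revocation requests against the R4.2 windows quoted above: it confirms removals from a read-only snapshot of each target's account list, flags a reminder for the administrator halfway through the window, and labels late or missed removals for the audit record. The user names, system names and poll times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

WINDOWS = {"terminated_for_cause": timedelta(hours=24),   # CIP-004-1 R4.2 windows
           "no_longer_required": timedelta(days=7)}

@dataclass
class RevocationRequest:
    user: str
    system: str
    reason: str                 # key into WINDOWS
    admin: str                  # who was e-mailed the manual removal instructions
    requested_at: datetime
    completed_at: Optional[datetime] = None
    nags: int = 0               # reminders sent to the admin so far

    @property
    def deadline(self) -> datetime:
        return self.requested_at + WINDOWS[self.reason]

def reconcile(requests: List[RevocationRequest], snapshot: Dict[str, Set[str]],
              now: datetime) -> List[Tuple[str, str]]:
    """Compare open requests with a read-only snapshot {system: accounts present} and
    return (user@system, status); status is pending/nag/completed/completed_late/overdue."""
    out = []
    for req in requests:
        if req.completed_at is None and req.user not in snapshot.get(req.system, set()):
            req.completed_at = now          # removal confirmed by the read-only feed
        if req.completed_at is not None:
            status = "completed" if req.completed_at <= req.deadline else "completed_late"
        elif now > req.deadline:
            status = "overdue"              # window missed: a violation to report
        elif now >= req.requested_at + WINDOWS[req.reason] / 2:
            req.nags += 1                   # halfway through the window: remind the admin
            status = "nag"
        else:
            status = "pending"
        out.append((f"{req.user}@{req.system}", status))
    return out

def demo() -> List[List[Tuple[str, str]]]:
    """Constructed scenario: two requests opened at t0, then three polls of the targets."""
    t0 = datetime(2010, 4, 18, 9, 0)
    reqs = [RevocationRequest("jdoe", "scada_hist", "terminated_for_cause", "ops-admin", t0),
            RevocationRequest("asmith", "ems", "no_longer_required", "ems-admin", t0)]
    polls = [(13, {"scada_hist": {"jdoe", "svc"}, "ems": {"asmith"}}),  # nothing removed yet
             (30, {"scada_hist": {"svc"}, "ems": {"asmith"}}),          # jdoe gone, but late
             (96, {"scada_hist": {"svc"}, "ems": set()})]               # asmith gone in time
    return [reconcile(reqs, snap, t0 + timedelta(hours=h)) for h, snap in polls]
```

Calling demo() returns the status list for each poll; the terminated-for-cause account removed at hour 30 comes back as completed_late, which is exactly the violation the audit record needs to retain.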
Last Words
Most clients we speak to have between 10 and 20 NERC CIP applications in their environment. It is very attainable to automate the recertification process for these applications and implement a closed-loop deprovisioning system within 6 months, end to end. In my next entry on this subject, we'll dive a little deeper into some of the nuances of such a project, as well as some practical first steps you can take.