In my previous entry on NERC CIP compliance, I mentioned a few patterns that have emerged in addressing NERC CIP standards with IAM technologies.  I also mentioned the importance of developing an IAM roadmap and executing on quick wins to demonstrate that your organization is making moves towards compliance.   In this article, I'd like to highlight a great first quick win that your organization can practically make a reality in less than 6 months.

CIP-004-1 R4 is all about Revoking Access (Deprovisioning) and Reviews (Recertification). Read for yourself:

R4. Access — The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets.
R4.1. The Responsible Entity shall review the list(s) of its personnel who have such access to Critical Cyber Assets quarterly, and update the list(s) within seven calendar days of any change of personnel with such access to Critical Cyber Assets, or any change in the access rights of such personnel.  The Responsible Entity shall ensure access list(s) for contractors and service vendors are properly maintained.  
R4.2. The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.

 Based on the above, a hybrid approach of automation and governance for recertification and deprovisioning will be your best bet towards demonstrating an effective quick win.

Automate, Automate, Automate...Recertification

Recertification (aka Access Reviews, aka Attestation) is the recurring process of reviewing accesses by managers on both the business and IT sides of an organization.  Most corporations accomplish this through the use of spreadsheets and paper-based forms, which is typically inefficient and inaccurate - although if handled meticulously, can satisfy auditors. On the other hand, if it is required to review accesses every 3 months (as by NERC CIP standards) with stiff penalties if you miss something, it's time to look for a system to automate this.

Attestation Automation of Recertification activities has a multitude of benefits. It not only eases the tough job of managing all of the data manually, but over time, it can provide your compliance officer with some great views of the data that auditors love.  It can make sure you don't forget critical aspects of your recertification approach, as well as give you historical data regarding from your recertification cycles.


Automate Deprovisioning If You Can, although Governance is a Great Runner-Up

Deprovisioning is the process of removing a user's access to a specific system.  As shown in CIP-004-1 R4 above, there are stringent requirements to remove access if a person is terminated for cause (24 hour time limit), and less stringent requirements to remove access (7 days) otherwise.

Automating Deprovisioning is typically accomplished through a provisioning platform.  "Connectors"Deprovisioning are configured to take action against the target system.  It also typically provides a user interface that can be used by a manager or authorized user to remove a user's access.  The result is immediate revocation of the user's access in all integrated systems.

Sometimes, automating deprovisioning can become a rather complex task if the NERC CIP Critical Assets are closed proprietary systems.  In this case, custom connectors will need to be developed which could add risk and time to a project plan.  In this case, we suggest a closed-loop deprovisioning approach.

Close-loop deprovisioning integrates with target systems (or data feeds of identities froclosed-loop deprovisioningm target systems) in read-only mode.  When a manager requests a de- provisioning action to take place, the system simply e-mails the appropriate system administrator with instructions to manually remove the terminated user's access rights.  The system regularly pulls data from the target system to validate if the requested action was taken.  If not, policies can be configured to escalate or nag the appropriate people to ensure that the action was taken.  It can keep track of any violations that may have occurred, which is something auditors like to see. 

Last Words

Most clients we speak to have between 10-20 NERC CIP applications in their environment. It is very attainable to automate the recertification process for these applications in addition to implementing a closed-loop deprovisioning system within 6 months, end to end.  In my next entry on this subject, we'll dive a little deeper on some of the nuances of such a project, as well as some practical first steps you can take.


If you are interested in setting up an IAM Workshop to help your organization get in line with NERC CIP regulations, here are a few things you could do: (1) Watch this webinar on IAM and NERC CIP, (2) Read this paper to learn how to define the appropriate stakeholders in your organization, and (3) Complete this IAM Discovery Workbook and Questionnaire


Ash Motiwala

Ash Motiwala

I’ve been in the identity space for most of my career, and I’m still passionate about it. Anyhow, a CTO is supposed to be the person who sets technical vision for the company, but honestly – Identropy has way too much brainpower for a single person to do that. Instead, I get my hands dirty with the customer development process, lend a helping hand wherever its needed, and I have the privilege to talk identity with some of the brightest minds in this space every day.