NERC CIP-003 and CIP-008 Incident Response Exercise

NERC and the Regions require that the initial CIP-003-6 Low Impact Cyber Security Incident Response exercise be completed by April 1, 2017. Proven Compliance Solutions (PCS) helped its clients perform this exercise by facilitating tabletop exercises. The result was a better understanding of Incident Response Plans and improved inter-departmental communication for the entities.

Performing exercises often reveals lessons learned. It also keeps procedures fresh in the minds of Subject Matter Experts (SMEs), who may have to follow those procedures late at night or on weekends, when they may not expect to do so.

PCS has found that the most difficult thing for entities to do is plan a meaningful scenario. Often the exercise is scheduled with the appropriate SMEs, who arrive at the meeting and look to the meeting organizer for what to do next. They read through the Incident Response Plan and talk through a few light scenarios. While this could be considered compliant if proper notes are documented to capture the exercise, the value increases if realistic, engaging scenarios are planned in advance.

To plan scenarios, entities could ask themselves the following questions:

  • Which business units and SMEs should participate?
  • What are our attack vectors? How might an attacker actually affect our CIP systems?
  • Is the attack just electronic or will it have a physical security component?
  • At what point should the scenario require communication from the person/group who sees it to the Incident Response Team?
  • At what point should the Incident Response Team notify the Electricity Information Sharing and Analysis Center (E-ISAC)?
  • Will CIP systems need to be contained, eradicated, and restored?

The same exercise performed for CIP-003-6 can also be used for CIP-008-5 for High/Medium Impact systems if the same Incident Response Plan and response teams are used.

With a meaningful scenario, entities get more value from the Incident Response exercise. If your entity did not complete a Low Impact exercise by April 1, it is best to complete one right away and file a report with your region. PCS can assist entities with these efforts.
