NERC CIP-008-5, Part 2.1, requires a Responsible Entity to:

"Test each Cyber Security Incident response plan(s) at least once every 15 calendar months:

  • By responding to an actual Reportable Cyber Security Incident;
  • With a paper drill or tabletop exercise of a Reportable Cyber Security Incident; or
  • With an operational exercise of a Reportable Cyber Security Incident."

Since you probably won't be responding to an actual Reportable Cyber Security Incident every year, you will need to perform a paper drill or operational exercise. It can seem difficult to design fresh scenarios that keep your Subject Matter Experts (SMEs) interested while still testing essential skills. This article provides tips to help you.

Tip #1: Make it fun. A playful scenario and atmosphere increase SME focus and learning. If the experience is different from the SMEs' other day-to-day tasks, they will contribute more to the exercise and get more out of it.

Tip #2: Brainstorm the scenario. This is an extension of making the experience fun. If you've been through a drill where everything you expected to happen did happen, you know it's not very fun. The best drills have the following:

  • A bad actor or actors with a tragic backstory fueling their motive, an opportunity to take action, and the means to perform the action. Remember that all bad actors believe, on some level, that what they are doing is justified, or else they wouldn't be doing it.
  • A vulnerability (real or plausible) in your system the bad actor can exploit.
  • A twist or perfect storm where a technology does the unexpected combined with people who are unavailable or misbehaving.

The scenario and objectives should be written down beforehand. Only limited details should be released to the participants at first. Then, over time, more details should be revealed, as they would be in a real situation. The scenario script should be read out loud by a person with a dynamic voice. A handout should be given to SMEs for reference and note taking.

Tip #3: Have refreshments. This will increase participation and improve the compliance and security culture.

With these three tips, you'll be better prepared to plan, execute, and document the test of your Cyber Security Incident Response Plan each CIP year (15 calendar months). Proven Compliance Solutions has helped other entities plan, execute, and document these tests, and it can help you and your organization as well.

NERC CIP supply chain management will be upon us in the near future. FERC issued Order 829, http://elibrary.ferc.gov/idmws/common/OpenNat.asp?fileID=14313640, on July 21, 2016, which requires NERC to file a CIP supply chain Standard (or amend an existing Standard) with FERC by September 2017.

What does this mean for the electric utility industry? The new (or amended existing) Standard must address these topics:

  • Software integrity and authenticity;
  • Vendor remote access;
  • Information system planning; and
  • Vendor risk management and procurement controls.

This feels a lot like it might turn out the way CIP-014 did: FERC wanted the industry to do something, so it created a Standard that could be applied lightly or with great intensity. Entities will probably have to cover the above topics in their plan, but they will probably have the flexibility to decide how to implement them and to what degree.

A big challenge with this concept is that a large portion of the security work must be done by third-party suppliers, while the NERC Standards apply to the registered entities, not to those suppliers. Another challenge is that of single-source providers. If a third party is the only provider of a widget and doesn't want to play by the rules, there must be a provision allowing the entity to keep using that third party, because maintaining operations comes first.

Stay tuned in the coming months for a draft Standard, comments, and voting.

There has been some confusion as to when entities need to complete CIP Version 5 training. Well, it's actually CIP-004-6, but let's just call it CIP v5, as that's what the new group of Standards is commonly called.

There have been some reports, such as this article by Curricula, that entities must re-train on CIP v5 topics by July 1, 2016 or else be in violation. The argument is that because v5 introduces new topics, a person who was trained on v3 topics in January 2016 and is not retrained by July 1, 2016 will have missed some v5 training topics.

A review of the NERC Petition for CIP v5 submitted to FERC on January 31, 2013 (page 654 of the PDF, page 3 of Appendix B - Implementation Plan) reveals that CIP-004-5, Part 2.3 is not due until 12 calendar months after the Effective Date, which would be by July 31, 2017. The relevant page is shown in this screenshot:

[Screenshot: NERC Petition, Appendix B - Implementation Plan, page 3 (image not reproduced)]

I checked with WECC CIP auditors this morning. Their audit approach is in line with the Implementation Plan and is similar to their approach on personnel risk assessments (PRA). If a PRA is completed prior to July 1, 2016, it is grandfathered in and another wouldn’t be needed until seven years from the last one. Similarly, if a person received CIP v3 training prior to July 1, 2016, that training would be good for another 15 calendar months. Any person newly receiving CIP access on July 1, 2016 or after would obviously be required to have CIP v5/6 training prior to gaining access.

This highlights the importance of being close to auditors in your Region.
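Both the CIP-008 test cadence ("at least once every 15 calendar months") and the training and PRA timing discussed in this post come down to computing deadlines the way the Implementation Plan does. The following is an added example, not part of the original post or of any NERC document: it applies the reading the post itself uses (July 1, 2016 plus 12 calendar months gives July 31, 2017, i.e. the last day of the target month) and flags roster entries whose deadline has passed. The roster names and dates are constructed, and the seven-year PRA cycle is computed as a same-day anniversary, which is this example's assumption rather than something the post spells out.

```python
from datetime import date
import calendar

V5_EFFECTIVE = date(2016, 7, 1)   # CIP v5 Effective Date named in the post
TRAINING_MONTHS = 15              # "good for another 15 calendar months"
PRA_YEARS = 7                     # PRA renewal "seven years from the last one"


def calendar_month_deadline(start: date, months: int) -> date:
    """Last day of the calendar month that is `months` months after `start`.

    This reproduces the post's own computation: 12 calendar months after
    July 1, 2016 is July 31, 2017. The same rule gives the CIP-008 test
    deadline and the 15-calendar-month training window.
    """
    if months < 0:
        raise ValueError("months must be non-negative")
    offset = start.month - 1 + months           # zero-based month index
    year = start.year + offset // 12
    month = offset % 12 + 1
    return date(year, month, calendar.monthrange(year, month)[1])


def anniversary(start: date, years: int) -> date:
    """Same calendar day `years` later; Feb 29 falls back to Feb 28.

    Assumption of this example: the seven-year PRA cycle is measured as a
    plain anniversary rather than in calendar months.
    """
    try:
        return start.replace(year=start.year + years)
    except ValueError:
        return start.replace(year=start.year + years, day=28)


def training_deadline(last_training):
    """Deadline for the next CIP training, or None if the person was never trained
    (and therefore must be trained before being granted access)."""
    if last_training is None:
        return None
    return calendar_month_deadline(last_training, TRAINING_MONTHS)


def pra_deadline(last_pra):
    """Deadline for the next PRA, or None if none was ever completed."""
    if last_pra is None:
        return None
    return anniversary(last_pra, PRA_YEARS)


def past_due(roster, as_of: date) -> list:
    """Names of people with a missing or expired training or PRA deadline."""
    names = []
    for person in roster:
        deadlines = (training_deadline(person["last_training"]),
                     pra_deadline(person["last_pra"]))
        if any(d is None or d < as_of for d in deadlines):
            names.append(person["name"])
    return names


# Constructed sample roster (hypothetical people and dates).
ROSTER = [
    {"name": "Alice", "last_training": date(2016, 1, 15), "last_pra": date(2010, 3, 1)},
    {"name": "Bob",   "last_training": date(2015, 4, 30), "last_pra": date(2014, 6, 12)},
    {"name": "Carol", "last_training": None,              "last_pra": None},
]

if __name__ == "__main__":
    print("CIP-004-5 Part 2.3 due:", calendar_month_deadline(V5_EFFECTIVE, 12))
    for p in ROSTER:
        print(p["name"], "training due", training_deadline(p["last_training"]),
              "PRA due", pra_deadline(p["last_pra"]))
    print("past due on 2016-08-01:", past_due(ROSTER, date(2016, 8, 1)))
```

Bob's v3 training on April 30, 2015 is grandfathered under the auditors' reading, so his v5 training is not due until July 31, 2016; a report run on August 1, 2016 is the first one that lists him, while Carol, who has no training or PRA on record, is listed on any date.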


Reliability First (RF), a Regional Entity tasked with compliance audits and enforcement, recently revealed more details on the highest penalty ever levied on a registered electric entity for violations not related to an event. The penalty was $1.7 million.

The largest penalty to date is the $25 million whopper issued to Florida Power & Light Co. (FPL) for the February 2008 blackout, in which millions of people in South Florida lost power for several hours. That was for actual impact on society. This penalty was for the risk of actual impact: nothing bad ever happened, but the risk was high. The Ukraine attack probably didn't help decrease this fine. The December 2015 cyber attack left about 225,000 customers without power for several hours and is the first publicly acknowledged power outage caused by a cyber attack in the history of the world. That event has increased awareness of the importance of cyber controls, such as CIP, and the appetite for stronger fines and sanctions for non-compliance.

The entity in violation was not specifically named because it was CIP related, and potential cyber vulnerabilities could attract attackers. However, there is much to be learned from this situation.

  • RF conducted a CIP audit in 2011 and found 19 violations. RF conducted another audit in 2014 and found 36 CIP violations (only 43 CIP Requirements existed). The entity submitted Mitigation Plans in between those audits, but obviously they didn't sufficiently address the root causes.
  • RF found the entity treated compliance as separate from security. The compliance department lacked sufficient authority and power to effect change, a sign of a poor culture of compliance. This led to issues such as three Physical Security Perimeter doors being altered so that they didn't lock, letting people enter without the "burden" of security.
  • RF found the entity didn't have the proper expertise to identify and fix issues. This could have been prevented by increasing internal resources or engaging outside help.
  • RF found the entity had unusually severe business-silo problems. This led to issues such as separate training, personnel risk assessment, and access provisioning/revoking programs (nine different violations in this case). Silos exist to some extent at all companies by nature, but this company lacked the coordination and central oversight needed to minimize them.
  • The entity didn't file Mitigation Plans until eight months after the 2014 audit, and the plans it filed didn't properly mitigate the issues. The entity was late completing milestones, and RF found it had not completed four plans it said it had.
  • The RF president met with the entity's president, prompting change in senior leadership awareness, resource amounts, and organizational structure.

We have all seen these issues in some form or other, to some degree or other. They aren't unique to any one company but shared by all. This is a good reminder of the financial and reputational blows that can come from non-compliance. Many companies are working with Proven Compliance Solutions for help in establishing solid, achievable compliance programs, as well as to perform gap analyses, conduct mock audits, and deliver training.

See https://www.rfirst.org/Pages/Newsletter.aspx for the May June 2016 Reliability First newsletter (pg. 7-8).

See https://www.ferc.gov/media/news-releases/2009/2009-4/10-08-09.asp for $25 million fine details.
SANS and the E-ISAC released a report on the 2015 Ukraine power outage. It has garnered a lot of attention because it is the first known, or publicly acknowledged, power outage caused by hackers. On December 23, 2015, about 225,000 customers lost power for several hours.

Bad actors got in by sending targeted emails, also known as spear phishing emails, to Ukraine power company personnel. Phishing is an attempt to get sensitive information by pretending to be a trustworthy source. Spear phishing is targeted phishing. Think of phishing as casting a wide net, while spear phishing is targeting only a select number of people.

Hackers sent these emails about six months prior to the outage, appearing to be from a reputable source, with Excel and Word attachments containing BlackEnergy 3 malware. We all love to open Excel and Word documents, right? Once opened, users were encouraged to enable macros, something we also like to do, which allowed the installation of BlackEnergy 3. This let the attackers steal login credentials, log in remotely, and open breakers to cause the power outage.

There are many morals to the story, but the one of interest here is that spear phishing is perhaps the greatest threat to a good cyber security program. If someone opens a malicious attachment, your anti-virus tools may or may not catch it. The best defense is a well-informed and disciplined user:

  • Don't open attachments from untrusted senders.
  • If you see an unusual email from a trusted sender, call them to verify they really sent it to you. Trust your instincts. You'll notice something off in the spelling, the tone, or the action they want you to take.
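The post notes that anti-virus may or may not catch a malicious attachment, and the Ukraine intrusion relied on Office documents that asked the user to enable macros. A complementary technical control is to hold macro-enabled documents at the mail gateway for review before a user ever sees the "enable macros" prompt. The following is an added example, not code from the SANS/E-ISAC report or from the post: it inspects an attachment's bytes rather than its file extension (a renamed file would defeat an extension filter), recognizes the two Office container formats, and lists which attachments to hold. The sample attachments are constructed in memory and contain no real document content.

```python
import io
import zipfile

# Magic bytes of the two Office container formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc / .xls
ZIP_MAGIC = b"PK\x03\x04"                         # Office Open XML (.docx/.xlsx/.docm/.xlsm)

OOXML_ROOTS = ("word/", "xl/", "ppt/")


def classify_office_attachment(data: bytes) -> str:
    """Classify an attachment by container type and presence of a VBA project.

    Returns one of:
      'macro-enabled'  OOXML package carrying a vbaProject.bin part
      'no-macros'      OOXML package without a VBA project
      'legacy-binary'  OLE compound file; macros cannot be ruled out without
                       parsing the OLE streams, so it needs review
      'not-office'     anything else
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "not-office"
    if not any(n.startswith(OOXML_ROOTS) for n in names):
        return "not-office"              # a zip, but not an Office package
    if any(n.endswith("vbaproject.bin") for n in names):
        return "macro-enabled"
    return "no-macros"


def quarantine_list(attachments: dict) -> list:
    """Names of attachments a mail gateway should hold for review before delivery."""
    hold = {"macro-enabled", "legacy-binary"}
    return sorted(name for name, data in attachments.items()
                  if classify_office_attachment(data) in hold)


def _package(parts: dict) -> bytes:
    """Build a minimal OOXML-style zip in memory (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample attachments; none of these are real documents or malware.
SAMPLE_ATTACHMENTS = {
    "schedule.docx": _package({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
    }),
    "outage_report.xlsm": _package({
        "[Content_Types].xml": "<Types/>",
        "xl/workbook.xml": "<workbook/>",
        "xl/vbaProject.bin": b"\x00" * 64,   # stand-in for a VBA project stream
    }),
    "legacy_notes.doc": OLE_MAGIC + b"\x00" * 504,
    "readme.txt": b"plain text, nothing to see here",
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(f"{name:20s} {classify_office_attachment(data)}")
    print("hold for review:", quarantine_list(SAMPLE_ATTACHMENTS))
```

Holding legacy binary documents as well as macro-enabled OOXML files is deliberate: the old OLE format stores VBA inside its own streams, and this check does not parse those, so the conservative choice is to route such files to a reviewer rather than assume they are clean.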
