A recent NIST cybersecurity white paper describes a mapping initiative between the NERC CIP standards and the NIST Cybersecurity Framework (NIST CSF) aimed at the cybersecurity challenges of the electricity sector. The mapping helps organizations mature and align their compliance and security programs and better manage risk. It also shows which CSF subcategories can support a more mature CIP requirement compliance program while improving security posture and potentially reducing the organization’s security and business risk.
The mapping spreadsheets show which subcategories and the informative references by extension can help organizations achieve a more mature critical infrastructure protection requirement compliance program, according to the white paper. Along with the compliance maturity, the user gains additional resources on how to improve their security posture and potentially reduce their organization’s security and business risks.
The NERC’s standards-driven cybersecurity requirements and NIST’s framework for assessing and mitigating cybersecurity risk are complementary in nature. NERC and NIST personnel have partnered to update the mapping between NERC CIP and the CSF to provide confidence to organizations seeking to secure their electric system infrastructure and operations. The NIST CSF delivers guidance on how both internal and external stakeholders of organizations can manage and reduce cybersecurity risk.
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards have been designed to mitigate the risk of a compromise that could lead to misoperation or instability in the bulk electric system (BES), according to the document. Their scope is restricted to BES cyber systems that would impact the reliable operation of the BES. The reliability standards cover topics like the identification and protection of BES cyber assets, defining logical isolation perimeters, personnel and training, BES cyber system security management, disaster recovery planning, physical security, and supply chain risk management.
An initial mapping between the CSF v1.0 and NERC CIP Standards (both Versions 3 and 5) was completed in late 2014 by the NERC Control Systems Security Working Group, which was part of the former NERC Critical Infrastructure Protection Committee, according to the white paper. Since that time, both the NERC CIP Standards and the CSF have been updated, and a new mapping was needed.
Building on the 2014 effort, NERC and NIST updated the mapping to reflect CSF v1.1 and the latest NERC CIP Reliability Standards, the white paper said. In the spring of 2020, the NERC Compliance Input Working Group (now known as the Security Working Group, or SWG, part of the Reliability and Security Technical Committee) reviewed the mapping and provided recommendations for improving the resource.
In the final mapping, there are three distinctive spreadsheet tabs. The NIST CSF 1.1 to CIP v5 is oriented toward the CSF subcategories. This tab shows the NERC CIP Standards that map to each subcategory of the CSF Core, according to the white paper. A row is included for each unique mapping between a NERC CIP Standard and a CSF subcategory. Each row also includes a justification for the mapping, provides mappings to relevant Cybersecurity Capability Maturity Model (C2M2) practices, and lists industry recommended implementation guidance. The C2M2 maturity model focuses on the implementation and management of cybersecurity practices associated with IT and operational technology (OT) assets and the environments in which they operate.
The ‘CIPv5 to CSF 1.1 XREF’ tab reverses the mapping to focus on the NERC CIP Standards, listing the CSF subcategories that align with each NERC CIP standard requirement. A NERC CIP standard may span multiple rows if it contains multiple requirements, the white paper said.
The ‘Pivot’ tab shows the same information as the ‘CIPv5 to CSF 1.1 XREF’ tab but is configurable. Users can expand or collapse each NERC CIP standard. They can also choose additional information to view, including function, category and subcategory information from the Cybersecurity Framework, C2M2 maturity indicator levels for each subcategory, or guidance from the first tab.
The mapping intends to help an organization mature its compliance and security programs, as they should be aligned. Subject matter experts are developing a companion tool to facilitate industry use of the NERC CIP-to-CSF mapping, the white paper said. The tool uses the mapping to help organizations self-assess their current security and compliance posture and develop an improvement plan for addressing identified gaps. The tool is the result of a collaborative effort by industry volunteers from NERC’s Reliability and Security Technical Committee Security Working Group and representatives from NERC and NIST.
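To make the three spreadsheet orientations and the self-assessment idea concrete, here is an added Python example (not the NIST/NERC spreadsheet or the SWG companion tool). It models a crosswalk as rows of (CSF subcategory, CIP standard, requirement, justification, C2M2 practice), builds the CSF-oriented view, the reversed XREF view and a per-standard pivot, and then runs a simple gap check against the CIP requirements an organization reports as implemented. The identifier formats follow CSF v1.1, NERC CIP and C2M2 conventions, but the specific pairings in SAMPLE_ROWS are constructed for illustration and are not taken from the published mapping.

```python
"""Added example: a small NERC CIP <-> NIST CSF crosswalk with a gap check.

The rows in SAMPLE_ROWS are constructed placeholders; they are not the
pairings from the NIST/NERC mapping spreadsheet.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class MappingRow:
    csf_subcategory: str   # CSF v1.1 subcategory id, e.g. "PR.AC-1"
    cip_standard: str      # CIP standard id without version suffix, e.g. "CIP-004"
    cip_requirement: str   # requirement within the standard, e.g. "R4"
    justification: str     # why the two align (free text)
    c2m2_practice: str     # C2M2 practice id the row points to


# Constructed sample rows. The pairings are assumptions for illustration only.
SAMPLE_ROWS = [
    MappingRow("PR.AC-1", "CIP-004", "R4", "access authorization for BES cyber systems", "ACCESS-1a"),
    MappingRow("PR.AC-1", "CIP-004", "R5", "access revocation on personnel change", "ACCESS-1b"),
    MappingRow("PR.AC-5", "CIP-005", "R1", "electronic security perimeter isolates BES cyber systems", "ARCH-2a"),
    MappingRow("PR.IP-1", "CIP-007", "R1", "ports and services baseline", "ASSET-1a"),
    MappingRow("PR.PT-3", "CIP-007", "R1", "least functionality via port and service restriction", "ASSET-1b"),
    MappingRow("RC.RP-1", "CIP-009", "R1", "recovery plan for BES cyber systems", "RESPONSE-3a"),
]


def csf_to_cip(rows):
    """First-tab orientation: for each CSF subcategory, the CIP requirements mapped to it."""
    out = defaultdict(set)
    for r in rows:
        out[r.csf_subcategory].add(f"{r.cip_standard} {r.cip_requirement}")
    return {k: sorted(v) for k, v in out.items()}


def cip_to_csf(rows):
    """XREF orientation: for each CIP requirement, the CSF subcategories it aligns with.
    A standard with several requirements naturally produces several keys."""
    out = defaultdict(set)
    for r in rows:
        out[f"{r.cip_standard} {r.cip_requirement}"].add(r.csf_subcategory)
    return {k: sorted(v) for k, v in out.items()}


def pivot_by_standard(rows):
    """Pivot orientation: standard -> requirement -> [(subcategory, C2M2 practice), ...],
    so a reader can expand one standard at a time."""
    out = defaultdict(lambda: defaultdict(list))
    for r in rows:
        out[r.cip_standard][r.cip_requirement].append((r.csf_subcategory, r.c2m2_practice))
    return {standard: dict(reqs) for standard, reqs in out.items()}


def gap_analysis(rows, implemented_requirements):
    """Self-assessment sketch: given the CIP requirements an organization reports as
    implemented, classify each CSF subcategory as covered, partially covered, or a gap."""
    xref = csf_to_cip(rows)
    implemented = set(implemented_requirements)
    covered, partial, gaps = [], [], []
    for subcategory, reqs in sorted(xref.items()):
        hits = sum(1 for req in reqs if req in implemented)
        if hits == len(reqs):
            covered.append(subcategory)
        elif hits:
            partial.append(subcategory)
        else:
            gaps.append(subcategory)
    return {"covered": covered, "partial": partial, "gaps": gaps}


if __name__ == "__main__":
    # Constructed self-assessment input: requirements the organization says are in place.
    print(gap_analysis(SAMPLE_ROWS, {"CIP-004 R4", "CIP-005 R1", "CIP-007 R1"}))
```

The gap check deliberately distinguishes partial coverage (a subcategory backed by several CIP requirements, only some of which are implemented) from a full gap, since that is the difference between tightening an existing control and planning a new one.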
Last month, industrial cybersecurity company Dragos identified that ICS threats from specific activity groups (AGs) are demonstrating new interest from hackers in the electric sector, as three out of the four new AGs that Dragos discovered last year, and eleven out of fifteen in total, have been observed targeting the electric utility industry.
Apart from these threats, cybersecurity expert Joe Weiss has asked the Federal Energy Regulatory Commission (FERC) to direct NERC to conduct a comprehensive survey of all registered entities in the bulk power system (BPS) to determine what Chinese equipment or systems are currently in use in the BPS, and how they are being used. Weiss made the request in a motion to intervene and comment on a FERC complaint concerning the purchase of critical equipment from the People’s Republic of China for the U.S. BPS and the electric grid. The equipment identified can also be used in many other critical infrastructure sectors, including water and wastewater systems, pipelines, oil and gas, and manufacturing, according to Weiss.