What did I learn by going thru a NERC CIP audit? A lot…
Lesson 1 - NERC CIP auditors are not normal auditors. They are industry veterans from various aspects of the utility industry, and they know their stuff. They also know the standards inside and out.
Lesson 2 - Be prepared. This goes hand-in-hand with lesson one. If you do not know what you are talking about, they are going to figure that out very quickly. Make sure everyone involved in the audit is in the sessions they need to be, and available to be called in if needed. Review your data request answers and evidence.
Lesson 3 - If you fixed something outside the audit period, it doesn’t count.
Lesson 4 - If you fixed something, you better have documented it appropriately or it doesn’t count.
Lesson 5 - Proof read your documentation, policies, and other evidence multiple times before you submit it. If your wording is off, a copy/paste is wrong, or you cite the wrong standards it will confuse the auditors. If they are confused, you are going to spend a fair amount of time explaining what you meant to say. If you have to explain it to them, are your policies good enough from employees to understand?
Lesson 6 - Do not use ‘passed’ on your vulnerability assessment lightly. If you performed the check for compliance, simply say the check was completed and provide the appropriate evidence. We were advised to use ‘completed’ instead of ‘passed.’
Lesson 7 - Remove your notes and other excess information from the vulnerability assessment sheet. I neglected to do this which caused me a bit of pain when the auditors encountered a note reading “Nobody seems to know what this is for” on a firewall rule. Additionally, we included the entire firewall rule set instead of just the rules related to the electronic security perimeter (ESP), which caused a bit of confusion for the auditors.
Lesson 8 - Restrict the vulnerability assessment results you present the auditors with to CIP-005, CIP-007, and CIP-010 only. You may choose to do a normal security risk assessment across the entire SCADA infrastructure, but this should be scrubbed down to a NERC CIP specific VA report before submission to the auditors.
Lesson 9 - If you use Active Directory in any way to authenticate/authorize access into or within the electronic security perimeter, then it will be considered an EACMS and reviewed accordingly. Many shops will setup a SCADA specific AD environment to prevent NERC CIP scope creep.
Lesson 10 - They auditors are going to find something…that is what they do. Your job is to ensure you have minimized the impact of whatever they find, and to demonstrate you are the subject matter expert(s) that you claim to be. Do not take it personally.