NERC CIP Audits: Top 10 Common Mistakes

I spent quite a while on the road while working at NERC for about seven years. I believe at one point I had over 130+ nights stayed during a single year. One of the many roles I had while at NERC was as a compliance program auditor for NERC CIP audits and compliance investigations. I picked up some common mistakes I have seen from entities across the entire country and would like to share them with you.10) Redacting documentation and evidenceThe goal of the auditor is to help your entity demonstrate compliance to the NERC CIP standards, not to find areas of non-compliance.I have been on audits where the entity would not even allow the auditors to view evidence by themselves – it had to be on an entity-owned machine with limited access and documents that were mostly blacked out information. All this did was extend the audit another week, and created a starting point for more questions.Please help the auditors by making evidence accessible and useful.9) Speaking through lawyersWhile having lawyers is very important for any dispute, settlement, or compliance program process, they aren’t always the best to be the front line on answering questions. For example, you don’t want your corporate attorney to answer technical questions on how your ESP are designed and configured.8) Show your workA lot of times I would see an entity provide evidence of results. Sometimes you will hear auditors ask to see how you got to your results. A great example here is a Cyber Vulnerability Assessment or CVA.One time, I remember hearing an entity perform their CVA, and get a pile of results/action items to fix. They then showed a piece of paper that said “Results” and had a completed check mark. When the auditors asked how they completed some of these tasks, or if they could see the steps they went through to get this result, the entity had no answers. They couldn’t even confirm that all of the CVA findings were fixed because they didn’t have documentation for themselves.7) Know your going to be auditedYou will be audited. I cannot believe how many times I would walk into an entity and find out they had never performed a mock audit with their staff. They didn’t know the types of questions they would be asked, the evidence to produce, or the responses they should prepare for.6) Scrambling for documentationA perfect example here was during training and awareness records. The CIP training standards dictate that authorized staff with unescorted physical or electronic access to BES Cyber Assets, otherwise known as BCAs, must go through a NERC CIP compliance training program.Any of your staff, contractors, vendors, and even cleaning crew might fall into scope of this requirement. Make sure you have records of all of this going back during the audit scope, so you are not scrambling during the audit.5) Arguing during the exit presentationAct professional – there is a big difference between arguing and disagreeing. Whether you disagree with a finding or not, the time and place is not during the exit presentation. Many times I would see entities yell at the auditors during the exit presentation, and say they’re wrong.4) Arguing over every word in the standardDuring CIP Version 3 audits, I have seen words like significant, annual and other non-defined terms used in every possible way you could imagine. Of course, some of that has been cleaned up for CIP V5, but you get the point. If you do have an undefined term, ensure you define it somewhere in your internal documents to show the audit team what you mean.3) Listen to CIP auditors adviceI have worked with the CIP audit and compliance teams in every region across North America. Your auditors, in fact, have a lot of experience. They have seen more implementations, configurations, environments and procedures than you could ever imagine.Listen to them if they talk about best practices or advise on some thoughts for additional approaches towards demonstrating compliance. Sometimes it can really help open your eyes to a different point of view.2) Not rewarding your staffLet’s face it – no matter how prepared you are for an audit, it’s still a very intense process. Your staff is stressed out, and have been looking to find evidence in every nook and cranny of the past several years. Give them a break, reward them with a day off if possible or something fun to do as a thank you for all of the hard work they put in.1) Be polite and patientWhen an auditor asks for information, they are usually just trying to get an understanding of your environment. This isn’t a court hearing. The audit team is just trying to gain an understanding of the entire picture because they don’t know your environment as well as you do.They may also not be familiar with certain acronyms, diagrams and other procedures at your organization. Take your time and explain them, since they will help tell your story of compliance. Nick


About the Author: Nick Santora is the CEO of Curricula, a cyber security education company located in Atlanta, GA. Curricula provides cyber security awareness training and NERC CIP compliance training solutions using an innovative story based learning approach. You can follow Curricula on Twitter @Curricula or check out their website at www.GetCurricula.comEditor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.Title image courtesy of ShutterStock

Leave a Reply