NERC CIP Training Requirements

Nick Santora | June 19, 2015

As we get closer to the CIP Version 5 effective date, we still get asked what NERC CIP training requirements CIP-004 Version 5 actually imposes. We get asked about all kinds of CIP topics, but as you may already know, we are your CIP training experts!

First, I want to point out the purpose of the CIP training program. The CIP-004 Training and Awareness requirements exist to minimize the risk of a compromise that could lead to misoperation or instability in the Bulk Electric System (BES) from individuals accessing BES Cyber Systems, by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems. Makes sense, right?

I want to review the training requirements, which are located in CIP-004 Requirement R2. They are formally referred to as Parts 2.1, 2.2, and 2.3 in the CIP standards. Let's take a look at each part and what it requires of entities to comply with CIP V5.

What is required to develop the CIP training program?

We get asked this question all the time. What makes a great NERC CIP training program? Just like anything else, time, effort, and expertise all play a role in the development of any program. Without all three, your program will most likely fail in some way or another. How do I know this? I have seen dozens and dozens of these programs across the country in every region. The good ones had significant time and resource commitments and usually ended up with no Possible Violations (PVs). The bad ones, well, you can guess what happened in those situations. In future articles we will go into more detail about the successes and failures of CIP training programs. For now, just know that the more time you put in, the more you get out.

We are looking at the requirements for CIP-004-6. Although at the time of writing these have not been formally approved by FERC, we are taking a proactive approach and showing you what will be required. The only difference you will see is the new material in Part 2.1.9 covering Transient Cyber Assets and Removable Media.

CIP Training Requirements

The minimum training content required by CIP-004 R2 Part 2.1:
  • 2.1.1. Cyber security policies;
  • 2.1.2. Physical access controls;
  • 2.1.3. Electronic access controls;
  • 2.1.4. The visitor control program;
  • 2.1.5. Handling of BES Cyber System Information and its storage;
  • 2.1.6. Identification of a Cyber Security Incident and initial notifications in accordance with the entity’s incident response plan;
  • 2.1.7. Recovery plans for BES Cyber Systems;
  • 2.1.8. Response to Cyber Security Incidents;
  • 2.1.9. Cybersecurity risks associated with a BES Cyber System’s electronic interconnectivity and interoperability with other Cyber Assets, including Transient Cyber Assets, and with Removable Media.

So what this means is that you must teach, at a minimum, these nine objectives. Do not simply copy and paste the standards into your course. Part 2.1 asks for training content on these topics as they apply to your entity's own controls and procedures; it does not ask you to walk everyone through every CIP standard, and a recitation of the standard text does not demonstrate that, so you will most likely end up with a violation. Part 2.1.9 requires a new approach: explain how the interconnected systems in your environment must be protected, the risks that come with electronic interconnectivity, and the risks introduced by Transient Cyber Assets and Removable Media.

Part 2.2 requires completion of the training PRIOR to granting authorized electronic access or authorized unescorted physical access to the applicable Cyber Assets; the only exception the standard allows is during CIP Exceptional Circumstances. So before someone is granted electronic or unescorted physical access to a BES Cyber Asset (BCA), ensure they complete their CIP training and that you document the completion date. Make a special note of prior here: not days or weeks after someone gains access to your BCAs.

Remember, this requirement applies to anyone with authorized electronic access or authorized unescorted physical access to applicable Cyber Assets. That means your staff, management, contractors, vendors, and even the cleaning crew! That's right, anyone who has that access to these applicable systems is required to take this training.

Part 2.3 requires that the training be completed at least once every 15 calendar months. Remember, "annual" has been removed from the standard; 15 calendar months is now the requirement. We like to call that a CIP year. The intent is still a roughly yearly refresh, but the standard now gives you some buffer in case someone was on vacation or you had to catch up with a certain group to ensure they were retrained. Note that the clock runs from each individual's previous completion date, not from the calendar year, so you need to track it per person.

What will NERC CIP auditors look for?

A typical audit approach is to pull an operator aside during the on-site audit. The CIP auditor might ask whether your operator or staff can recall anything from their CIP training. They are not looking for specifics here; they are looking for a general understanding that the staff went through the training and can describe something they learned from it. This gives the auditor insight into the effectiveness of the training, which will shape the rest of the audit.

The other typical audit approach is to review CIP training records alongside the access records for each individual required to take training: PRA completion, training completion, electronic access authorization, physical access authorization, and any other applicable documented records. The auditor compares these records to make sure the dates line up, for example that the training completion date precedes the date electronic or unescorted physical access was authorized, and that consecutive training completions are no more than 15 calendar months apart. I highly recommend you perform this type of review on a continuous basis to ensure your processes and procedures are working and effective. Things change; people move jobs and roles. Make sure your training and access records are up to date, because the auditors will check that they are.
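The record reconciliation described above, and the Part 2.2 "prior to access" and Part 2.3 "15 calendar months" checks from earlier in this article, can be run as a script against your own exports rather than waiting for an auditor to do it. The following is an added example, not code from the original article or from Curricula. The people, dates and access grants are constructed sample data; the `Person` fields, the finding codes, and the reading of "15 calendar months" as "by the last day of the 15th calendar month after the previous completion" are this example's own assumptions, not language from the standard.

```python
"""Reconcile CIP-004 training completions against access grants.

Added example with constructed sample data. Finding codes and record
layout are assumptions made for illustration.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

RETRAIN_MONTHS = 15  # CIP-004 R2 Part 2.3: at least once every 15 calendar months

Finding = Tuple[str, str, str]  # (person, code, detail)


@dataclass
class Person:
    name: str
    training: List[date]            # CIP training completion dates
    access: List[Tuple[str, date]]  # ("electronic" | "physical", date access was authorized)


def month_end_after(d: date, months: int) -> date:
    """Last day of the calendar month `months` months after d's month.

    Assumption: "every 15 calendar months" is read as "no later than the end
    of the 15th calendar month after the previous completion", so training on
    2014-03-10 must be renewed by 2015-06-30.
    """
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    return date(year, month, calendar.monthrange(year, month)[1])


def check_person(p: Person, as_of: date) -> List[Finding]:
    findings: List[Finding] = []
    trainings = sorted(p.training)

    if not trainings:
        for kind, granted in p.access:
            findings.append((p.name, "NO_TRAINING",
                             f"{kind} access granted {granted} with no training record"))
        return findings

    # Part 2.2: training must be completed before each access grant.
    # Date-only records cannot prove ordering within a single day, so a
    # same-day pair is flagged for a timestamp check instead of passing.
    # (The CIP Exceptional Circumstances exception is not modelled here.)
    for kind, granted in p.access:
        if any(t < granted for t in trainings):
            continue
        if any(t == granted for t in trainings):
            findings.append((p.name, "SAME_DAY_VERIFY",
                             f"{kind} access and training both dated {granted}; confirm order with timestamps"))
        else:
            findings.append((p.name, "ACCESS_BEFORE_TRAINING",
                             f"{kind} access granted {granted}, first training {trainings[0]}"))

    # Part 2.3: each completion must fall within 15 calendar months of the previous one.
    for prev, nxt in zip(trainings, trainings[1:]):
        deadline = month_end_after(prev, RETRAIN_MONTHS)
        if nxt > deadline:
            findings.append((p.name, "RETRAIN_GAP",
                             f"trained {prev}, next training {nxt} is after deadline {deadline}"))

    # Current status: is the most recent completion still inside its window?
    deadline = month_end_after(trainings[-1], RETRAIN_MONTHS)
    if as_of > deadline:
        findings.append((p.name, "RETRAIN_OVERDUE",
                         f"last trained {trainings[-1]}, deadline {deadline} passed as of {as_of}"))
    return findings


def reconcile(people: List[Person], as_of: date) -> List[Finding]:
    """Run every check over every person and return the combined findings."""
    out: List[Finding] = []
    for p in people:
        out.extend(check_person(p, as_of))
    return out


# Constructed sample records (not real personnel). Each person exercises one outcome.
SAMPLE_AS_OF = date(2015, 6, 19)
SAMPLE = [
    Person("alice", [date(2014, 3, 10), date(2015, 5, 20)], [("electronic", date(2014, 4, 1))]),  # clean
    Person("bob",   [date(2015, 2, 2)],                      [("physical", date(2015, 1, 15))]),  # access before training
    Person("carol", [date(2013, 11, 5), date(2015, 4, 1)],  [("electronic", date(2013, 12, 1))]),  # gap > 15 months
    Person("dave",  [date(2014, 1, 20)],                     [("electronic", date(2014, 2, 3))]),  # overdue today
    Person("erin",  [],                                      [("physical", date(2015, 6, 1))]),  # no record at all
    Person("frank", [date(2015, 3, 3)],                      [("electronic", date(2015, 3, 3))]),  # same-day, verify
]

if __name__ == "__main__":
    for person, code, detail in reconcile(SAMPLE, SAMPLE_AS_OF):
        print(f"{person:6} {code:22} {detail}")
```

Feed it exports from your LMS and your access provisioning system (one `Person` per individual with authorized access) and run it on a schedule; an empty result is what you want to be able to show the auditor. The same-day case is worth keeping as its own finding, because a grant and a completion on the same date only prove Part 2.2 if you have timestamps showing which came first.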

These are some of the basics for NERC CIP training requirements under NERC CIP V5. If you want more information about CIP V5 or any of the training requirements contact us to request a demo of the Curricula CIP Training Program.

Author: Nick Santora, CISSP, CISA, Chief Executive Officer of Curricula.