The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) regulations often make exacting demands of Fortra Tripwire's customers, requiring them to update or create new change processes and document those processes in order to comply. In any NERC CIP-centered IT/OT project, there are always crucial indicators of success - even before the project gets underway.
Here are the major factors for managers and decision-makers to keep in mind before they begin. The intent is to enable accurate scoping of projects and to identify areas where Professional Services can help. Like Farmers Insurance, "We know a thing or two because we've seen a thing or two," given 10+ years of NERC CIP projects with hundreds of electric utility entities.
What is Success?
First, establish what you're aiming at. In a scenario where organizations are aiming to meet NERC CIP compliance, success is defined as "implementing and adopting new Tripwire data capture and reporting capabilities to support fundamental security and compliance workflows around NERC CIP." For the purpose of this blog, things will be described from the perspective of a Fortra customer who leverages Tripwire's Professional Services team to accomplish their NERC CIP project. Also, bear in mind that other vendor technologies will play key roles in meeting compliance requirements.
1. Organizational Buy-In
The first step is to get organizational buy-in - but not in the way that you think. Having agreement (buy-in) on the project is one thing, but getting your organization on the same page in all mission-critical matters is entirely another, especially in light of heavy workloads and potentially conflicting priorities.
Allocate The Right Resources
First, the company needs to have the human and technical resources readily available. This statement also applies to all the necessary information to complete the project (technical environment, product specifications, project scope, verifiable outcomes).
- Establish a Single Point of Contact | Who owns the project? Who is the customer's single point of contact? They need to have access to executive staff to be able to communicate progress and communicate key stakeholder needs.
- Leverage Technology Owners Effectively | These individuals have busy schedules and often juggle several projects, so be focused on enabling them to address required tasks efficiently. Avoiding "re-dos" due to improper planning or execution is key. "Measure twice, cut once" is the way to go, and good documentation goes a long way here.
- Enable Remote Access to Customer Environments (if possible) | You wouldn't think of this one from a 10,000-foot view, but from the vantage point of the Professional Services consultants at the tip of the spear, this detail could make all the difference in project timelines and efficiency. If the Professional Services contractors (Tripwire) are able to have secure remote access, they can save your team cycles and push ahead on the project while your team is busy with its day-to-day tasks.
Set Realistic Goals
Part of overall buy-in is making sure goals are aligned from the outset. This means making a realistic assessment of the maturity of the organization and what they can hope to accomplish, given where they're starting from. Suppose an organization responsible for Operational Technology (OT) is early in its cyber maturity and has only manual NERC CIP capabilities or processes (or none at all). In that case, extensive NERC CIP outcomes are not impossible, but they are going to take a much higher level of effort due to stakeholder review, buyoff, and adoption of new tools and business processes.
Likewise, the level of knowledge and experience with Tripwire technology should be considered when setting goals. If a customer is new to Tripwire technology, implementation timeframes will likely be lengthened due to considerable "on-the-job" training on tool best practices.
Asking the hard questions to assess current process maturity and product knowledge helps everyone know what they're getting into.
2. Heightened Environment Awareness
The next step in carrying off your NERC CIP project is to make everyone familiar with critical assets within the environment. Professional Services are going to be looking to:
- Identify an Asset "Source of Truth" | Leverage your managed asset inventory for BES (Bulk Electric System) Cyber Assets. Ideally, those contracted to help with your NERC CIP implementation will want to see supported platforms and no older OS/firmware versions. Also, how complex is your known network architecture? Is there a test environment or computers where changes can be validated? All of these things will be used to gauge deployment efforts and complexity.
- Identify Infrastructure Change Management Timeframes | There are naturally going to be periodic Change Review Board (CRB) meetings, so make sure this is taken into account when planning implementation activities. Be aware that some critical OT operator workstations may require end-user approval to install or update software.
- Determine the Customer "Ecosystem" Impact on the Solution | Your ecosystem (Service Mgmt, Identity Mgmt, System Information/Event Mgmt) can significantly impact how well the Tripwire solution will be assimilated into your workflows. Are there manual processes, or are there integration and automation opportunities in the areas of managing "service account" passwords or change approval and tracking?
- Identify In-progress and Planned Infrastructure and Ecosystem Changes | What's in the works that could potentially affect plans? How does the moving target affect implementation decisions, timeframes, and future phases?
Many of these things are determined in pre-engagement calls, but others may be discovered mid-project. Be upfront about these foundational elements of your project because they are the gears that keep things running smoothly and allow you to accomplish your ultimate NERC CIP project goals.
3. Effective Project Management
Project management is the unsung hero of many a successful NERC CIP implementation and the unknown villain of even more. Says Ted Rassieur, Sr. Manager of Services Delivery at Tripwire, "Throughout my career, I've been surprised at how few organizations have an actual dedicated project manager running [their initiatives]. Often, it's more like two or three engineers running a project, and the professional requirements for those roles are very different from PM."
This is the missing piece for a lot of projects and where things fall apart. Or where they can be held together if done right.
A designated project manager (or simply effective project management) will break the project down into appropriate milestones and track progress regularly through straightforward status reports, which indicate progress and next steps, as well as identify "blockers" requiring attention. Project tracking and reporting will be implemented from the outset, and measurable milestones in deployment and capabilities will be recorded and fed back to your team, the C-suite, and your Professional Services contractors to keep everyone aligned.
Smooth project management also means keeping the project rolling, even when the unexpected happens. Identifying critical path activities enables continuous progress when you hit roadblocks. This allows the project to keep moving forward on some level, even when certain avenues get held up, as they inevitably do.
Lastly, project management parameters need to be as realistic as they are well-defined. One thing to keep in mind is that implementation and deployment timelines are different from adoption timelines. The first is pretty much under the control of your IT team, executive leaders, and Tripwire Professional Services. The other is up to each individual staff member who will be asked to commit to a new way of doing things.
That is simply another realistic challenge of NERC CIP compliance or any type of regulatory compliance, for that matter. The expectation needs to be set that while teams can do all they can to build the well and lead the horse to water, they should not be held responsible for making it drink. That's a job for training and team culture and a topic for another day.
4. Efficient Implementation
Ideally, customer implementation efforts begin before the Professional Services engagement starts with the following activities.
- Address as many hardware and software prerequisites as possible before starting Tripwire software deployment.
- Allocate platform resources and open required firewall ports according to Tripwire product documentation and/or Design & Architecture documents.
During the solution deployment and configuration phases, the following best practices will pay huge dividends.
- Leverage customer software deployment tools, where possible, to automate initial agent installation.
- Manage a minimal number of service accounts for Tripwire infrastructure and agentless connections and leverage Global Variables.
- Create Tripwire Enterprise (TE) tags and tagging profiles to address all possible scoping of tasks, policies, reports, and Tripwire State Analyzer (TSA) assessments. This process can be iterative, but it is best practice to start with Platform families and specific BES Cyber Systems.
You can also use your NERC CIP project as on-the-job training with Tripwire resources. If you've attended Tripwire classes in the past, chances are you (and everyone else) could use a refresher. That's why most real training happens during implementation. You get the option; you can build it, or Professional Services can make it and "give you the recipe." It's up to you to determine which option is most efficient for your organization in the long run.
5. Future Success Through Operationalizing
How do you create the ownership and process around managing tool infrastructure and processes for NERC CIP compliance? This is where you establish who is in charge of what and how you'll keep your successful Tripwire implementation going.
First, identify technical owners for Tripwire infrastructure. Who is ultimately responsible for the new Tripwire solution operation, upgrades, deployments, and troubleshooting?
Next, identify stakeholders for NERC CIP process use cases and reporting requirements. Typically, the "data consumers" for the solution are the Compliance and OT Operations teams. These people care about how data is collected, reported and archived when they provision new BES Cyber System resources, perform periodic audits, and manage periodic changes for Microsoft security patches. And who cares enough about the processes to be put in charge?
After that, identify which steps in the use cases can or should be automated and which steps require manual review. Use discretion; not all that can be automated should be. Some elements require human judgment and manual review, but if your organization is mature in its NERC CIP compliance efforts, you'll already have a sense of what compliance tasks are best automated and which require a human touch.
Lastly, appropriate documentation must be created to support both process stakeholders and technical owners. These are going to be your "single source of truth" in the coming days, although you can always contact your Tripwire Professional Services team to help out. There are three main types of documentation:
- As-built | Record the technical specifications and solution configuration "as-built." This is essentially a blueprint of what was built and why it was configured in specific ways.
- SOPs | This is a record of any Standard Operating Procedures (SOPs), like device or host onboarding/decommissioning and password update processes.
- End-user | These are instructions for your end-users and record how to do everyday processes and procedures ("log into Tripwire and click here to generate this report," for instance).
NERC CIP Success: Putting All the Pieces Together
Tripwire can help you execute a NERC CIP project that is bound to succeed. However, all the project intangibles are as important as the solutions themselves, and both pieces are required to make them a value-adding part of your regular compliance strategy. Tripwire has the expert input, technologies, and deployments covered. But sustaining them, supporting them, and creating an environment in which they can thrive - that's up to you.
One way Tripwire has identified to help sustain and keep an implementation on track with best practice is with Tripwire's subscription-based Advisory Service. Through regularly scheduled monthly sessions, Tripwire consultants can assist with a full spectrum of topics impacting effective usage: implementation, customization, upgrades, and operational enablement.