CIP-003-8: Cyber Security Awareness for Grandma

(Originally posted on April 11, 2020)

CIP-003-8 has now been effective for 11 days!

I hope you prepared well and the transition was smooth.

I am writing this under quarantine, and I’m sure many of you reading this are under quarantine too.

It seems the best way to remain safe from Covid-19 is to learn about the symptoms, the incubation period, and the way the virus spreads.

In other words, becoming aware of the coronavirus.

This brings me to CIP-003-8 R1.2.1.

Also known as Cyber Security Awareness.

One of the best ways to prevent an incident is to educate your employees.

This happens to be a NERC/CIP requirement which must be reinforced every 15 months.

How do you achieve cyber security awareness? NERC doesn’t specify how this is to be accomplished.

Let’s break it down so Grandma can understand it.

Does your security policy mention anything about cyber security awareness? Do you have a security policy?

The cyber security awareness requirement can be satisfied with:

· emails
· online training
· hanging up a poster in a common area
· classroom training

Get creative. Change it up. Leverage your enterprise security team.

Remember to gather evidence.

What kind of evidence? Here’s a start:

· type of awareness: poster, email, classroom training
· date(s) of awareness
· name of the Bulk Electric System (BES) asset
· names of employees, departments, groups attending

Keep it in a safe place for 3 years to meet the retention requirement.

15 months later you do it all again.

That’s all for today.
