NERC User Guide – Investigations

Investigations can further assist in gathering vital information about security events, and provide basic information about an environment and the processes and activities within it. NERC-CIP investigations can be part of a change control process in identifying configuration changes and trying to understand their nature of to determine whether or not they are appropriate, along with their implications for NERC-CIP compliance.

Investigations can also be run to leverage defined user lists and examine any suspicious or potentially malicious activities surrounding accounts within the environment. Custom investigations can be configured in addition to those included within this module.

Log Requirements

The NERC-CIP: Config/Policy Change Detail and other investigations cover all log sources in your environment, but specifically require logs from anti-malware systems, servers, workstations, security enforcing devices, file integrity monitors, VPN devices, backup monitoring, access control systems, remote authentication devices, and vulnerability detection systems. Once configured correctly, investigations allow IT and security operations to not only deep dive into potential security events but also to learn more about and continuously improve your overall compliance and cyber security program. Access control systems can work with a defined Vendor Account List to help facilitate the monitoring of third-party accounts within the environment.

Actions

Investigations are used to pull additional details from log sources related to events of interest. The NERC-CIP: Configuration or Policy Change Detail investigation can be used to monitor changes made to configure log sources throughout an environment and confirm that the proper change control procedures are being followed. Management should incorporate these investigations into their periodic reviews to better understand events in the environment and their impact on compliance and security.