The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) program is a set of standards aimed at regulating, enforcing, monitoring and managing the security of the Bulk Electric System (BES) in North America. These standards apply specifically to the cybersecurity aspects of the BES. The CIP standards provide a cybersecurity framework for identifying and securing the critical assets whose loss or misuse could affect the reliable supply of electricity across North America's BES.
The CIP program coordinates NERC's efforts to improve the security of the North American power system. NERC's jurisdiction covers the continental United States, Canada and the northern portion of Baja California in Mexico.
The NERC CIP standards govern critical infrastructure of all entities that materially impact the reliability of BES. These entities include owners, operators and users of any part of the system.
These standards carry the force of regulation. In the United States, the Federal Energy Regulatory Commission (FERC) approves them under Section 215 of the Federal Power Act, which makes them mandatory and enforceable rather than voluntary guidance; that is why they are also known as NERC CIP requirements. All entities that fall under the purview of NERC CIP must comply with these standards.
The NERC CIP standards require utility companies in North America to establish and adhere to a baseline set of cybersecurity measures. The goal is to ensure that appropriate security controls are in place to protect BES and its users and customers from all threats that may affect its timely and effective functioning. These threats may include cyber attacks, cyber vandalism or acts of cyberterrorism.
Entities must identify critical assets and regularly perform a risk analysis of those assets. They must also define policies for monitoring and changing the configuration of critical assets and for governing access to those assets.
In addition, NERC CIP requires entities to enable only the logical network ports and services a system actually needs and to restrict traffic into and out of protected networks to explicitly permitted flows, denying everything else by default. It also requires security event monitoring, including logging of access attempts and malicious code detection, and the use of IT controls to protect access to critical cyber assets. Finally, entities must implement comprehensive incident response and recovery plans to respond to cyber attacks, natural disasters and other unplanned events that may affect the functioning of the BES.
To ensure the delivery of consistent and effective power to all recipients, NERC and its regional bodies take compliance seriously. Therefore, NERC's Compliance Monitoring and Enforcement Program tracks, assesses and enforces the uniform compliance of covered entities via regular audits and spot checks.
All North American covered entities must comply with NERC CIP standards. Failure to comply may result in monetary fines, sanctions or other actions; in the United States, penalties can reach $1 million per violation per day. Penalties may vary from country to country since NERC is a transnational organization.
The fundamental standards and substandards under NERC CIP specify the requirements that utilities must follow to identify critical assets, create control mechanisms, enforce the logical and physical security of their systems, and recover any affected assets following a cybersecurity incident.
Ten such standards are explained below.
The first standard, CIP-002 (BES Cyber System Categorization), is aimed at identifying and categorizing BES Cyber Systems, which are groupings of one or more BES Cyber Assets. The goal is to ensure that these systems are appropriately protected from compromises that could result in misoperation or BES instability.
Categorization grades each BES Cyber System according to the impact its loss, compromise or misuse would have on the reliable operation of the BES. Rather than the cause of a compromise, it is the scale of its potential effect on the grid that matters.
Under this standard, BES Cyber Systems are categorized as high, medium or low impact, and the protections required by the remaining CIP standards scale with that rating.
The goal of CIP-003 (Security Management Controls) is to establish clear accountability for protecting North American BES Cyber Systems. Accountability is achieved by delegating authority and identifying a senior manager responsible for developing policies around consistent and sustainable security management controls. The standard also includes provisions for exceptional circumstances, such as emergency situations.
CIP-004 (Personnel and Training) focuses on the training of staff and contractors. Its purpose is to reduce the exposure of the BES to cyber risks from personnel. The training consists of two parts: an ongoing security awareness program for everyone with authorized access, and role-based cybersecurity training that must be completed before access is granted. The standard also requires personnel risk assessments, such as identity verification and criminal history checks, and timely revocation of access when personnel leave or change roles.
The intent of CIP-005 (Electronic Security Perimeters) is to protect BES Cyber Systems from misoperation and instability by controlling network access to them. It requires entities to establish Electronic Security Perimeters (ESPs) around their Cyber Assets, creating a logical boundary through which data flows can be monitored and restricted.
All routable communication into or out of an ESP must pass through an identified Electronic Access Point, which permits only explicitly needed inbound and outbound connections and denies everything else by default. Interactive remote access from outside the ESP must be brokered by an Intermediate System, encrypted end to end and protected with multi-factor authentication, which is particularly important for vendors and other third parties.
CIP-006 (Physical Security of BES Cyber Systems) addresses the operational and physical controls that make up a physical security plan, a visitor control program, and a maintenance and testing program for physical access control systems.
CIP-007 (System Security Management) defines the technical, operational and procedural elements used to secure all systems within ESPs, including the BES Cyber Systems themselves and the Protected Cyber Assets that share their networks.
These elements include the following: restricting logical network accessible ports and services to those required; security patch management, with patch sources and evaluation and installation deadlines; prevention and detection of malicious code; security event monitoring, including logging, alerting and retention of access and malware events; and system access controls such as enforcing authentication, removing default and shared credentials, and enforcing password complexity and change requirements.
CIP-008 (Incident Reporting and Response Planning) prepares entities for cyber incidents and provides guidelines on how to respond to them with a cybersecurity incident response plan. It helps with the identification, classification, response, reporting and documentation of incidents affecting BES Cyber Systems.
It addresses three core areas of compliance: the content of the incident response plan, including how incidents are identified, classified and reported to the appropriate authorities; implementation and periodic testing of that plan; and review, update and communication of the plan after each test or actual incident.
CIP-009 (Recovery Plans for BES Cyber Systems) addresses how entities recover from a cybersecurity incident that has affected the functioning of BES Cyber Systems. It ensures that a recovery plan is in place and that entities are following established plans for disaster recovery and business continuity.
The standard covers multiple aspects of incident recovery: the conditions that activate the recovery plan and the roles of those responsible; backup and restoration of the information needed to rebuild affected systems, including verification that backups are usable; periodic testing of the plan and of a representative sample of backups; and review, update and communication of the plan after each test or recovery.
CIP-010 (Configuration Change Management and Vulnerability Assessments) outlines the requirements for preventing and detecting unauthorized changes to BES Cyber Systems. The goal is to achieve fundamental and ongoing protection through system configuration controls and active vulnerability testing.
It specifies three compliance areas: configuration change management, which requires a documented baseline for each system (operating system or firmware, commercial and open-source software, custom software, logical network accessible ports and applied security patches) and authorization and documentation of every deviation from it; configuration monitoring, which requires periodic checks for changes to that baseline; and vulnerability assessments, which must be performed on a recurring schedule, with active assessments for higher-impact systems.
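The baseline element list above is easier to reason about with something that actually checks it. The following script is an added example, not code from NERC or from the article: it models a CIP-010-style baseline as the five elements named in R1, compares it against a current snapshot of each device, and marks every deviation as authorized only when an approved change record covers that exact item. The device names, software versions, patch identifiers and change ticket format are all constructed for the example; the 35-calendar-day monitoring cadence is the one R2 sets for high impact systems.

```python
from dataclasses import dataclass
from datetime import date

# The five baseline elements named in CIP-010 R1 Part 1.1.
BASELINE_ELEMENTS = (
    "os_firmware",          # operating system or firmware
    "commercial_software",  # commercially available or open-source software
    "custom_software",      # custom software installed
    "open_ports",           # logical network accessible ports
    "security_patches",     # security patches applied
)


@dataclass(frozen=True)
class ChangeRecord:
    """An approved change ticket (constructed format, not a NERC one)."""
    ticket: str
    host: str
    element: str
    removed: frozenset = frozenset()
    added: frozenset = frozenset()


@dataclass(frozen=True)
class Deviation:
    host: str
    element: str
    kind: str       # "added", "removed" or "no_baseline"
    item: str
    authorized: bool


def _is_authorized(records, host, element, kind, item):
    """True when some approved record covers exactly this item on this host."""
    for r in records:
        if r.host != host or r.element != element:
            continue
        if kind == "added" and item in r.added:
            return True
        if kind == "removed" and item in r.removed:
            return True
    return False


def compare_baseline(baseline, current, records):
    """Return every deviation of `current` from `baseline`, in host order."""
    deviations = []
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            # A device with no documented baseline is itself an R1 finding.
            deviations.append(Deviation(host, "*", "no_baseline", "", False))
            continue
        now = current.get(host, {})   # a missing host shows every item as removed
        for element in BASELINE_ELEMENTS:
            base_items = set(baseline[host].get(element, ()))
            cur_items = set(now.get(element, ()))
            for item in sorted(cur_items - base_items):
                ok = _is_authorized(records, host, element, "added", item)
                deviations.append(Deviation(host, element, "added", item, ok))
            for item in sorted(base_items - cur_items):
                ok = _is_authorized(records, host, element, "removed", item)
                deviations.append(Deviation(host, element, "removed", item, ok))
    return deviations


def unauthorized(deviations):
    return [d for d in deviations if not d.authorized]


def monitoring_overdue(last_check_iso, today_iso, max_days=35):
    """CIP-010 R2 Part 2.1: high impact systems must be checked for baseline
    changes at least once every 35 calendar days."""
    last = date.fromisoformat(last_check_iso)
    today = date.fromisoformat(today_iso)
    return (today - last).days > max_days


# Constructed inventory data for one RTU and one HMI that was never baselined.
BASELINE = {
    "rtu-01": {
        "os_firmware": ["vendor-rtos 4.2.1"],
        "commercial_software": ["ntpd 4.2.8", "openssh 8.4"],
        "custom_software": ["scada-agent 1.3"],
        "open_ports": ["tcp/22", "tcp/502"],
        "security_patches": ["VSA-2021-07"],
    },
}
CURRENT = {
    "rtu-01": {
        "os_firmware": ["vendor-rtos 4.2.1"],
        "commercial_software": ["ntpd 4.2.8", "openssh 8.9"],
        "custom_software": ["scada-agent 1.3"],
        "open_ports": ["tcp/22", "tcp/23", "tcp/502"],   # telnet was enabled
        "security_patches": ["VSA-2021-07", "VSA-2022-01"],
    },
    "hmi-07": {"os_firmware": ["windows 10 21H2"]},
}
APPROVED = [
    ChangeRecord("CHG-101", "rtu-01", "commercial_software",
                 removed=frozenset({"openssh 8.4"}), added=frozenset({"openssh 8.9"})),
    ChangeRecord("CHG-102", "rtu-01", "security_patches",
                 added=frozenset({"VSA-2022-01"})),
]

if __name__ == "__main__":
    for d in compare_baseline(BASELINE, CURRENT, APPROVED):
        flag = "ok          " if d.authorized else "UNAUTHORIZED"
        print(f"{flag} {d.host:8} {d.element:20} {d.kind:12} {d.item}")
    print("monitoring overdue:", monitoring_overdue("2022-01-10", "2022-03-02"))
```

Running it reports the approved OpenSSH upgrade and patch as authorized, and flags two findings an auditor would ask about: the telnet port that appeared on rtu-01 with no change record, and hmi-07, which has no baseline at all. In practice the `CURRENT` snapshot would come from the device inventory or an agent, and `APPROVED` from the change management system, but the comparison logic is the same.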
CIP-011 (Information Protection) specifies the requirements for identifying BES Cyber System Information, that is, information that could be used to compromise the BES if it is maliciously misused, disclosed or stolen. It also specifies how that information must be protected during storage, transit and use, and how BES Cyber Assets must be sanitized before reuse or disposal so that such information cannot be recovered from them.
02 Mar 2022