What is NERC CIP, and IT's role in critical infrastructure protection?

Under the NERC CIP, power generators and suppliers must prove NERC compliance on critical infrastructure protection provisions by the end of the second quarter. Will you be ready?

Terms like smart grid and cybersecurity are getting a lot of attention these days. At their intersection is a body you may not have heard much about: the North American Electric Reliability Corporation, or NERC.


NERC is responsible for establishing security standards for the region's power grid, which has become a potential target for cyberterrorism. Under NERC's Critical Infrastructure Protection (CIP) plan, power suppliers and generators must start proving compliance with all of its provisions by the end of the second quarter. Read more about what NERC means for your organization in this SearchCompliance.com FAQ.

What is the NERC CIP?

The North American Electric Reliability Corporation is a nonprofit corporation tasked with ensuring the reliability and security of the bulk power transmission system in North America (the U.S., Canada and part of Mexico). NERC is a federally designated Electric Reliability Organization that develops and enforces reliability standards and requirements for planning and operating the collective bulk power system. NERC standards have been accredited by the American National Standards Institute and cover elements such as resource and demand balance, transmission, personnel and training, emergency preparedness and the design and maintenance of facilities, including nuclear power facilities.

The NERC Critical Infrastructure Protection plan comprises more than 100 NERC Reliability Standards, and sets requirements for protecting critical assets used in the bulk electric system and the systems that support those assets. NERC CIP consists of nine standards covering the security of electronic perimeters, physical security of critical cyber assets, personnel and training, security management, disaster recovery and more.

The Federal Energy Regulatory Commission approved the Security and Reliability Standards proposed by NERC in 2008, making those standards, including CIP, mandatory for users, owners and operators of the bulk electric power system. Initial compliance auditing began in June 2009, and covered entities are required to prove compliance with all provisions of NERC by the end of the second quarter this year.


Who must comply with the NERC CIP?

NERC's standards, including those governing critical infrastructure, apply to a range of entities that "materially impact" the reliability of the bulk power system. In general, these entities are owners, operators and users of any portion of the bulk power system. More specifically, NERC talks about entities that serve specific functions in the electric power network, such as generator owners and generator operators, as well as transmission owners and transmission operators (providers that own or operate the wires that connect the generators and transmission networks to customers). There are some exceptions, too, mostly having to do with the amount of power an organization is generating or transmitting. A full list of covered functions and entities is available from NERC's compliance registry.

What role does security play in the NERC CIP?

Though nominally directed at "critical infrastructure," the NERC CIP is all about management of cyber assets (IT infrastructure) -- the systems that support the operation of the bulk electric system. Because much of the infrastructure supporting the bulk electric power system is IP-based, the NERC CIP standards provide guidelines for the identification and management of critical cyber assets, as well as the security (both physical and cyber) of those assets. And, while many of the disaster scenarios facing the electric grid concern natural disasters like hurricanes and floods, increased attention in recent years on cyberattacks on utilities has raised the specter of terrorist- or state-sponsored attacks on the electric grid.


What is required by the NERC CIP?

In many ways, NERC CIP assessments resemble those used in other industries: covered entities are required to identify critical assets and to perform a risk-based assessment of those assets on a regular basis (CIP-002-01). Policies for monitoring and changing the configuration of critical assets need to be defined, as do policies governing access to internally and externally facing critical assets (CIP-003-01). A logical perimeter needs to be established around critical cyber assets, including the use of firewalls to block vulnerable ports and attack monitoring tools such as intrusion detection and prevention systems (CIP-005-01). In addition, organizations need to enforce controls on physical access to critical cyber assets (CIP-006-01). Systems for monitoring security events need to be deployed (CIP-007-01), and organizations must have comprehensive emergency response plans for cyberattacks (CIP-008-01), natural disasters and other unplanned events (CIP-009-01).
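As an added illustration (not from the article or from NERC) of what a first-pass review of the logical perimeter described above can look like in practice, the script below checks a constructed Electronic Security Perimeter (ESP) access-point ruleset against a constructed critical cyber asset (CCA) inventory. The ESP range, the rules, and the per-asset "needed_ports" attribute are all assumptions made for the example.

```python
"""Review an ESP firewall policy for gaps a perimeter assessment looks for:
CCAs outside every ESP, rules that admit outside traffic to a CCA on a port
not documented as needed, and no closing explicit deny. All data is constructed."""
from ipaddress import ip_address, ip_network

# Constructed inventory: each CCA lists the inbound ports it actually needs
# (an assumed inventory attribute; the article does not specify a format).
CCAS = {
    "ems-scada-01": {"ip": "10.10.1.10", "needed_ports": {22, 443}},
    "historian-01": {"ip": "10.10.1.20", "needed_ports": {443}},
    "rtu-gateway-03": {"ip": "10.20.5.7", "needed_ports": {20000}},  # not in ESP
}
ESP_NETWORKS = [ip_network("10.10.1.0/24")]  # constructed ESP address space

# Constructed access-point rules, read top to bottom like a firewall policy.
RULES = [
    {"src": "10.50.0.0/24", "dst": "10.10.1.10", "port": 22, "action": "permit"},
    {"src": "10.50.0.0/24", "dst": "10.10.1.10", "port": 23, "action": "permit"},
    {"src": "0.0.0.0/0", "dst": "10.10.1.20", "port": 443, "action": "permit"},
    {"src": "0.0.0.0/0", "dst": "10.10.1.0/24", "port": "any", "action": "permit"},
]

def inside_esp(ip):
    return any(ip_address(ip) in net for net in ESP_NETWORKS)

def review_esp(ccas=CCAS, rules=RULES):
    """Return a list of finding strings; an empty list means no gaps found."""
    findings = []
    by_ip = {a["ip"]: (name, a["needed_ports"]) for name, a in ccas.items()}
    for name, asset in ccas.items():
        if not inside_esp(asset["ip"]):
            findings.append(f"{name} ({asset['ip']}) is a CCA but sits outside every ESP")
    for i, r in enumerate(rules, 1):
        if r["action"] != "permit":
            continue
        src = ip_network(r["src"])
        if any(src.subnet_of(net) for net in ESP_NETWORKS):
            continue  # traffic originating inside the ESP is not perimeter access
        dst = ip_network(r["dst"])
        for ip, (name, needed) in by_ip.items():
            if ip_address(ip) not in dst:
                continue
            if r["port"] == "any":
                findings.append(f"rule {i}: permits any port from {r['src']} to {name}")
            elif r["port"] not in needed:
                findings.append(f"rule {i}: permits port {r['port']} to {name}, not in its documented ports")
    if not rules or rules[-1]["action"] != "deny" or rules[-1]["src"] != "0.0.0.0/0":
        findings.append("policy does not end with an explicit deny-all rule")
    return findings
```

Against the constructed data the review reports the RTU gateway outside the ESP, the telnet rule, the any-port rule (once per CCA it reaches) and the missing final deny.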

Of course, the demands of operating critical infrastructure are very different from the requirements of a typical enterprise network. Firms like Industrial Defender Inc., which focus solely on serving critical infrastructure providers, note that while data integrity and confidentiality are important, system availability is the most important consideration for utilities and other critical infrastructure companies. That tends to change both the types of security technologies that are deployed and the way in which they are used post-deployment. The use of technologies like antimalware, vulnerability scanning and patch distribution tools needs to be carefully monitored to prevent disruptions in the availability of critical cyber assets. A variety of tools and technologies exist that can ameliorate these concerns, from application whitelisting to maintain system integrity, to managed security services such as firewall monitoring, vulnerability scanning, log management and security information and event management delivered by providers with expertise in critical infrastructure.

What are the penalties for noncompliance?

Penalties for not complying with the NERC CIP are levied by NERC (as the ERO), or by regional entities that have been delegated by NERC to act as enforcers. These penalties can include the levying of fines as well as sanctions or other actions against covered entities -- power owners, operators and users of the bulk electric system.

Given that NERC is a transnational organization covering both the U.S. and Canada, the exact penalties vary from country to country. In the U.S., the Federal Power Act permits NERC or regional entities to impose civil penalties of up to $1 million per day, per violation, so long as the penalty is proportional to the seriousness of the violation. NERC's Sanctions Guidelines Document lays out some of the factors that the organization uses to determine the seriousness of the violation, including the risk it poses to the overall reliability of the bulk electric system, deliberate violations, the cooperation received from the organization in reporting or responding to the violation, any attempts to conceal the violation, the quality of the organization's overall compliance program and so on.

Paul F. Roberts is a senior analyst at The 451 Group in New York.
