NERC is the North American Electric Reliability Corporation. Its job is to develop and enforce the reliability standards for the North American bulk power system. Essentially, NERC watches over the large generating stations and high-voltage transmission networks that move bulk quantities of electrical power throughout the United States, Canada and part of Mexico.
Obviously, that job is crucial, since most of the things in your house run on electricity. NERC is responsible for the NERC CIP standards, the Critical Infrastructure Protection standards. These put NERC in charge of the security of Electronic Security Perimeters and the Cyber Assets inside them. In short, NERC is responsible for the reliability of the bulk power system across North America, from cyber and physical security through to recovery planning after an incident. And here you thought your job was hard.
The scope of NERC CIP compliance is staggering. The standards are not only meant to secure vital power systems all over North America; every entity operating those systems must also demonstrate that it is NERC CIP compliant. In this article, we will break down who must comply, the NERC CIP compliance requirements, the benefits of compliance and the penalties for falling short, among other things. If you've ever had any questions about NERC CIP, you've come to the right place.
Who Needs to be NERC CIP Compliant?
Anyone who owns, operates or uses the bulk power system must abide by the NERC CIP compliance requirements. That raises the question: what is a bulk power system? For starters, a bulk power system isn't your PS4 combined with a giant TV and a surround sound system. You don't need to be NERC CIP compliant for that. A bulk power system is the combination of large electric generation plants and the high-voltage transmission network that connects them. These aren't the small local distribution facilities you see in your neighborhood, but rather the large facilities that deliver power to your local utility in the first place.
What is Required to Become NERC CIP Compliant?
To become NERC CIP compliant, owners, operators and users of the bulk power system must satisfy two basic elements of compliance: reliability and security. Reliability refers to the bulk power system's ability to deliver power to customers, at the correct frequency and voltage, essentially at all times. The world runs on power: people pay for it and expect it to be there. Bulk power systems must be, within reason, prepared for unexpected outages and periods of high demand. The balance between supply and demand must be monitored and met consistently.
The security portion of NERC CIP compliance has changed over the years. Initially, bulk power systems were only required to be prepared for unexpected power interruptions and short circuits caused by inclement weather. Today is a new day with new threats. The danger of deliberate attacks, both physical and cyber, is very real, and vital infrastructure assets are ideal targets. Therefore, to be NERC CIP compliant, systems must now be safeguarded against man-made threats: firewalls, physical access controls and the bulk power systems themselves must be secured to a much higher level.
NERC CIP Compliance Requirements:
Since 2008 the NERC CIP requirements have undergone five major revisions, leading to CIP version 5. Here, we will briefly summarize the 11 standards in the current NERC CIP set. Additional standards are in development and will be added in the near future.
- CIP-002 BES Cyber System Categorization: This covers identifying BES Cyber Systems and categorizing them according to their impact on the bulk electric system. Control centers with high impact must be identified and grouped. The same is true for large generation plants and transmission stations (medium impact). Other, lower-impact facilities fall into their own (low-impact) category.
- All BES Cyber Assets must be identified, along with the way they communicate (routable IP or serial connectivity).
- All Cyber Assets connected to the Bulk Electric System (BES) must also be identified, and their condition assessed and recorded.
- CIP-003: Security Management Controls: Management must have a documented cyber security policy and program in place. A CIP Senior Manager must be named and held accountable for it.
- CIP-004: Personnel and Training: All personnel with access to BES Cyber Systems must complete cyber security training.
- Background checks (personnel risk assessments) are mandatory.
- Anyone with physical or electronic access to controls must have their own unique credentials, and that access must be revoked promptly when no longer needed.
- CIP-005: Electronic Security Perimeters: Every BES Cyber System connected via a routable protocol must sit inside a defined Electronic Security Perimeter.
- Firewalls and other perimeter devices must be configured and maintained according to documented policy.
- Electronic Access Points into the perimeter must be identified and secured, and remote interactive access must be controlled.
- Cyber security protections are required for all BES Cyber Systems and their Cyber Assets.
- CIP-006: Physical Security Perimeter of BES Cyber Systems: Physical perimeters and access points must be defined, restricted and maintained.
- Restrict physical access to authorized personnel.
- Maintain visual surveillance.
- Keep a log of all entry and exit activity.
- Alarms must be active and functional.
- Keep physical access controls in place and working for all BES Cyber Systems.
- CIP-007: Systems Security Management: All systems must be kept up to date and maintained by authorized personnel.
- Minimize enabled logical network-accessible ports and services.
- Ensure that security patches and other cyber security controls are kept up to date.
- Install intrusion prevention/detection systems.
- Ensure that anti-virus and anti-malware protections are installed and up to date.
- Maintain cyber attack readiness, including security event monitoring and alerting.
- Manage individual accounts and enforce password strength requirements.
- CIP-008: Incident Reporting and Response Planning: Any incident, big or small, must be handled, reported and analyzed.
- Put in place a Cyber Security Incident response team and plan.
- Ensure that processes for tracking and reporting incidents are in place.
- CIP-009: Recovery Plans for BES Cyber Systems: In the case of a cyber attack or other failure, a plan must be in place to restore BES Cyber Systems to operation.
- Any damaged, destroyed or failed asset must be covered by a recovery plan.
- Proper replacement parts and backups must be available for both hardware and data components.
- CIP-010: Configuration Change Management and Vulnerability Assessments: The current security configuration must be monitored for any unauthorized changes.
- The baseline configuration must not change unless authorized by the appropriate personnel.
- Any and all changes must be documented.
- The baseline configuration must be verified periodically; the standard requires monitoring for unauthorized changes at least every 35 calendar days for the systems it applies to.
- A vulnerability assessment is mandated at least once every 15 calendar months.
- CIP-011: Information Protection: BES Cyber System Information, whether in transit or at rest on servers, must be protected.
- Control any and all access to BES Cyber System Information repositories.
- Protect sensitive data in transit, and sanitize or destroy media before reuse or disposal.
- CIP-014: Physical Security: Critical transmission stations, substations and their primary control centers must be physically secured.
- Determine the most vulnerable or critical system facilities.
- Assess the area of weakness that aggressors may use as a means of attack.
- Put in physical barriers to maintain a proper perimeter.
- Undergo 3rd party review of physical security precautions.
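The CIP-007 and CIP-010 items above both come down to one question an auditor will ask: "What is this system's baseline, and how do you know it has not changed without authorization?" The following is an added example (not RSI Security's or NERC's code) of a baseline drift check. It records the five attributes CIP-010 R1.1 asks an entity to baseline (OS or firmware, commercial/open-source software, custom software, logical network-accessible ports and applied security patches), diffs an observed state against the baseline, and classifies each difference as authorized (matched by an approved change record) or unauthorized. The asset name, version strings, ports and the change record are constructed sample data.

```python
"""Baseline-configuration drift check in the spirit of CIP-010 R1/R2 and CIP-007 R1.

Added example, not RSI Security's or NERC's code. All asset names, versions,
ports and change records below are constructed sample data.
"""
from dataclasses import dataclass

# The five baseline attributes named in CIP-010 R1.1.
BASELINE_ATTRIBUTES = ("os", "software", "custom_software", "ports", "patches")


@dataclass(frozen=True)
class Baseline:
    asset: str
    os: str                      # operating system or firmware, e.g. "VxWorks 6.9"
    software: frozenset          # commercial / open-source packages
    custom_software: frozenset   # in-house scripts and applications
    ports: frozenset             # (protocol, port) pairs that are network-accessible
    patches: frozenset           # security patches applied


@dataclass(frozen=True)
class Deviation:
    asset: str
    attribute: str
    added: frozenset
    removed: frozenset
    authorized: bool             # True only if every change is covered by a change record


def compare(baseline, observed, authorized_changes):
    """Diff an observed state against its baseline, one Deviation per changed attribute.

    authorized_changes is a set of (asset, attribute, item, action) tuples with
    action "add" or "remove"; an approved change request would populate it.
    """
    deviations = []
    for attr in BASELINE_ATTRIBUTES:
        old, new = getattr(baseline, attr), getattr(observed, attr)
        if attr == "os":  # a single string; treat it as a one-element set
            old, new = frozenset([old]), frozenset([new])
        added, removed = frozenset(new - old), frozenset(old - new)
        if not added and not removed:
            continue
        authorized = all((baseline.asset, attr, i, "add") in authorized_changes for i in added) and \
            all((baseline.asset, attr, i, "remove") in authorized_changes for i in removed)
        deviations.append(Deviation(baseline.asset, attr, added, removed, authorized))
    return deviations


def unauthorized(deviations):
    """Filter down to the deviations that need an incident ticket, not a sign-off."""
    return [d for d in deviations if not d.authorized]


# Constructed sample: an RTU whose approved baseline exposes Modbus/TCP and SSH.
BASELINE = Baseline(
    asset="RTU-07",
    os="VxWorks 6.9",
    software=frozenset({"modbus-gateway 2.1"}),
    custom_software=frozenset({"load-shed-script 1.0"}),
    ports=frozenset({("tcp", 502), ("tcp", 22)}),
    patches=frozenset({"SEC-2018-01"}),
)

# Constructed observed state: a patch was applied (approved), and telnet appeared (not approved).
OBSERVED = Baseline(
    asset="RTU-07",
    os="VxWorks 6.9",
    software=frozenset({"modbus-gateway 2.1"}),
    custom_software=frozenset({"load-shed-script 1.0"}),
    ports=frozenset({("tcp", 502), ("tcp", 22), ("tcp", 23)}),
    patches=frozenset({"SEC-2018-01", "SEC-2018-04"}),
)

# Constructed change record: only the patch was authorized through change management.
AUTHORIZED_CHANGES = {("RTU-07", "patches", "SEC-2018-04", "add")}


def check_sample():
    """Run the sample comparison; returns the list of Deviation records."""
    return compare(BASELINE, OBSERVED, AUTHORIZED_CHANGES)


if __name__ == "__main__":
    for d in check_sample():
        status = "authorized" if d.authorized else "UNAUTHORIZED"
        print(f"{d.asset} {d.attribute}: +{sorted(d.added)} -{sorted(d.removed)} [{status}]")
```

Run against the sample data, the check reports the new patch as an authorized deviation and the newly listening telnet port as an unauthorized one; the latter is exactly what CIP-007's "minimize ports and services" and CIP-010's change-monitoring requirement are meant to catch. In practice the observed state would come from the device itself (a port scan from inside the ESP, a package inventory, a firmware version query), and the change records from the entity's change-management system.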
NOTE: This is a brief summary of the NERC CIP standards. Beneath these 11 standards sit roughly 45 detailed requirements, each with its own sub-parts, that are considerably more involved. Review the full NERC CIP standards text if you need the exact requirements.
Who Needs NERC CIP and Why?
As we mentioned previously, any owner, operator or user of the bulk electric system (BES) must comply with the NERC CIP standards. NERC maintains a registry of the entities that operate any portion of the BES, and its compliance and enforcement page explains how those entities are identified.
The why, in a word, is safety. In 2018, just about everything we use runs on some type of power, most of it electric. We may not realize it, but without electricity many people's lives could be at stake, whether they rely on machines to help them breathe or simply on air conditioning in the desert during the summer. As of 10 years ago, NERC's preoccupation was primarily outages and damage relating to storms and other inclement weather. Over the past decade, however, NERC has increasingly added CIP standards to protect critical infrastructure assets against man-made threats, including terrorism and cyber attack.
More and more, due to our dependence on electricity, bulk electric systems have become targets for attacks of both the physical and the cyber variety. By damaging or gaining access to critical infrastructure assets, people with bad intentions could do untold amounts of damage. That is why NERC CIP isn't optional or voluntary: compliance is mandatory and is verified through audits by NERC and its Regional Entities.
What Are the Benefits of NERC CIP Compliance?
While NERC CIP can appear cumbersome, there is a reason for all the hoop jumping. Don't look at NERC CIP as a set of difficult requirements to meet, but rather as an opportunity to improve your existing infrastructure and security. If done properly, meeting the NERC CIP requirements provides a number of benefits. After passing all the requirements you have:
- Improved operational control
- Upgraded environmental awareness
- Enhanced understanding of costs
- Improved readiness for disruptions
- Refined power-grid protection
The NERC CIP compliance requirements are extensive and naturally cause some headaches. Nevertheless, the requirements exist for the good of everyone. While putting in a proper system may be expensive, retrofitting legacy systems to meet new requirements piecemeal will likely cost more. The requirements are designed to produce a more efficient, secure and productive system while lowering operating costs. The changeover may temporarily drive you up a wall, but once you have end-to-end reliability across your integrated substation network, it should make your life much easier.
What are the Penalties for Non-Compliance & How Does it Work?
NERC is empowered by regulators in the U.S. and Canada to impose fines, sanctions and other penalties on any owner, operator or user of the bulk electric system found in violation of the standards. Fines can reach up to $1 million per day, per violation, with the penalty scaled to the gravity of the violation. NERC's sanction guidelines describe how fines are levied. Most often, the size of the fine depends on the risk the violation posed to the reliability of the system, the degree of cooperation from the organization, whether the violation was intentional, and any attempt at concealment.
Tips on Compliance:
To avoid fines and achieve compliance, here are a few quick tips:
- Do a mock audit: Audits are important. In many ways, they hold the financial solvency of your business in their hands. So what do people typically do before important events? They practice. A mock audit gives you a chance to hear the questions you may be asked, see what evidence you will need to show, and so on. Preparedness goes a long way in showing the auditor you run a tight ship.
- Show your work: Just like in math class, you can't just give the answers. You may be able to hand the auditor a checked-off list, but typically that won't be sufficient. They will ask what processes led to each item being checked off, and they need evidence (logs, change records, training records) of how you got there.
- Listen, don't argue: When auditors are sent into the field, they are instructed to help entities achieve compliance, not to hunt for reasons they haven't. Their questions and advice are not for their own benefit and are likely to be sound. Remember that these auditors see hundreds, if not thousands, of systems. They have knowledge and perspective that can be helpful, or downright system saving.
- It won't be perfect: This follows on from the previous point, but be prepared for difficulties. Audits are not meant to be easy, and they rarely run smoothly. Thousands of lives are at stake, not to mention the auditor's own accountability. They will have findings and suggestions. Listen politely and do your best to implement them.
NERC CIP compliance is, unfortunately, an ever-changing target. As we mentioned, new NERC CIP standards are in development and will likely force more changes upon your system. Your best bet at not tearing your hair out is to look at these standards as an opportunity to maximize the efficiency and productivity of your entity. If you’d like some hands-on help with cybersecurity solutions to protect your business, RSI Security is here to help.