The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority that ensures the security of bulk power systems (BPS) across all of North America. NERC’s primary responsibilities include defining and enforcing standards that safeguard against physical, cyber, and other threats. These protections keep power flowing to all North American populations.
Without the foundation of well-thought-out standards and procedures to protect your company, you are putting it at risk. For some companies, it can be difficult to figure out which standard is the best fit for them. Luckily, the North American Electric Reliability Corp. (NERC) provides standards that help with exactly that. They help you prepare for any possible cyber threat coming your way, and you do not have to struggle to understand what each standard asks of you.
The North American Electric Reliability Corporation (NERC) is a non-profit international regulatory authority that monitors large electric power stations and ensures the safety of the Bulk Electric System (BES) in the United States, Canada and parts of Mexico.
Given the increased sophistication of cybercriminals, it’s important to not only protect the physical assets of organizations, but also the data and information assets. A breach of any of these assets can have catastrophic effects on the safety of both IT infrastructure and human lives.
What does NERC CIP stand for and how does it apply to cybersecurity? Find out everything you need to know from the experts at RSI Security.
Who Needs NERC CIP and Why?
Every owner, user, and operator of the Bulk Electric System (BES) must comply with the NERC CIP compliance guide.
This is essential to ensure the security of both human lives and critical public infrastructure. The cost and risk of a mass power outage can be devastating. For instance, a cybersecurity breach that causes a power outage can be fatal: hospitals tending to patients who depend on electrically powered ventilators may lose those patients and even be forced to shut down.
A major concern also involves the threat of cyber terrorists who wish to target bulk electric systems to cause a large-scale disaster. Without the NERC CIP standards in operation, a breach in cybersecurity can have adverse effects on critical assets like control systems, data acquisition systems, and networking equipment.
Benefits of NERC CIP Compliance
Being compliant with the NERC CIP Standards comes with benefits for owners, operators, and users of Bulk Electric Systems (BES). Read on to see these benefits.
Audit Ready Electronic Security Perimeter
A key benefit of being NERC CIP compliant is that it makes your organization’s Electronic Security Perimeter (ESP) audit-ready. The ESP is the logical boundary around your BES cyber systems that protects them against electronic intrusions.
Cyber Asset Security Management Risk
By complying with NERC CIP, your organization gains a cybersecurity framework for the protection of its critical cyber assets. This reduces the risk of cyber-attacks and of losing important data and information which, once lost, may be irrecoverable.
Customer Trust and Organizational Reputation
By complying with the NERC CIP standards, the necessary structure to combat cybercrime is in place. This cuts down the risk of unwanted attacks which can be injurious to your Bulk Electric System (BES).
In the long run, the level of customer trust increases, and your organization’s reputation follows suit.
Implementation of Information Security Program
Data management is essential to the existence of your organization. Being NERC CIP compliant gives you access to information security programs to help manage your data and information.
Effective Incident Response Planning
Having a sophisticated cybersecurity network is great, but it won’t mean much if your IT personnel are not up to scratch.
With compliance to NERC CIP standards, your organization has access to high-class knowledge and skills to address issues like data loss and service outages that put daily work at risk. This gives your organization an edge over cyber attacks.
NERC CIP Services
Given the real threat of cyber-attack, NERC CIP services offer regulations that can keep these threats to a minimum. Three of these services are:
With NERC CIP standards, comprehensive measures are put in place to greatly minimize the risk of a catastrophic cyber-attacks on the Bulk Electric System (BES).
By leveraging the rigorous regulations of NERC CIP with your internal security efforts, you tie up loose ends and make life difficult for malicious elements looking to breach your cybersecurity system.
Bearing in mind that hackers are continually upping their game to wreak havoc, your organization needs to stay proactive to prevent being caught unawares. By keeping a proactive approach, your organization can examine possible scenarios that can give rise to a cybersecurity breach and put adequate measures in place to nullify them.
Owners and operators of bulk electric systems are required to carry out a risk analysis that brings them into line with accepted standards.
Given the significant risk that may occur to the economy, human health, and safety of people impacted by a cyberattack on the bulk electric systems, organizations are constantly putting measures in place to prevent a nightmare.
It’s therefore of immense benefit to both owners and the general public to adopt a standard operation to govern all bulk electric systems.
Overview of NERC CIP Standards
Listed below are the eleven NERC CIP Standards that all bulk power stations must adhere to. Keep in mind, however, that there are other important requirements listed in the NERC CIP compliance guide:
CIP 002: BES Cyber System Categorization
This involves the categorization of BES Cyber Systems based on their impact and vulnerability. This is important so that appropriate measures can be applied to ensure reliable operation of each BES Cyber System.
CIP 003: Security Management Control
This process provides for a clear line of authority: every Bulk Power Station must have a documented security policy in place which stipulates that managers do not have undocumented authority.
CIP 004: Personnel and Training
All employees must be subject to cybersecurity program training. This also demands that everyone with access to the BES cyber system must be authorized for such access.
CIP 005: Electronic Security Perimeter (ESP)
All perimeters, whether physical or electronic, must be secured. This provides a layer of defense against network-based attacks and assists in containing any successful attack.
CIP 006: Physical Security of BES Cyber System
This ensures that the BES cyber system is always monitored and restricted from unauthorized physical access by employing Physical Access Control Systems (PACS).
CIP 007: System Security Management
All security controls must be kept up to date and maintained by authorized personnel. This is achieved by monitoring software for security vulnerabilities, detecting unauthorized access, and ensuring all authorized individuals are authenticated before gaining access.
CIP 008: Incident Reporting and Response
This procedure allows for a robust incident response capability necessary to detect incidents, minimize loss and destruction, and restore computing services in record time.
CIP 009: Recovery Plan for BES Cyber System
In the case of a cyber-attack, having a recovery plan in place is a lifeline in a crisis situation. The ability to re-establish cyber systems after a security breach is what this process achieves.
CIP 010: Configuration Change Management and Vulnerability Assessment
This process prevents unauthorized modification of the BES cyber system. An annual security assessment for cyber vulnerabilities is also mandated.
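The change-management half of CIP 010 comes down to one mechanism: hold an approved baseline of each configuration, compare the live state against it, and treat every deviation that has no approved change record as unauthorized. The script below is an added example written for this page, not RSI Security's or NERC's own tooling; the file paths, contents and the change-ticket id CHG-0042 are constructed sample data, and a real deployment would read the current state from the monitored host and the approved changes from the change-management system.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample data: a baseline captured from a hypothetical substation
# HMI host. Paths and contents are invented for this example.
BASELINE_CONFIGS: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/opt/hmi/app.conf": b"listen=127.0.0.1:8443\nlog_level=info\n",
    "/etc/ntp.conf": b"server ntp.substation.example iburst\n",
}

# Constructed "current" state of the same host at the next scheduled check.
CURRENT_CONFIGS: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # changed, no ticket
    "/opt/hmi/app.conf": b"listen=127.0.0.1:8443\nlog_level=debug\n",           # changed, ticket CHG-0042
    "/etc/cron.d/vendor": b"* * * * * root /opt/vendor/agent\n",                 # new file, no ticket
    # /etc/ntp.conf is absent: removed without a ticket
}

# Constructed change-management records: path -> approved change ticket id.
APPROVED_CHANGES: Dict[str, str] = {"/opt/hmi/app.conf": "CHG-0042"}


def fingerprint(content: bytes) -> str:
    """SHA-256 of the configuration content; any byte change alters the digest."""
    return hashlib.sha256(content).hexdigest()


def build_baseline(configs: Dict[str, bytes]) -> Dict[str, str]:
    """Map each configuration path to the digest of its content."""
    return {path: fingerprint(data) for path, data in configs.items()}


def detect_changes(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Diff the current state against the baseline and classify each deviation."""
    current_fp = build_baseline(current)
    added = sorted(set(current_fp) - set(baseline))
    removed = sorted(set(baseline) - set(current_fp))
    modified = sorted(
        path for path in baseline.keys() & current_fp.keys()
        if baseline[path] != current_fp[path]
    )
    return {"added": added, "removed": removed, "modified": modified}


def reconcile(changes: Dict[str, List[str]], approved: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Split deviations into those backed by an approved change record and those that are not."""
    authorized: List[Tuple[str, str]] = []
    unauthorized: List[Tuple[str, str]] = []
    for kind in ("added", "removed", "modified"):
        for path in changes[kind]:
            (authorized if path in approved else unauthorized).append((kind, path))
    return {"authorized": authorized, "unauthorized": unauthorized}


def audit(baseline_configs: Dict[str, bytes], current_configs: Dict[str, bytes],
          approved: Dict[str, str]) -> dict:
    """Full baseline audit: build the baseline, diff the live state, reconcile against tickets."""
    baseline = build_baseline(baseline_configs)
    changes = detect_changes(baseline, current_configs)
    return {"changes": changes, **reconcile(changes, approved)}


if __name__ == "__main__":
    report = audit(BASELINE_CONFIGS, CURRENT_CONFIGS, APPROVED_CHANGES)
    for kind, path in report["unauthorized"]:
        print(f"UNAUTHORIZED {kind:<8} {path}")
    for kind, path in report["authorized"]:
        print(f"approved     {kind:<8} {path} ({APPROVED_CHANGES[path]})")
```

Run against the constructed data, the audit flags the sshd change, the removed NTP configuration and the new cron job as unauthorized, while the logging change covered by CHG-0042 is reported as approved. The baseline digests should be stored and, ideally, signed somewhere the monitored host cannot write to, otherwise whoever alters the configuration can alter the baseline to match.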
CIP 011: Information Protection
Data, whether in transit or at rest on the server, must be protected and secured. When a BES system is disposed of, due process must be followed to prevent unauthorized access to the BES System information it holds.
CIP 014: Physical Security
This procedure is in place to uncover potential threats, weaknesses, and risks that could occur in the event of an attack on physical assets. This also ensures that there is a plan to protect assets from physical attacks which should be verified by an independent third party.
Regardless of the threat of cybercriminals looking to infiltrate your cyber assets, you don’t have to lose sleep. All you need are the services of experts to secure your cyber assets and bring you on par with the NERC CIP standards. This is where RSI Security comes in.
RSI Security offers a full range of cybersecurity services that provide reliable and scalable cybersecurity resources. With a wealth of experience working with organizations like yours, RSI Security has in-depth knowledge of your cybersecurity needs and NERC CIP standards.
We are very interested in partnering with you. Contact us today to enjoy all the marvelous services we offer.
NERC is the North American Electric Reliability Corporation. Their job is to monitor and maintain the standards for the North American “Bulk power transmission.” Essentially, NERC watches over all large electrical power stations and the dispersion of large amounts of electrical power throughout the United States, Canada and Mexico.
Although usually taken for granted, Critical Infrastructure connects east to west, north to south, and ensures businesses and homes can operate on a daily basis. With the news reports of hurricanes, mudslides, and fires, it’s easy to think that natural disasters are the main threat against such infrastructure. However, cyber attacks increasingly threaten the functionality of Critical Infrastructure. Even in the cybersecurity world, the top priority tends to lean toward information security. To draw more attention to the vulnerabilities of Critical Infrastructure and to improve industry cyber security standards, the North American Electric Reliability Corporation (NERC) formulated a Critical Infrastructure Protection (CIP) plan. The NERC CIP standards work to improve the security and infrastructure protection of North America’s bulk power system by protecting physical and cyber assets.
Security threats against utilities have been a constant focus for bulk power systems (BPS) for decades. After a massive outage on August 14, 2003, 50 million people in the Northeastern United States (U.S.) and parts of Canada were left without power for most of the evening. The problem that federal authorities dealt with in the aftermath of the blackout was how to handle those responsible for it. Since there were no federal regulations covering a blackout of this magnitude and no federally mandated processes that BPS operators needed to follow, it was impossible to fine those responsible.
The electric utility industry is built on a foundation that requires an ultimate level of security to operate effectively. As hackers multiply and their level of sophistication increases rapidly, the electric utility industry must also evolve its cybersecurity defense capabilities. A recent survey of 140 North American electric utilities found that 88% of respondents expect cyberattacks to increase within the next 2 to 3 years. That figure is meteoric and most likely slightly distressing for those bulk power system (BPS) operators that haven’t gotten up to speed on patching their software vulnerabilities quite yet.
Access to a stable power source is a central component of our daily lives in the modern United States. Power generation, transmission, and delivery has been designated critical infrastructure in the United States, and as such is subject to heightened regulatory scrutiny and security requirements.
One of the most important regulatory bodies ensuring the security of our critical power infrastructure is the North American Electric Reliability Corporation (NERC). NERC is a not-for-profit corporation that has been granted regulatory authority over the bulk power delivery system in the United States. Maintaining compliance with NERC regulatory standards is an ongoing requirement for entities that fall within the scope of the bulk power system. In this article, we’ll break down what NERC is, what NERC does, and outline how entities within the bulk power system can achieve NERC compliance through a NERC compliance program.
Flashback to August 14, 2003, when North America experienced its worst blackout to date, with more than 50 million people losing power in the Northeastern and Midwestern United States and parts of Canada. Less than 3 years prior to this massive blackout, the North American Electric Reliability Corporation (NERC) had been appointed as the electric utility industry’s primary point of contact with the U.S. government for national security and critical infrastructure protection issues. After nearly eight (8) months of investigation into the record-breaking blackout, NERC found that future blackouts could be prevented by making Reliability Standards mandatory and enforceable through the U.S. federal government.