Without a foundation of well-thought-out standards and procedures to protect your company, you are putting it at risk. For some companies, it can be difficult to figure out which standard is best for them. Luckily, the North American Electric Reliability Corp. (NERC) provides standards that help with exactly that: they help you prepare for possible cyber threats, and you do not have to struggle to understand what each standard asks of you.
There are about 40 rules and almost 100 sub-requirements in the NERC Critical Infrastructure Protection (CIP) standards. Fortunately, we have made them simple for you in the article below: a compiled list of recently updated standards, with explanations of what each one expects of your cybersecurity program.
To learn more about critical infrastructure protection standards, you need to research them and be able to comprehend what you read. Read more about the CIP standards and how to implement them below.
What Does NERC CIP Stand For?
CIP stands for Critical Infrastructure Protection; the standards were created and are enforced by the North American Electric Reliability Corp. (NERC). Since cybersecurity attacks on company infrastructure are on the rise, it is important to maintain these standards. Understanding them does not have to be difficult.
One may think that these standards deal only with technology, but their focus is on the procedures and policies that are in place. NERC CIP consists of 11 standards for protection against cybersecurity attacks. Not only do they offer protection, they also offer the opportunity to build protection plans and habits within your company.
NERC CIP Standards
These Critical Infrastructure Protection (CIP) standards change frequently and are constantly being reviewed so that they remain the most accurate cybersecurity standards available. It is important for you and your company to keep an eye out for any updated standards.
So, how many CIP standards are there? There are about 11 standards that help with the reliability of your cybersecurity system, though NERC plans on introducing more in the future.
Within the standards, there are references to “critical assets” and “responsible entities”. Critical assets can include virtual machines, virtual storage, control systems, and data systems, and you cannot forget the hardware platforms that run those virtual machines and storage.
Responsible entities are: transmission owners, transmission operators, transmission service providers, reliability coordinators, balancing authorities, interchange authorities, generator operators, generator owners, and load-serving entities.
Although these definitions are not repeated in the run-throughs of the standards below, you can find them on the official NERC website. If you want to give your company’s security program the best protection, be sure to follow these CIP standards.
BES Cyber System Categorization (CIP-002-5.1a)
‘BES’ stands for Bulk Electric System, and the CIP standards require you to identify and group your BES Cyber Systems by priority. Along with the categorization, you will need to decide which of these assets are the most vulnerable or which your company or website depends on most.
Following this standard will help when you submit to the NERC Compliance Registry, while also helping with observation objectives.
Security Management Controls (CIP-003-6)
This standard is in place for you to define the security management controls your company needs most. It is important to follow this standard because it gives your company protection from threats and ensures accountability.
Some of the things covered within CIP-003-6 are leadership policies, exceptions, access control, change control, and cybersecurity policies. Being mindful of these policies can have a positive impact on your company.
Personnel and Training (CIP-004-6)
This standard focuses on the training and security measures taught to your employees. It is important to perform personnel screenings and apply risk assessments to prevent liabilities that may arise from your own systems or employees.
Another precaution you should follow is to maintain access lists that can only be reached through credentials. These lists should include information such as your service providers and contractors.
This procedure also requires an annual check-up, with documentation that allows you to review and update the training and programs provided.
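The annual access review described above is easier to show than to describe, so here is an added example of the reconciliation step. It is not code from the article or from NERC; it assumes a constructed authorized-access list (employees, contractors and service providers, each with the systems they may reach, a review due date and an optional termination date) and a constructed inventory of the accounts that actually exist on each system. The one-day revocation window is a parameter chosen for the example, not a value the article states.

```python
"""Reconcile an authorized-access list against the accounts that really exist.

Added example for an annual access review. All data below is constructed;
the authorized list, the account inventory and the revocation window are
assumptions for illustration.
"""
from datetime import date, timedelta

# Constructed authorized-access list: who may reach which systems.
AUTHORIZED = [
    {"person": "j.doe", "org": "employee", "systems": {"hmi-01", "hist-01"},
     "review_due": date(2025, 1, 15), "terminated": None},
    {"person": "vendor-svc", "org": "service provider", "systems": {"rtu-01"},
     "review_due": date(2024, 11, 1), "terminated": None},
    {"person": "a.smith", "org": "contractor", "systems": {"hmi-01"},
     "review_due": date(2025, 3, 1), "terminated": date(2024, 6, 1)},
]

# Constructed account inventory: system -> {account name: person it belongs to}.
ACCOUNTS = {
    "hmi-01": {"jdoe": "j.doe", "asmith": "a.smith", "admin2": "unknown"},
    "hist-01": {"jdoe": "j.doe"},
    "rtu-01": {"svc": "vendor-svc"},
}


def review_access(authorized, accounts, today, revoke_within=timedelta(days=1)):
    """Return (finding, system, account, person) tuples for every account that
    is not cleanly authorized as of `today`.

    Findings:
      unauthorized        account has no matching entry on the access list
      revocation pending  person was terminated within the revocation window
      revocation overdue  person was terminated longer ago than the window
      review overdue      the periodic review date for this access has passed
    """
    by_person = {entry["person"]: entry for entry in authorized}
    findings = []
    for system, accts in sorted(accounts.items()):
        for account, person in sorted(accts.items()):
            auth = by_person.get(person)
            if auth is None or system not in auth["systems"]:
                findings.append(("unauthorized", system, account, person))
            elif auth["terminated"] is not None:
                overdue = today > auth["terminated"] + revoke_within
                status = "revocation overdue" if overdue else "revocation pending"
                findings.append((status, system, account, person))
            elif today > auth["review_due"]:
                findings.append(("review overdue", system, account, person))
    return findings


def stale_authorizations(authorized, accounts):
    """People on the access list who hold no account anywhere (list hygiene)."""
    active = {person for accts in accounts.values() for person in accts.values()}
    return sorted(entry["person"] for entry in authorized if entry["person"] not in active)


if __name__ == "__main__":
    for finding in review_access(AUTHORIZED, ACCOUNTS, date(2024, 12, 1)):
        print(*finding)
    print("stale:", stale_authorizations(AUTHORIZED, ACCOUNTS))
```

Each finding names the system and account so the reviewer can act on it directly; the terminated-contractor case is separated from a simple unauthorized account because the two call for different follow-up (a missed revocation process versus an unexplained account).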
Electronic Security Perimeters (CIP-005-5)
This standard was written to put a primary focus on your perimeter and on the efforts to deal with any vulnerabilities that may be encountered virtually. Your perimeter should be protected at all costs, since it holds all of your cybersecurity assets.
Some of the key components that can be included under this standard are: anti-malware updates, patch updates, encryption, using and installing the Extensible Authentication Protocol (EAP), and having multi-factor authentication in place.
Physical Security of BES Cyber Systems (CIP-006-6)
This standard deals with the physical security perimeter and helps you implement a physical security program. The goal of the physical perimeter program is to create controls that help with controlling access to and protecting your systems.
Not only do you need to create controls, you also need to address the security zones of your system. The requirements of this standard are: protection of your systems, physical access controls, physical monitoring, physical access logging, and maintenance of your security program.
System Security Management (CIP-007-6)
This standard is not too complicated to understand. It simply asks that you create, put into effect, and maintain procedures for your security system. Besides accomplishing those things, you must also document any security measures.
Along with the documentation of the security measures, you have to include records of test procedures, ports and services, prevention of potentially damaging software, and patch management.
Incident Reporting and Response Planning (CIP-008-5)
This CIP standard focuses on security breaches being identified, responded to, and reported. You will want to create an incident response plan that includes the roles and responsibilities of those involved in the plan, as well as the actions to take.
The details of security incidents should also be recorded within the incident response plan and reported to whoever is in charge. Your plan will need to be updated and tested annually for how applicable it still is.
Recovery Plans for BES Cyber Systems (CIP-009-6)
As the title says, this standard’s focal point is the recovery plan for your security system. Your recovery plan should line up with the requirements for BES Cyber Systems. Some of the requirements are change control, backup and restoration processes, and, finally, backup media.
Configuration Change Management and Vulnerability Assessments (CIP-010-2)
Change management and vulnerability assessment is a valuable standard that CIP has in place. It prompts you to detect as well as prevent unauthorized changes. This ensures that any changes made to the system will not put it in jeopardy and prevents misoperation.
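Detecting unauthorized changes, as this standard asks, comes down to comparing a documented baseline of each system against its current state and then checking every difference against an approved change record. The block below is an added example of that comparison; it is not code from the article or from NERC. It assumes a constructed baseline per device covering the operating system, installed software versions, listening ports and applied patches (the ports-and-services and patch-management records that the System Security Management section above says must be documented), a current snapshot in the same shape, and a constructed list of approved changes. Device names, versions and patch identifiers are all made up for the example.

```python
"""Baseline comparison for change detection.

Added example. The baseline, the current snapshot and the approved change
records are constructed data; the record shape is an assumption made for
illustration, not a format defined by the standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Deviation:
    device: str
    category: str   # "device", "os", "software", "ports" or "patches"
    kind: str       # "added", "removed" or "changed"
    item: str
    detail: str = ""


# Constructed baseline and current snapshot for one field device.
BASELINE = {
    "rtu-01": {
        "os": "vendor-os 3.2",
        "software": {"hmi-agent": "4.1", "ssh-server": "8.9"},
        "ports": {"tcp/22", "tcp/502"},
        "patches": {"patch-2024-001", "patch-2024-002"},
    }
}
CURRENT = {
    "rtu-01": {
        "os": "vendor-os 3.2",
        "software": {"hmi-agent": "4.2", "ssh-server": "8.9"},
        "ports": {"tcp/22", "tcp/502", "tcp/23"},
        "patches": {"patch-2024-001", "patch-2024-002", "patch-2024-003"},
    }
}
# Constructed change records: each one authorizes exactly one deviation.
APPROVED_CHANGES = [
    {"device": "rtu-01", "category": "software", "item": "hmi-agent", "detail": "4.1 -> 4.2"},
    {"device": "rtu-01", "category": "patches", "item": "patch-2024-003"},
]


def compare_device(device, base, cur):
    """Every difference between a device's baseline and its current state."""
    out = []
    if base["os"] != cur["os"]:
        out.append(Deviation(device, "os", "changed", "os", f"{base['os']} -> {cur['os']}"))
    # Software: versioned, so a third kind ("changed") is possible.
    for name in sorted(set(base["software"]) | set(cur["software"])):
        b, c = base["software"].get(name), cur["software"].get(name)
        if c is None:
            out.append(Deviation(device, "software", "removed", name, b))
        elif b is None:
            out.append(Deviation(device, "software", "added", name, c))
        elif b != c:
            out.append(Deviation(device, "software", "changed", name, f"{b} -> {c}"))
    # Ports and patches: plain set membership in both directions.
    for category in ("ports", "patches"):
        for item in sorted(cur[category] - base[category]):
            out.append(Deviation(device, category, "added", item))
        for item in sorted(base[category] - cur[category]):
            out.append(Deviation(device, category, "removed", item))
    return out


def unauthorized_changes(deviations, approved):
    """Deviations with no matching approved change record."""
    def covered(d):
        return any(r["device"] == d.device and r["category"] == d.category
                   and r["item"] == d.item and r.get("detail", d.detail) == d.detail
                   for r in approved)
    return [d for d in deviations if not covered(d)]


def audit(baseline, current, approved):
    """Return (all deviations, unauthorized deviations) across every device."""
    deviations = []
    for device in sorted(set(baseline) | set(current)):
        if device not in current:
            deviations.append(Deviation(device, "device", "removed", device))
        elif device not in baseline:
            deviations.append(Deviation(device, "device", "added", device))
        else:
            deviations.extend(compare_device(device, baseline[device], current[device]))
    return deviations, unauthorized_changes(deviations, approved)


if __name__ == "__main__":
    _, bad = audit(BASELINE, CURRENT, APPROVED_CHANGES)
    for d in bad:
        print(f"UNAUTHORIZED {d.device} {d.category} {d.kind} {d.item} {d.detail}".rstrip())
```

In the constructed data the agent upgrade and the new patch both have change records, so the only finding is the newly listening tcp/23, which nobody approved. Removals are reported as well as additions, because a patch or a hardening service that silently disappears is as much a baseline deviation as something new that shows up.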
Information Protection (CIP-011-2)
This standard is quite simple. It is in place to make sure that the information contained within your cybersecurity system cannot be leaked. Leaked company information can compromise your system or even cause instability.
Physical Security (CIP-014-2)
This standard asks for the identification of transmission stations and substations. Not only is the identification of those stations important, but their protection is as well. If these stations are rendered beyond repair by a physical attack, it could result in instability within your cybersecurity system.
With the constant developments and advancements in technology today, it is important to keep up your defensive lines. Your company’s confidential information should be protected by the best standards available.
Though with larger companies it can be difficult to acquire all of the necessary resources to maintain the standards listed.