Access to a stable power source is a central component of our daily lives in the modern United States. Power generation, transmission, and delivery has been designated critical infrastructure in the United States, and as such is subject to heightened regulatory scrutiny and security requirements.
One of the most important regulatory bodies ensuring the security of our critical power infrastructure is the North American Electric Reliability Corporation (NERC). NERC is a not-for-profit corporation that has been granted regulatory authority over the bulk power delivery system in the United States. Maintaining compliance with NERC regulatory standards is an ongoing requirement for entities that fall within the scope of the bulk power system. In this article, we’ll break down what NERC is, what NERC does, and outline how entities within the bulk power system can achieve Nerc compliance through a Nerc compliance program.
What is NERC?
The North American Electric Reliability Corporation (formerly the North American Electric Reliability Council) was created in 1968 as an organization that promoted voluntary compliance with rules designed to enhance the stability and security of the bulk power system in North America. Compliance with NERC standards and rules remained voluntary until mid-2006. The role of NERC changed substantially with the enactment of the Energy Policy Act of 2005.
The Energy Policy Act of 2005 tasked the Federal Energy Regulatory Commission (FERC) with designating an independent oversight body as an Electric Reliability Organization (ERO). On July 20th 2006, NERC was designated as the ERO for the United States. As of June 18, 2007 compliance with NERC Reliability Standards became mandatory and legally enforceable.
While NERC was created in the United States, NERC itself is an international regulatory entity. The bulk of oversight provided by NERC covers the United States, but portions of bulk power systems in Canada and Mexico are also under the purview of NERC. NERC is subject to oversight authority by both FERC and Canadian governmental authorities. Integration of bulk power systems between the United States, Mexico, and Canada necessitate treating security as an issue affecting North America as a whole.
Due to the crucial role that power generation, transmission, and delivery play in both an economic and national security context, the scope of NERC’s oversight and regulatory capacity extends beyond the borders of the United States.
The designation of NERC as an ERO with regulatory oversight of the bulk power system followed the largest power blackout in the history of the United States. In 2003, a blackout hit the Northeastern United States and parts of Canada affecting nearly 50 million people. This massive blackout resulted in 11 deaths and approximately $6 billion dollars in economic damage. Ultimately, the cause of the blackout was determined to be a downed tree, combined with a failing alarm system, which led to a cascade of failures throughout the power grid in the region. This event highlighted both the vulnerabilities of the power grid and the need for mandatory regulatory compliance monitoring for power delivery providers.
What Are NERC Reliability Standards?
There are 14 NERC standards to be aware of. NERC assesses the reliability of the bulk-power system in two ways; adequacy and operating reliability. First, NERC seeks to ensure that the bulk-power system functions adequately. This means that NERC assesses whether the bulk-power system can provide adequate power to meet demand. In order to ensure adequacy, operators of bulk-power systems must take appropriate steps to moderate supply and demand for their area to provide adequate service. System operators may need to rely on voltage reductions (brownouts), rolling blackouts, or planned service interruptions to do so. The key for adequacy is system operators exercising appropriate levels of control over their part of the grid.
The second component of how NERC defines reliability is through oversight of operating reliability. This aspect covers any system disturbance that results in the unplanned interruption of power to customers. Here, NERC differentiates between localized disruptions, which are considered to be an interruption or disturbance, and disruptions that affect a larger area, which are known as cascading blackouts.
In order to ensure that bulk-power systems are adequately hardened against uncontrolled or unforeseen outages, NERC publishes regulations known as Reliability Standards. NERC Reliability Standards are provided by region. The NERC Reliability Standards for the United States can be found here.
The NERC Reliability Standards cover a wide range of operational components for bulk-power systems operators, including Critical Infrastructure Protection (CIP), Emergency Preparedness and Operations (EOP), Facilities Design, Connections, and Maintenance (FAC), and Protection and Control (PRC). In total there are 14 separate categories of NERC Reliability Standards that bulk-power systems operators must comply with.
NERC CIP Standards
All of the categories of NERC Reliability Standards provide the framework for implementing important safeguards that protect the bulk-power delivery system. Of these, one of the most crucial Standards are set forth in the NERC Critical Infrastructure Protection. NERC CIP Standards regulate how bulk-power systems prepare for cyber and physical threats that can affect the reliability of the bulk-power system.
There are 11 current CIP Standards that are legally enforceable. Understanding these is essential for achieving nerc cip compliance. The complete list of NERC CIP Standards can be found here. In order to provide a better understanding of the scope of the NERC CIP Standards, we’ll give a brief overview of what each of the 11 CIP Standards cover.
This overview can serve as an introduction to a nerc cip compliance checklist. This will also give bulk-power system operators an idea of the compliance requirements set forth by the NERC CIP standards. The extent of regulatory requirements set forth in the NERC CIP highlights the importance of consulting with a third-party security assessor to ensure that compliance has been achieved and maintained through cyber security solutions.
CIP-002-5.1a – BES Cyber System Categorization
The first CIP Standard, BES Cyber System Categorization, is provided to outline who is covered by the CIP Standards and ensure that they appropriately categorize bulk-power system components according to how detrimentally the failure of a component or asset would affect the bulk-power system.
“BES” refers to Bulk-Electrical System, which consists of Elements and Facilities necessary for the reliable operation of the bulk-power system. CIP-002 sets forth requirements for “functional entities”, or those entities covered by the scope of CIP Standards, to categorize key cyber components and assets of their system in order ensure that they are appropriately protected according to regulatory requirements. The current BES Cyber System Categorization can be found here.
CIP-003-6 – Security Management Controls
The CIP-003 provides security management controls that ensure appropriate cybersecurity controls are in place to protect Bulk-Electrical Systems operations. This CIP Standard builds on the BES Cyber System Categorization, where each cyber asset or component is categorized as either a high, medium, or low-impact component according to their importance to the bulk-power system as a whole.
The CIP-003 functions together with the other CIP Standards. Each functional entity must attain approval every 15 months for cyber security policies that are set forth in other CIP Standards. For example, each functional entity must attain regular approval for the physical security of BES Cyber Systems set forth in CIP-006. Similarly, the implementation of each CIP Standard must be verified and approved on an ongoing basis.
CIP-004-6 Personnel & Training
The CIP-004 sets forth requirements for the ongoing training of personnel that work for, or have access to, the cyber systems of functional entities. Human assets are one of the core strengths of critical infrastructure systems, yet remain an ongoing area of risk for cyber threats. The CIP-004 outlines training and education requirements for personnel to ensure that cyber systems within the bulk-power system are adequately protected.
The CIP-004 contains a number of requirements for functional entities. Functional entities must conduct criminal background checks on employees in order to provide an adequate risk assessment. Training for personnel of covered entities must cover a wide variety of cybersecurity topics, including a review of cybersecurity policies, incident response plans, physical and electronic access controls, and the handling of cyber system information.
Each Nerc compliance program requirement also has measures in place that verify that the required action has been taken. For example, Table R5 governs Access Revocation. The requirement is that a process must be in place to revoke access to cyber systems for individuals, such as in the case of termination. This access must be revoked within 24 hours according to the CIP-004 Standards.
In order to demonstrate compliance with this requirement of NERC CIP, the functional entity must have dated logs or workflows showing that access has been revoked, or must be able to produce logs showing that the individual no longer has access to cyber systems.
CIP-005-5 Electronic Security Perimeter(s)
The CIP-005 requirements set forth guidelines for the implementation of an electronic security perimeter to guard against cyber threats and external intrusion. This includes requirements that all cyber assets must be connected within an electronic security perimeter, all external connections must travel through an approved electronic access point, access permissions must be implemented and enforced, and systems must be in place to detect malicious communications.
Additionally encryption requirements for remote access must be in place, and multi-factor authentication must be used. The CIP-005 also outlines requirements for dial-up connections. Establishing an electronic security perimeter is essential to securing bulk-power assets, particularly with the rise in external cyber threats to the power grid.
CIP-006-6 Physical Security of BES Cyber Systems
The CIP-006 sets forth requirements for the physical protection of the cyber assets of the bulk-power system. The requirements include policies meant to restrict access to physical assets, implement physical access controls, monitor unauthorized access, implement an alert system, continually monitor physical access controls, keep extensive logs of physical access, and maintain the physical access control systems over time.
CIP-007-6 System Security Management
The CIP-007 outlines operational, technical, and procedural requirements for all entities covered by NERC regulations. In particular, CIP-007 covers things like how input and output ports are configured and can be accessed, the implementation of a patch management system, the use of malicious code detection software, and a variety of password requirements. The requirements embedded in CIP-007 represent industry recognized best-practices for system security management.
CIP-008-5 Incident Reporting and Response Planning
CIP-008 outlines incident response and reporting requirements for NERC compliance. Adequate incident reporting and response is a crucial component of any comprehensive cybersecurity strategy. Notable components of the CIP-008 are the requirement to conduct incident response tests once every 15 months, as well as the requirement to report any cybersecurity incidents to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC). Compliance with the requirements of CIP-008 necessitate a positive organizational posture toward cybersecurity threat assessment and incident response.
CIP-009 Recovery Plans for BES Cyber Systems
The CIP-009 outlines requirements for the backup, storage, and recovery of cyber systems and assets within the bulk-power system. The CIP-009 requirements represent industry recognized best-practices for creating a recovery plan that emphasizes redundancy, resilience, and minimal system downtime. Systems must be in place to preserve and restore data quickly and efficiently in the event of an incident.
CIP-010-2 Configuration Change Management and Vulnerability Assessments
Vulnerability assessments are an important component of any comprehensive cybersecurity strategy. As such, the CIP-010 sets forth requirements for functional entities for monitoring their cyber systems. Specifically, the CIP-010 requires organizations to create a baseline configuration for their systems, and then test systems at regular intervals to determine if they have deviated from the accepted baseline. Changes to the baseline configuration must be approved and documented, with regular security audits done to ensure compliance over time.
CIP-011-2 Information Protection
The CIP-011 requires organizations to put procedure into place that enable them to identify BES Cyber System Information. Once identified, this sensitive information must be adequately protected, stored, transmitted, and disposed of according to NERC requirements. Personnel must be adequately trained to identify BES Cyber System Information.
Functional entities are allowed to use their asset management system of choice, but must be able to demonstrate to NERC that they can identify BES Cyber System Information and take appropriate steps to meet the regulatory requirements of CIP-011.
CIP-014-2 Physical Security
The NERC CIP-014 outlines requirements for functional entities to protect the physical security of their facilities and control centers. This includes requirements for risk assessments from an external organization, and a comprehensive incident response plan and associated training.
Concluding Thoughts
As is clear by this brief NERC CIP checklist, the regulations that bulk-power system entities must comply with is extensive. Achieving and maintaining compliance with NERC guidelines is mandatory, legally enforceable, and required to protect this critical component of infrastructure.
Pending regulatory changes to NERC CIP are awaiting approval, making NERC CIP compliance an ongoing effort for bulk-power system entities. Additionally, as new technologies and components are added to the bulk-power system, covered entities must be equipped to identify and protect cyber assets according to CIP regulatory requirements. For this reason, most companies turn to professionals to ensure that their cyber security solutions are in good hands.
