RSI Security

NERC CIP Standards: What You Need To Know

Although usually taken for granted, Critical Infrastructure connects east to west, north to south, and ensures businesses and homes can operate on a daily basis. With the news reports of hurricanes, mudslides, and fires, it’s easy to think that natural disasters are the main threat against such infrastructure. However, cyber attacks increasingly threaten the functionality of Critical Infrastructure. Even in the cybersecurity world, the top priority tends to lean toward information security. To draw more attention to the vulnerabilities of Critical Infrastructure and to improve industry cyber security standards, the North American Electric Reliability Corporation (NERC) formulated a Critical Infrastructure Protection (CIP) plan. The NERC-CIP standards work to improve the security and infrastructure protection of North America’s bulk power system by protecting both physical and cyber assets.

NERC CIP Background Check

NERC emerged in 1968 to provide standards for the Critical Infrastructure industry and eventually morphed into a joint effort between Canada and the U.S. The initial push for such oversight stemmed from the 1965 power outage that hit the U.S. and Canada, causing 30 million people to lose power.

The sudden realization that one tripped transmission line could impact so many people spurred the creation of the first industry standards. However, since NERC’s inception, the rise of computers and electronic mechanisms utilized in Critical Infrastructure operations has increased significantly. Consequently, NERC formulated the CIP guidelines, specifically focused on the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System (BES) in North America. NERC also expanded its tasks and now conducts CIP audits and event analysis.

To understand the implication of these standards, it’s important to fully grasp the breadth of the Critical Infrastructure industry. The Department of Homeland Security (DHS) classifies 14 sectors as Critical Infrastructure:  Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors/Materials/Waste, Transportation, and Water/Wastewater Systems. The NERC CIP reliability standards of today have a much broader scope and address numerous threat scenarios — from internal vulnerabilities to sabotage to terrorism.


NERC-CIP Standards Overview

In their entirety, NERC standards protect Bulk Power Systems, Critical Assets, Cyber Assets supporting Critical Assets, and Critical Cyber Security Assets. However, CIP narrows down NERC’s broad scope and focuses efforts solely on Cybersecurity Assets. CIP standards have gone through numerous versions, as each update seeks to address new technological advances or best practices. Since the first CIP version (V1) which went into effect in 2008, CIP has progressed and is now on V5. While past versions addressed Critical Assets definitions, annual review processes, and visitor security measures, V5 targeted communication devices.

The current version outlines 14 standards (CIP-001 through CIP-014). Each reliability standard goes into great depth (i.e., definition, applicability, compliance) and attempts to address as many potential security threats as possible. To make the information a bit more digestible, the points below summarize the overall goal of each standard, some examples, and the departments to which the standard is applicable (as listed in CIP’s guidelines, although the categories cover broad swaths of employees).


1. Reporting (CIP-001)

CIP standards require that all disturbances or unusual occurrences be reported to management, government, or another applicable regulatory body. In particular, this guideline focuses on sabotage. Every infrastructure entity must have a system in place for reporting or investigating potential sabotage situations (e.g., insider threat). Furthermore, employees must be well-informed as to how these systems work.

Who does this affect? – Reliability coordinators, balancing authorities, transmission operators, generator operators, load serving entities.


2. Identification (CIP-002)

CIP-002 addresses the identification of Critical Cyber Assets. As mentioned above, the goal is to protect Bulk Electric Systems (BES) by strengthening underlying technological security. Identification is arguably one of the most important standards, since the assets identified here define the scope of many of the subsequent CIP standards. CIP recommends utilizing risk-based assessment methods to determine which assets fall under the Critical Cyber Assets categorization. For example, an entity may identify BES facilities and their relative impact (i.e., high, medium, low), outline which systems are vulnerable or utilize programmable communication methods, and then link those systems with the BES facilities.

Who does this affect? – Reliability Coordinator, Balancing Authority, Interchange Authority, Transmission Service Provider, Transmission Owner/Operator, Generator Owner/Operator, Load Serving Entity, NERC, Regional Reliability Organizations.

3. Controls (CIP-003)

CIP requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets. Controls must include: emergency procedures, accessibility (to procedure guidelines), a frequent review process (minimum yearly basis), a manager, documentation of changes, information protection policies, limited access (designating personnel), and a clear cyber security policy. A first step would be to designate a CIP Manager who will act as the liaison both internally, between departments, and externally, with audit committees, as well as help formulate a future NERC-CIP compliance plan.

Who does this affect? – Reliability Coordinator, Balancing Authority, Interchange Authority, Transmission Service Provider, Transmission Owner/Operator, Generator Owner/Operator, Load Serving Entity, NERC, Regional Reliability Organizations.


4. Personnel & Training (CIP-004)

As its name alludes, this standard requires that all personnel or persons on the premises receive a security designation (e.g., authorized unescorted physical access). It is important to know who possesses physical or electronic access at any given moment as it provides clarity for the auditing process and improved efficiency when conducting investigation after a breach. Entities should also conduct thorough background checks on all potential employees as well as reviews of current employee activity.

Who does this affect? – Reliability Coordinator, Balancing Authority, Interchange Authority, Transmission Service Provider, Transmission Owner/Operator, Generator Owner/Operator, Load Serving Entity, NERC, Regional Reliability Organizations.


5. Electronic Security Perimeter(s) (ESP) (CIP-005)

Entities must implement firewalls to protect electronic perimeters behind which all Critical Cyber Assets will reside. Furthermore, entities must identify and assess access points. NERC requires thorough documentation of this process, including the identification of access points and all electronic systems monitoring access (e.g., requests, grants, alerts). NERC further provides example cases to help entities transition to CIP compliance. Lastly, under this standard, enterprises must complete, at a minimum, a yearly Cyber Vulnerability Assessment.

Who does this affect? – Reliability Coordinator, Balancing Authority, Interchange Authority, Transmission Service Provider, Transmission Owner/Operator, Generator Owner/Operator, Load Serving Entity, NERC, Regional Reliability Organizations.
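The access-point documentation described above is easiest to audit when the firewall rule base itself is checked against the register of documented access points and justified permissions. The following is an added example (not code from the article, RSI Security, or NERC) of such a review in Python: a constructed register of Electronic Access Points and authorized access, a constructed vendor-neutral rendering of one access point's inbound rules, and a check that every permit is specific, tied to a documented access point, and carries a documented reason, with the rule base closing in an explicit default deny. All hostnames, zone names, and rule contents are invented for the example.

```python
from typing import Dict, List, Tuple

# Constructed inventory of documented Electronic Access Points (EAPs) on the ESP.
ACCESS_POINTS = {"fw-sub01-eap1"}

# Constructed register of authorized inbound access, keyed by
# (access point, source, destination, service) with the documented reason.
AUTHORIZED_ACCESS: Dict[Tuple[str, str, str, str], str] = {
    ("fw-sub01-eap1", "control-center", "rtu-substation-01", "20000/tcp"): "SCADA polling (DNP3)",
    ("fw-sub01-eap1", "jump-host", "rtu-substation-01", "22/tcp"): "engineering access via intermediate system",
}

# Constructed, vendor-neutral rendering of the access point's inbound rules,
# listed in evaluation order. Rule 2 is deliberately broader than the register.
RULES = [
    {"ap": "fw-sub01-eap1", "src": "control-center", "dst": "rtu-substation-01", "svc": "20000/tcp", "action": "permit"},
    {"ap": "fw-sub01-eap1", "src": "jump-host",      "dst": "rtu-substation-01", "svc": "22/tcp",    "action": "permit"},
    {"ap": "fw-sub01-eap1", "src": "any",            "dst": "rtu-substation-01", "svc": "23/tcp",    "action": "permit"},
    {"ap": "fw-sub01-eap1", "src": "any",            "dst": "any",               "svc": "any",       "action": "deny"},
]


def review_ruleset(rules: List[dict], access_points: set, authorized: dict) -> List[str]:
    """Return one finding per problem; an empty list means the rule base passes the review."""
    findings: List[str] = []
    for i, rule in enumerate(rules):
        # Every rule must belong to an access point the entity has documented.
        if rule["ap"] not in access_points:
            findings.append(f"rule {i}: access point {rule['ap']!r} is not a documented EAP")
        if rule["action"] != "permit":
            continue
        # A permit must name a specific source and service, not a wildcard.
        if "any" in (rule["src"], rule["svc"]):
            findings.append(f"rule {i}: permit with 'any' source or service is not a specific access permission")
        # A permit must correspond to a documented, justified access permission.
        key = (rule["ap"], rule["src"], rule["dst"], rule["svc"])
        if key not in authorized:
            findings.append(f"rule {i}: permit {rule['src']} -> {rule['dst']} {rule['svc']} has no documented justification")
    # The rule base must end with an explicit deny of everything not listed above.
    last = rules[-1] if rules else None
    if (last is None or last["action"] != "deny"
            or (last["src"], last["dst"], last["svc"]) != ("any", "any", "any")):
        findings.append("ruleset does not end with an explicit default deny")
    return findings


if __name__ == "__main__":
    for finding in review_ruleset(RULES, ACCESS_POINTS, AUTHORIZED_ACCESS):
        print(finding)
```

Run as-is, the review flags rule 2 twice (wildcard source, no documented justification) and nothing else; dropping that rule yields an empty finding list, and dropping the trailing deny produces the default-deny finding. The same structure works for an outbound rule base, since the check only depends on the rule fields, not on direction.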


6. Physical Security Perimeter(s) (PSP) (CIP-006)

Physical access requirements encompass log activity, entry/exit monitoring, monitoring unauthorized visitors, and alarm systems. For example, entities should note the following in a PSP report: key card access (i.e., where it is used/not used), lock types, security personnel, computerized/video/manual logging (e.g., security cameras, guest sign-in), maintenance logs/testing, and other relevant devices. Moreover, all ESP Critical Assets must be within the PSP. NERC-CIP recommends establishing a 6-wall PSP and, for those cases where that is not possible, other precautions must be implemented and documented. All such considerations must be shaped around protecting BES Cyber Assets.

Who does this affect? – Reliability Coordinator, Balancing Authority, Interchange Authority, Transmission Service Provider, Transmission Owner/Operator, Generator Owner/Operator, Load Serving Entity, NERC, Regional Reliability Organizations.


7. Systems Security Management (CIP-007)  

This standard refers to the general upkeep, testing, and review of all systems. Vigilant monitoring of logical network ports/services, firmware, detection programs, antivirus/malware, and passwords (along with detailed documentation) will satisfy the parameters of this requirement.

Who does this affect? – Reliability Coordinator, Balancing Authority, Interchange Authority, Transmission Service Provider, Transmission Owner/Operator, Generator Owner/Operator, Load Serving Entity, NERC, Regional Reliability Organizations.


8. Incident Response/Response Planning (CIP-008)

Compliant entities must formulate an incident response plan. At a minimum, plans must detail procedures to classify events, outline roles/tasks of employees in the event of a breach (e.g., reporter, manager, etc.), designate a chain of communication, perform a yearly review/update process, and implement a testing method. The overall goal is to outline, test, and revise response plans, so in the event of an attack, all such methods will run smoothly and mitigate the damage.  

Who does this affect? – Reliability Coordinator, Balancing Authority, Interchange Authority, Transmission Service Provider, Transmission Owner/Operator, Generator Owner/Operator, Load Serving Entity, NERC, Regional Reliability Organizations.

9. Recovery Plans (CIP-009)

Entities must, on an annual basis, write, review, and update a disaster recovery plan. Specifications should include: what defines a “disaster” and the extent of damage, responders’ responsibilities, and backup systems and procedures (e.g., storage, data, and configuration). All such backup systems must also be tested on an annual basis.

Who does this affect? – Reliability Coordinator, Balancing Authority, Interchange Authority, Transmission Service Provider, Transmission Owner/Operator, Generator Owner/Operator, Load Serving Entity, NERC, Regional Reliability Organizations.


10. Configuration Change Management and Vulnerability (CIP-010)

Standard 10 seeks to avoid any unauthorized changes to systems, whether it be an infected system update or a change in vulnerability risk-based assessment requirements. Any changes must be documented to prevent doubt as to the nature of the change or upgrade. Consequently, it is important to always have a baseline configuration.

Who does this affect? – Balancing Authority, Distribution Provider, Generator Operator/Owner, Interchange Coordinator/Authority, Reliability Coordinator, Transmission Owner/Operator
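The ports/services and firmware monitoring under CIP-007 and the baseline configuration under CIP-010 come together in one routine check: compare a fresh inventory of an asset against its stored baseline and match every deviation to an authorized change record, so that an undocumented change is surfaced rather than silently absorbed into the next baseline. The following is an added example in Python (not code from the article, RSI Security, or NERC). The baseline field names, the hostname, versions, patch identifiers, and change-ticket numbers are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fields recorded in the baseline for one BES Cyber Asset (an assumption for
# this example, not NERC's wording): OS, firmware, installed software with
# versions, listening ports/services, and applied patches.
BASELINE_FIELDS = ("os", "firmware", "software", "ports", "patches")

# Constructed baseline for one asset.
BASELINE = {
    "host": "rtu-substation-01",
    "os": "VendorOS 4.2",
    "firmware": "1.8.3",
    "software": {"historian-agent": "2.1.0", "sshd": "8.4"},
    "ports": {"22/tcp": "sshd", "20000/tcp": "dnp3"},
    "patches": {"VOS-2023-001", "VOS-2023-004"},
}

# Constructed snapshot, as an inventory job would collect it today.
CURRENT = {
    "host": "rtu-substation-01",
    "os": "VendorOS 4.2",
    "firmware": "1.8.4",
    "software": {"historian-agent": "2.1.0", "sshd": "8.4", "telnetd": "0.17"},
    "ports": {"22/tcp": "sshd", "23/tcp": "telnetd", "20000/tcp": "dnp3"},
    "patches": {"VOS-2023-001", "VOS-2023-004", "VOS-2023-007"},
}

# Constructed authorized change records: (ticket, field, key, before, after).
# Only the firmware upgrade and its patch were approved.
CHANGE_RECORDS = [
    ("CHG-1042", "firmware", None, "1.8.3", "1.8.4"),
    ("CHG-1042", "patches", "VOS-2023-007", None, "VOS-2023-007"),
]


@dataclass(frozen=True)
class Deviation:
    host: str
    field: str
    key: Optional[str]     # sub-item for dict/set fields, None for scalar fields
    before: Optional[str]  # None when the item did not exist in the baseline
    after: Optional[str]   # None when the item no longer exists


def diff_baseline(baseline: dict, current: dict) -> List[Deviation]:
    """Return every difference between the stored baseline and the current snapshot."""
    host = baseline["host"]
    devs: List[Deviation] = []
    for field in BASELINE_FIELDS:
        b, c = baseline[field], current[field]
        if isinstance(b, dict):
            # Versioned items: report additions, removals and version changes.
            for key in sorted(set(b) | set(c)):
                if b.get(key) != c.get(key):
                    devs.append(Deviation(host, field, key, b.get(key), c.get(key)))
        elif isinstance(b, set):
            # Unversioned items such as patch ids: symmetric difference.
            for key in sorted(b ^ c):
                devs.append(Deviation(host, field, key,
                                      key if key in b else None,
                                      key if key in c else None))
        elif b != c:
            devs.append(Deviation(host, field, None, b, c))
    return devs


def classify(deviations: List[Deviation], change_records: list) -> dict:
    """Split deviations into those covered by an authorized change record and those that are not."""
    index = {(f, k, b, a): ticket for ticket, f, k, b, a in change_records}
    authorized: List[Tuple[Deviation, str]] = []
    unauthorized: List[Deviation] = []
    for d in deviations:
        ticket = index.get((d.field, d.key, d.before, d.after))
        if ticket is None:
            unauthorized.append(d)
        else:
            authorized.append((d, ticket))
    return {"authorized": authorized, "unauthorized": unauthorized}


def report_lines(result: dict) -> List[str]:
    """Render the classification as one line per deviation for the change log."""
    lines = []
    for d, ticket in result["authorized"]:
        lines.append(f"OK   {d.host} {d.field}[{d.key}] {d.before} -> {d.after} ({ticket})")
    for d in result["unauthorized"]:
        lines.append(f"FLAG {d.host} {d.field}[{d.key}] {d.before} -> {d.after} (no change record)")
    return lines


if __name__ == "__main__":
    for line in report_lines(classify(diff_baseline(BASELINE, CURRENT), CHANGE_RECORDS)):
        print(line)
```

On the constructed data the firmware upgrade and its patch match ticket CHG-1042, while the new telnet service and its listening port have no change record and are flagged for investigation. The baseline is only updated after the flagged items are either approved and recorded or removed, which is what keeps the documented baseline trustworthy over time.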


11. Information Protection (CIP-011)

Entities must ensure that data in transit remains protected (e.g., encrypted) and is delivered only to those with the proper authorization (e.g., access codes). Updating access controls on a regular basis will help mitigate unauthorized access. Under this stipulation, entities must also dispose of sensitive data thoroughly.

Who does this affect? – Balancing Authority, Distribution Provider, Generator Operator/Owner, Interchange Coordinator/Authority, Reliability Coordinator, Transmission Owner/Operator


12. Communication (CIP-012)

To implement the above standards, entities must designate control centers and channels of communication. However, NERC highlights that any such channels (e.g., phones or computers) must be secured prior to transmitting valuable information over them.

Who does this affect? – Balancing Authority, Generator Operator/Owner, Reliability Coordinator, Transmission Owner/Operator


13. Supply Chain Risk Management (CIP-013)

This standard requires that all third parties involved (e.g., communication providers) be vetted, whether they provide a physical service or a cyber tool (e.g., software). In other words, whenever an entity contracts a third party for a task, it must clearly document the specific task, duration, and employees involved.

Who does this affect? – Balancing Authority, Generator Operator/Owner, Reliability Coordinator, Transmission Owner/Operator, Facilities (as designated by NERC-CIP)


14. Physical Security (CIP-014)

Last but not least, CIP specifies physical security measures to be used at facilities with Critical Cyber Assets. This standard overlaps with the PSP standard (Standard 6) but approaches the issue from a more macro level. Attack vectors must be assessed and facilities ranked by critical importance (rather than focusing on room-to-room security). Installing cameras, alarms, fencing, and barriers are recommended, as well as reviewing any third-party physical access.


NERC-CIP Compliance

NERC-CIP conducts spot check audits, periodic audits, and triggered investigation audits. Consequently, it is important for entities to practice self-assessment/self-certification on a regular basis. For NERC Spot Check Audits, an evaluation may occur at any time within 30 days of NERC’s initial notification. In contrast, NERC’s Periodic Audits occur less frequently, anywhere within a 3-year time span. Finally, NERC may conduct an Investigative Audit triggered by an inquiry or alert of wrongful practices; if this occurs, the entity in question may not be notified. Additionally, a few times every month, NERC publishes a Standards, Compliance, and Enforcement Bulletin, which highlights updates, analysis, and any new areas of concern regarding Critical Infrastructure.

In terms of enforcement, NERC has the power to issue directives and place sanctions on non-compliant entities. As the breadth of Critical Infrastructure is quite large, NERC relies on Regional Entities to enforce NERC-CIP standards. Specifically, Regional Entities are responsible for monitoring compliance of the registered entities within their regional boundaries, assuring mitigation of all violations of approved Reliability Standards and assessing penalties and sanctions for failure to comply. Furthermore, NERC ranks violations on a Violation Risk Factors scale, which separates risks from low to high, pairing the non-compliance consequences with the level of risk at a facility. If lapses in compliance are identified, entities are designated a time-span (which varies) to implement fixes, at the end of which they will be re-evaluated.


Need help?

As you can see, there are many benefits of being NERC-CIP compliant. The above summary by no means captures all nuances of NERC’s CIP standards; rather, it provides a brief summary for understanding how to begin NERC-CIP compliance. If you are unsure whether NERC-CIP cybersecurity solutions apply to you, or you need help improving your NERC-CIP compliance plan, contact RSI Security today.
