Home Compliance StandardsNERC CIP NERC vs. NIST: Choosing the Right Infrastructure Cybersecurity Framework
NERC CIPNIST 800-171 / DFARS

NERC vs. NIST: Choosing the Right Infrastructure Cybersecurity Framework

by RSI Security
written by RSI Security
Vciso

Cybersecurity implementation can be a long and complicated process if your organization hasn’t been built with security as a part of its design. This is why different committees, interest groups, governments, and cybersecurity professionals come together to develop robust cybersecurity frameworks and regulations.

Depending on the industry that your organization is part of, these frameworks and regulations may be known to you as CIS CSC, NIST, ENISA, ISO 27001 ect. With so many frameworks it is hard to know which is best suited to your organization’s needs. Although all frameworks have their merit, some pertain to either specific industries or requirements.

In this blog, we will take you through two frameworks widely used within the United States that pertain to overall cybersecurity infrastructures, NERC CIP and NIST, their differences, and which to implement.

 

NERC CIP and NIST

Before getting in the details of which framework works best for your organization, it is important to have a brief introduction to NERC CIP and NIST, and the industries they are important to.

 

NERC CIP

The North American Electric Reliability Corporation (NERC) is the organization responsible for the secure and reliable functioning of the electric grid of North America. It is the regulatory body for all users, owners, and operators of the Bulk Energy Supply (BES) system which feeds into the electric grid and is internationally recognised as such.

In this context North America includes not only the continental U.S.A. but also those jurisdictions which are interconnected with the U.S. notably; 8 provinces of Canada (Alberta, British Columbia, Manitoba, New Brunswick, Nova Scotia, Ontario, Quebec, and Saskatchewan) and the state of Baja California Norte in Mexico. The NERC Reliability Standards apply in all the above mentioned jurisdictions, and cover a wide range of risk management and compliance areas within the Bulk Power Supply (BPS) system.

 

NIST

The National Institute of Standards and Technology (NIST) is a federal agency and part of the U.S. Department of Commerce (DOC) and its main function is to develop standards and technology which improve the competitiveness of U.S. industry globally. Its mission is to promote and facilitate trade and improve the quality of life through innovation measurements and standards developed within its physical sciences laboratories and through its collaborative efforts with different interest groups.

 

NERC CIP VS NIST Cybersecurity Framework

With a general understanding of what each framework compromises, in this section, we will explore each framework in more detail and the underlying difference between the two.

 

Request a Consultation

 

NERC Critical Infrastructure Protection (CIP)

The NERC developed a set of mandatory standards as a minimum requirement for the security and protection of the BPS system. The Critical Infrastructure Protection (CIP) focuses primarily on Cyber Security requirements which are mandatory for all organizations under NERC’s regulatory control.  These requirements are regularly updated and currently comprise of 11 mandatory and enforceable Standards and a further 5 Standards pending approval. More details on each of the Standards can be found here.

 

11 Mandatory Standards:

 

Standard Identification Category Title
  • CIP-002-5.1a
 Cybersecurity BES Cyber System Categorization
  • CIP-003-8
 Cybersecurity Security Management Controls
  • CIP-004-6
 Cybersecurity Personnel & Training
  • CIP-005-5
 Cybersecurity Electronic Security Perimeters
  • CIP-006-6
 Cybersecurity Physical Security of BES Cyber Systems
  • CIP-007-6
 Cybersecurity System Security Management
  • CIP-008-5
 Cybersecurity Incident Reporting and Response Planning
  • CIP-009-6
 Cybersecurity Recovery Plans for BES Cyber Systems
  • CIP-010-2
 Cybersecurity Configuration Change Management and Vulnerability Assessments
  • CIP-011-2
 Cybersecurity Information Protection
  • CIP-014-2
 Physical Security (Inclusive of all physical security directives)

 

5 Pending and Subject to Enforcement:

 

Standard Identification Category Title
  • CIP-005-6
 Cybersecurity Electronic Security Perimeters
  • CIP-008-6
 Cybersecurity Incident Reporting and Response Planning
  • CIP-010-3
 Cybersecurity Configuration Change Management and Vulnerability Assessments
  • CIP-012-1
 Cybersecurity Communications Between Control Centers
  • CIP-013-1
 Cybersecurity Supply Chain Risk Management

 

NIST Cybersecurity Framework

The NIST Cybersecurity Framework was developed to help U.S. federal entities and critical infrastructure businesses to better understand the cybersecurity landscape and implement strategies against threats to the efficient and secure operation of their organizations. The Framework consists of a set of guidelines, rather than directives, which are designed to help organizations assess cybersecurity risks and to develop a customized approach.

The NIST Cybersecurity Framework is regularly updated through input from the user community and consists of three main components: the Implementation Tiers, the Framework Core, and Profiles.

Implementation Tiers (Lowest to Highest)

  1. Partial
  2. Risk Informed
  3. Repeatable
  4. Adaptive

 

Framework Core

The 5 Functions are the most well known aspects of the NIST Framework mainly due to the easily understood breakdown, listed in order of action. Each of the Functions has its corresponding categories which then break down into their respective sub-categories.

Identify

The Identify function is focussed on understanding the organization’s cybersecurity needs through a thorough assessment of the organization’s core areas of activity in order to identify critical assets and functions; there are 6 in all.

  1. Asset Management -The physical and software assets of the organization, specifically the data, hardware, systems, personnel and facilities crucial in achieving organizational  goals.
  2. Business Environment – The nature of the environment in which the organization operates, especially as it relates to the critical infrastructure sector and the supply chain function.
  3. Governance – The existing cybersecurity policies within the organization, along with their accompanying procedures and processes, should be aligned to the relevant legal and regulatory requirements. This will define and help manage the organization’s cybersecurity risk.
  4. Risk Assessment – The organization’s risk assessment must be based on an understanding of the cybersecurity threats to organizational operations, both internal and external.
  5. Risk Management Strategy – The organization’s risk management strategy should set out the priorities and constraints which will determine their tolerance to cybersecurity risk.
  6. Supply Chain Risk Management – The organization’s risk management strategy as it applies to the supply chain should define the priorities and constraints which inform the tolerance to risk. This will be used to help make informed decisions regarding the risk management of the supply chain.

 

Protect

The Protect function attempts to limit the impact of cybersecurity threats on the organizational  critical functions through the development and implementation of effective safeguards. The Protect function seeks to limit, contain, and otherwise negate the impact of a cybersecurity event through the protection of 6 key areas.

  1. Access Control – Protections must be in place through Identity Management and Access Control within the organization. This includes direct physical access and remote access to assets and associated facilities, which should be limited to authorized persons, entities, and activities only.
  2. Awareness and Training – An important aspect of the Protection function is the Awareness and Training element, which seeks to make staff and organizational partners cybersecurity aware by empowering them  through education and training, which should include role based and privileged user training.
  3. Data Security – Confidentiality, Integrity, and Availability (CIA) of information is a fundamental pillar of data security provision. Using the organization’s Risk Management Strategy, the Data Security protections should remain consistent with the overall cybersecurity approach agreed upon.
  4. Information Protection Processes and Procedures – Information Protection Processes and Procedures must be developed and implemented to maintain and manage the desired outcomes of the Security policies. These processes and procedures are the active elements that detail and coordinate the organization’s activities for the protection of its information systems and assets.
  5. Maintenance – The Maintenance function allows the organization to provide ongoing and regular support for the protection of organizational resources through the performance of both internal and external remote upgrading and repair of physical and non-physical components.
  6. Protective Technology -To remain consistent with organizational policies, any protective technologies used to improve security and systems resilience should be actively managed.

 

Detect

The Detect function outlines the methods which best apply for the detection of a cybersecurity event. This function also allows for the development of those activities which will be implemented to alert the organization of the occurrence of a cybersecurity event.

  1. Anomalies and Events – The quick and efficient detection of anomalous events with the concurrent ability to understand the potential impact of that event.
  2. Security Continuous Monitoring – The implementation of regular monitoring of the security system, both the  information network and physical assets to identify any cybersecurity threats and test the effectiveness of protective measures currently in place.
  3. Detection Processes – Detection processes and procedures must be continually maintained and updated to provide effective awareness of anomalous events.

 

Respond

Once a cybersecurity event is detected there must be appropriate activities with which the organization can respond. The Respond function requires these activities to be developed and then implemented to contain any impact arising from a cybersecurity incident.

  1. Response Planning – A Response Plan must be in place, and its process must be executed whilst a cybersecurity  incident is in progress and also afterwards.
  2. Communications – Response activities based on the Response Plan must be coordinated with all stakeholders as appropriate; this includes relevant federal and state law enforcement agencies.
  3. Analysis – Analysis of the event should be conducted both during the breach and after to determine the likely and actual impact on the organization. Recovery activities should also include digital forensic analysis and reporting on the effectiveness of the activities taken.
  4. Mitigation – Any Response Plan must also include activities which prevent the expansion, or worsening, of an event and to mitigate and resolve the incident.
  5. Improvements – Post-event analysis of the organization’s response activities should be incorporated as lessons learned from current and previous detection and response activities. An ongoing process of improvement through learning from previous incidents and their causes and impacts is desirable.

 

Recover

Once a cybersecurity incident has occurred, the organization must have a plan in place which identifies the appropriate activities for the restoration of lost or damaged services and capabilities, and the ongoing maintenance of the organization’s cyber-resilience. The process of recovery is outlined in 3 areas;

  1. Recovery Planning – The Recovery plan, with its processes and procedures must be followed to restore any systems and assets adversely affected by a cybersecurity incident.
  2. Improvements – The process of continual improvement through incorporating the lessons learned from analysis of previous  cybersecurity incidents must be implemented through the review and updating of pre-existing Response and Recovery strategies.
  3. Communications – All Communications with both internal and external stakeholders, including vendors and other third parties, must be coordinated from a central point authorized by the organization. Coordinated communications should be in place throughout the live incident and during the recovery phase  from a cybersecurity incident.

Profiles

The NIST Framework is designed to be flexible and adaptable to the individual needs of each organization and this is most clearly seen in the Framework Profiles which bring together the elements within the Framework Categories identified by the organization as their desired cybersecurity outcomes.

The organization’s Profile becomes the big picture implementation document which can be used for comparison between the current and desired state of cybersecurity within the organization. The Profile becomes a useful tool for inter-departmental communication and organizational self-assessments around cybersecurity matters.

Broadly presented as 3 areas of interplay, these are;

  • Business interests
  • Threat environment
  • Requirements and controls

By assessing the current state of the organization relative to these 3 areas, it becomes possible for a future or ‘target’ state to be defined and the implementation of an improvement plan.

 

NERC CIP compliance VS NIST Compliance

Owners, operators, and users of the Bulk Energy Supply (BES) system must become compliant with all the NERC Reliability Standards including the NERC CIP Standards and then remain compliant through active engagement with the CIP requirements.

These cybersecurity standards are becoming an increasingly important aspect within the NERC standards framework as the threat of cyber attacks to the efficient and reliable functioning of the BES becomes more evident. This was highlighted in a recent case where a penalty of $10 000 000 was imposed on an unnamed utility company for low quality compliance:

‘Critically, the utility had in place an internal compliance program at the time of the violations. However, NERC determined that the quality of the compliance program was deficient in facilitating compliance with the CIP standards. Moreover, NERC highlighted the both compliance history and a lack of management involvement in creating a culture of compliance as an aggravating factor for penalty purposes.’  Sidley Austin LLP 

The NIST Framework is a voluntary set of guidelines initially developed for federal departments which has been taken up by private businesses and organizations throughout the U.S. and  is internationally acknowledged as one of the world’s best cybersecurity frameworks. It has an active community of contributors whose main motivation is to continually improve the NIST framework which helps make the NIST Cybersecurity Framework one of the most up to date and relevant frameworks available.

NERC CIP NIST
Regulation or Framework Both Framework (Guidance)
Compulsion Mandatory Voluntary
Industry All Involved in BES (Bulk Electric System) Any private organization which wishes to join the framework
Penalties Yes, as it falls under regulation, failure to comply could result in legal/financial penalties No, it is a set of guidelines directed by the wider cyber community

 

Closing Remarks

Choosing the right framework can make a big difference to the ease of implementation and the effectiveness of the guidelines. It is important that the right framework is applied to the relevant industry.

Hopefully, now, you have a better understanding of the differences between the NERC CIP and NIST frameworks, and how they can fit your organization.

At RSI Security we have a wide range of cybersecurity services that can help you with compliance, such as the NERC CIP, book a consultation now to assess your cybersecurity needs!
 

Schedule a Free Consultation

 

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

What Does DFARS Stand For?

May 3, 2019

Overview of NIST 800-171 Revision 1

January 7, 2021

How to Prepare for CMMC and NIST Assessments

May 30, 2023

NERC CIP Vulnerability Assessment: A Comprehensive Guide

August 6, 2020

How and Why DoD Contractors Must Protect Covered...

November 23, 2021

NIST 800-171 Assessment Methodology Overview

May 11, 2021

Making the Most of Your Nist 800-171 Compliance...

January 15, 2021

What Is Threat and Vulnerability Management For NERC...

November 5, 2018

What Is The Patch Management Process For NERC...

November 5, 2018

What is the Relationship Between FISMA and NIST?

February 19, 2020

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More