RSI Security

NERC vs. NIST: Choosing the Right Infrastructure Cybersecurity Framework

Cybersecurity implementation can be a long and complicated process if your organization hasn’t been built with security as a part of its design. This is why different committees, interest groups, governments, and cybersecurity professionals come together to develop robust cybersecurity frameworks and regulations.

Depending on the industry your organization is part of, these frameworks and regulations may be known to you as the CIS Critical Security Controls (CIS CSC), NIST, ENISA, ISO 27001, etc. With so many frameworks it is hard to know which is best suited to your organization’s needs. Although all frameworks have their merit, some pertain to specific industries or requirements.

In this blog, we will take you through two frameworks widely used within the United States that address infrastructure cybersecurity, NERC CIP and the NIST Cybersecurity Framework: their differences, and which to implement.

 

NERC CIP and NIST

Before getting into the details of which framework works best for your organization, it is important to have a brief introduction to NERC CIP and NIST, and the industries they are important to.

 

NERC CIP

The North American Electric Reliability Corporation (NERC) is the not-for-profit Electric Reliability Organization (ERO) responsible for the security and reliability of the North American bulk power system. Its Reliability Standards are mandatory for all users, owners, and operators of the Bulk Electric System (BES), the generation and high-voltage transmission facilities that feed the grid, and NERC is internationally recognized in that role.

In this context, North America includes not only the continental U.S.A. but also the jurisdictions interconnected with the U.S., notably eight provinces of Canada (Alberta, British Columbia, Manitoba, New Brunswick, Nova Scotia, Ontario, Quebec, and Saskatchewan) and the state of Baja California in Mexico. The NERC Reliability Standards apply in all of these jurisdictions and cover a wide range of risk management and compliance areas within the Bulk Power System (BPS).

 

NIST

The National Institute of Standards and Technology (NIST) is a federal agency within the U.S. Department of Commerce (DOC) whose main function is to develop standards and technology that improve the competitiveness of U.S. industry globally. Its mission is to promote U.S. innovation and industrial competitiveness through measurement science, standards, and technology developed in its physical sciences laboratories and through collaboration with industry, academia, and government. In cybersecurity, NIST publishes the Cybersecurity Framework (CSF) discussed below as well as the Special Publication 800 series, including SP 800-53, the security and privacy control catalog used for U.S. federal systems.

 

NERC CIP VS NIST Cybersecurity Framework

With a general understanding of what each framework comprises, in this section we will explore each in more detail and the underlying differences between the two.

 

 

NERC Critical Infrastructure Protection (CIP)

NERC developed a set of mandatory standards as the minimum requirement for the security and protection of the BPS. The Critical Infrastructure Protection (CIP) Standards focus primarily on cybersecurity requirements, which are mandatory for all organizations under NERC’s regulatory control. These requirements are regularly updated; at the time of writing they comprise 11 mandatory and enforceable Standards and a further 5 Standards that have been approved but are subject to future enforcement. More detail on each Standard is published by NERC.

 

11 Mandatory Standards:

Standard     | Category          | Title
CIP-002-5.1a | Cybersecurity     | BES Cyber System Categorization
CIP-003-8    | Cybersecurity     | Security Management Controls
CIP-004-6    | Cybersecurity     | Personnel & Training
CIP-005-5    | Cybersecurity     | Electronic Security Perimeters
CIP-006-6    | Cybersecurity     | Physical Security of BES Cyber Systems
CIP-007-6    | Cybersecurity     | System Security Management
CIP-008-5    | Cybersecurity     | Incident Reporting and Response Planning
CIP-009-6    | Cybersecurity     | Recovery Plans for BES Cyber Systems
CIP-010-2    | Cybersecurity     | Configuration Change Management and Vulnerability Assessments
CIP-011-2    | Cybersecurity     | Information Protection
CIP-014-2    | Physical Security | Physical Security (inclusive of all physical security directives)

 

5 Approved and Subject to Future Enforcement:

Standard  | Category      | Title
CIP-005-6 | Cybersecurity | Electronic Security Perimeters
CIP-008-6 | Cybersecurity | Incident Reporting and Response Planning
CIP-010-3 | Cybersecurity | Configuration Change Management and Vulnerability Assessments
CIP-012-1 | Cybersecurity | Communications Between Control Centers
CIP-013-1 | Cybersecurity | Supply Chain Risk Management

 

NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) was developed in response to Executive Order 13636 (2013) to help critical infrastructure owners and operators, and any other organization that adopts it, better understand the cybersecurity landscape and implement strategies against threats to the efficient and secure operation of their organizations. The Framework consists of a set of guidelines, rather than directives, designed to help organizations assess cybersecurity risk and develop a customized approach to managing it.

The NIST Cybersecurity Framework is regularly updated through input from the user community and consists of three main components: the Implementation Tiers, the Framework Core, and Profiles.

Implementation Tiers (Lowest to Highest)

  1. Partial
  2. Risk Informed
  3. Repeatable
  4. Adaptive

 

Framework Core

The 5 Functions are the best-known aspect of the NIST Framework (version 1.1), mainly because of their easily understood breakdown, listed in order of action. Each Function has its corresponding Categories, which then break down into their respective Subcategories.

Identify

The Identify function is focused on understanding the organization’s cybersecurity needs through a thorough assessment of its core areas of activity, in order to identify critical assets and functions; it has 6 Categories.

  1. Asset Management – The physical and software assets of the organization, specifically the data, hardware, systems, personnel and facilities crucial in achieving organizational goals.
  2. Business Environment – The nature of the environment in which the organization operates, especially as it relates to the critical infrastructure sector and the supply chain function.
  3. Governance – The existing cybersecurity policies within the organization, along with their accompanying procedures and processes, should be aligned to the relevant legal and regulatory requirements. This will define and help manage the organization’s cybersecurity risk.
  4. Risk Assessment – The organization’s risk assessment must be based on an understanding of the cybersecurity threats to organizational operations, both internal and external.
  5. Risk Management Strategy – The organization’s risk management strategy should set out the priorities and constraints which will determine their tolerance to cybersecurity risk.
  6. Supply Chain Risk Management – The organization’s risk management strategy as it applies to the supply chain should define the priorities and constraints which inform the tolerance to risk. This will be used to help make informed decisions regarding the risk management of the supply chain.

 

Protect

The Protect function attempts to limit the impact of cybersecurity threats on the organization’s critical functions through the development and implementation of effective safeguards. It seeks to limit, contain, and otherwise negate the impact of a cybersecurity event through the protection of 6 key areas.

  1. Access Control – Protections must be in place through Identity Management and Access Control within the organization. This includes direct physical access and remote access to assets and associated facilities, which should be limited to authorized persons, entities, and activities only.
  2. Awareness and Training – An important aspect of the Protect function is the Awareness and Training element, which seeks to make staff and organizational partners cybersecurity aware by empowering them through education and training, which should include role-based and privileged-user training.
  3. Data Security – Confidentiality, Integrity, and Availability (CIA) of information is a fundamental pillar of data security provision. Using the organization’s Risk Management Strategy, the Data Security protections should remain consistent with the overall cybersecurity approach agreed upon.
  4. Information Protection Processes and Procedures – Information Protection Processes and Procedures must be developed and implemented to maintain and manage the desired outcomes of the Security policies. These processes and procedures are the active elements that detail and coordinate the organization’s activities for the protection of its information systems and assets.
  5. Maintenance – Maintenance and repair of industrial control and information system components, whether performed on site or remotely, must be carried out consistently with the organization’s policies and procedures, so that the ongoing support of organizational resources does not itself become an unmanaged path into them.
  6. Protective Technology – To remain consistent with organizational policies, any protective technologies used to improve security and system resilience should be actively managed.

 

Detect

The Detect function outlines the methods which best apply for the detection of a cybersecurity event. This function also allows for the development of those activities which will be implemented to alert the organization of the occurrence of a cybersecurity event.

  1. Anomalies and Events – The quick and efficient detection of anomalous events with the concurrent ability to understand the potential impact of that event.
  2. Security Continuous Monitoring – The implementation of regular monitoring of the security system, both the information network and physical assets, to identify any cybersecurity threats and test the effectiveness of protective measures currently in place.
  3. Detection Processes – Detection processes and procedures must be continually maintained and updated to provide effective awareness of anomalous events.

 

Respond

Once a cybersecurity event is detected there must be appropriate activities with which the organization can respond. The Respond function requires these activities to be developed and then implemented to contain any impact arising from a cybersecurity incident.

  1. Response Planning – A Response Plan must be in place, and its process must be executed while a cybersecurity incident is in progress and also afterwards.
  2. Communications – Response activities based on the Response Plan must be coordinated with all stakeholders as appropriate; this includes relevant federal and state law enforcement agencies.
  3. Analysis – Analysis of the event should be conducted both during the breach and after it to determine the likely and actual impact on the organization. Analysis activities should also include digital forensics and reporting on the effectiveness of the actions taken.
  4. Mitigation – Any Response Plan must also include activities which prevent the expansion, or worsening, of an event and to mitigate and resolve the incident.
  5. Improvements – Post-event analysis of the organization’s response activities should be incorporated as lessons learned from current and previous detection and response activities. An ongoing process of improvement through learning from previous incidents and their causes and impacts is desirable.

 

Recover

Once a cybersecurity incident has occurred, the organization must have a plan in place which identifies the appropriate activities for the restoration of lost or damaged services and capabilities, and the ongoing maintenance of the organization’s cyber-resilience. The process of recovery is outlined in 3 areas:

  1. Recovery Planning – The Recovery plan, with its processes and procedures must be followed to restore any systems and assets adversely affected by a cybersecurity incident.
  2. Improvements – The process of continual improvement through incorporating the lessons learned from analysis of previous cybersecurity incidents must be implemented through the review and updating of pre-existing Response and Recovery strategies.
  3. Communications – All communications with both internal and external stakeholders, including vendors and other third parties, must be coordinated from a central point authorized by the organization. Coordinated communications should be in place throughout the live incident and during the recovery phase from a cybersecurity incident.

Profiles

The NIST Framework is designed to be flexible and adaptable to the individual needs of each organization and this is most clearly seen in the Framework Profiles which bring together the elements within the Framework Categories identified by the organization as their desired cybersecurity outcomes.

The organization’s Profile becomes the big picture implementation document which can be used for comparison between the current and desired state of cybersecurity within the organization. The Profile becomes a useful tool for inter-departmental communication and organizational self-assessments around cybersecurity matters.

Broadly presented as 3 areas of interplay, these are:

By assessing the organization’s current state relative to these 3 areas (the Current Profile), it becomes possible to define a future or ‘target’ state (the Target Profile) and to implement a plan that closes the gap between the two.

 

NERC CIP compliance VS NIST Compliance

Owners, operators, and users of the Bulk Electric System (BES) must become compliant with all the NERC Reliability Standards, including the NERC CIP Standards, and then remain compliant through active engagement with the CIP requirements.

These cybersecurity standards are becoming an increasingly important aspect of the NERC standards framework as the threat that cyber attacks pose to the efficient and reliable functioning of the BES becomes more evident. This was highlighted in a recent case in which a penalty of $10,000,000 was imposed on an unnamed utility company whose compliance program NERC found deficient:

‘Critically, the utility had in place an internal compliance program at the time of the violations. However, NERC determined that the quality of the compliance program was deficient in facilitating compliance with the CIP standards. Moreover, NERC highlighted both the compliance history and a lack of management involvement in creating a culture of compliance as an aggravating factor for penalty purposes.’ Sidley Austin LLP

The NIST Framework is a voluntary set of guidelines, originally developed for critical infrastructure owners and operators under Executive Order 13636, which has been taken up by private businesses and organizations throughout the U.S. and is widely referenced internationally. It has an active community of contributors whose main motivation is to continually improve the Framework, which helps keep the NIST Cybersecurity Framework one of the most up-to-date and relevant frameworks available.

Criterion               | NERC CIP                                                                             | NIST CSF
Regulation or Framework | Both: a framework of standards enforced as regulation                                | Framework (guidance)
Compulsion              | Mandatory                                                                            | Voluntary
Industry                | All users, owners, and operators of the Bulk Electric System (BES)                   | Any organization that chooses to adopt it
Penalties               | Yes: as a regulation, failure to comply can result in legal and financial penalties  | No: it is a set of guidelines developed with the wider cybersecurity community
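The Current-versus-Target Profile comparison described under Profiles, and the overlap between CSF Categories and the mandatory CIP Standards in the tables above, can both be worked through in a short script. The following is an added example written for this article; it is not code from RSI Security, NIST, or NERC. It uses the Tier names and the Function and Category names listed earlier. Its CIP-to-CSF crosswalk is an illustrative assumption made for the example (each Standard is mapped to the single Category it most directly exercises, although the real Standards touch several), and the sample profiles are constructed data for a hypothetical BES operator, not assessment results.

```python
"""Added example (not from the article, NIST or NERC): CSF Profile gap analysis with a NERC CIP overlay."""
from dataclasses import dataclass

# Implementation Tiers, lowest to highest, as listed in the article (CSF 1.1).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Framework Core: Function -> Categories, in the order of action given in the article.
CORE = {
    "Identify": ("Asset Management", "Business Environment", "Governance",
                 "Risk Assessment", "Risk Management Strategy",
                 "Supply Chain Risk Management"),
    "Protect": ("Access Control", "Awareness and Training", "Data Security",
                "Information Protection Processes and Procedures",
                "Maintenance", "Protective Technology"),
    "Detect": ("Anomalies and Events", "Security Continuous Monitoring",
               "Detection Processes"),
    "Respond": ("Response Planning", "Communications", "Analysis",
                "Mitigation", "Improvements"),
    "Recover": ("Recovery Planning", "Improvements", "Communications"),
}

# ASSUMPTION for this example only: each mandatory CIP standard from the article is
# mapped to the single CSF category it most directly exercises. This is not an
# official NIST or NERC mapping; most of the standards touch several categories.
CIP_TO_CSF = {
    "CIP-002-5.1a": ("Identify", "Asset Management"),
    "CIP-003-8": ("Identify", "Governance"),
    "CIP-004-6": ("Protect", "Awareness and Training"),
    "CIP-005-5": ("Protect", "Access Control"),
    "CIP-006-6": ("Protect", "Access Control"),
    "CIP-007-6": ("Protect", "Protective Technology"),
    "CIP-008-5": ("Respond", "Response Planning"),
    "CIP-009-6": ("Recover", "Recovery Planning"),
    "CIP-010-2": ("Protect", "Information Protection Processes and Procedures"),
    "CIP-011-2": ("Protect", "Data Security"),
    "CIP-013-1": ("Identify", "Supply Chain Risk Management"),
}

@dataclass(frozen=True)
class Gap:
    function: str
    category: str
    current: int
    target: int
    cip_standards: tuple  # mandatory CIP standards that also rest on this category

    @property
    def size(self) -> int:
        return self.target - self.current

def validate_profile(profile: dict) -> None:
    """Reject unknown (Function, Category) keys and tiers outside 1..4."""
    for (function, category), tier in profile.items():
        if category not in CORE.get(function, ()):
            raise ValueError(f"unknown category: {function}/{category}")
        if tier not in TIERS:
            raise ValueError(f"tier must be one of {sorted(TIERS)}, got {tier!r}")

def gap_analysis(current: dict, target: dict) -> list:
    """Compare a Current Profile with a Target Profile ({(Function, Category): tier}).
    Absent categories count as Tier 1; gaps come back largest first, then in order of action."""
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for function, categories in CORE.items():
        for category in categories:
            key = (function, category)
            cur, tgt = current.get(key, 1), target.get(key, 1)
            if tgt > cur:
                cip = tuple(s for s, k in CIP_TO_CSF.items() if k == key)
                gaps.append(Gap(function, category, cur, tgt, cip))
    order = list(CORE)
    return sorted(gaps, key=lambda g: (-g.size, order.index(g.function)))

def regulated_gaps(gaps: list) -> list:
    """Gaps that, under the crosswalk above, also bear on a mandatory CIP standard."""
    return [g for g in gaps if g.cip_standards]

# Constructed sample profiles for a hypothetical BES operator (not real assessment data).
SAMPLE_CURRENT = {
    ("Identify", "Asset Management"): 3,
    ("Identify", "Supply Chain Risk Management"): 1,
    ("Protect", "Access Control"): 2,
    ("Detect", "Security Continuous Monitoring"): 2,
    ("Respond", "Response Planning"): 3,
    ("Recover", "Recovery Planning"): 2,
}
# Target: every assessed category at least Repeatable, and Access Control Adaptive.
SAMPLE_TARGET = {k: max(v, 3) for k, v in SAMPLE_CURRENT.items()}
SAMPLE_TARGET[("Protect", "Access Control")] = 4

if __name__ == "__main__":
    for g in gap_analysis(SAMPLE_CURRENT, SAMPLE_TARGET):
        flag = f"  [CIP: {', '.join(g.cip_standards)}]" if g.cip_standards else ""
        print(f"{g.function:8} {g.category:47} {TIERS[g.current]} -> {TIERS[g.target]}"
              f" (+{g.size}){flag}")
```

Run it directly to print the prioritized gap list. Rows flagged with CIP Standards are where a shortfall against the Target Profile is also a potential compliance exposure; for a registered BES entity those are the gaps to close first, while an organization that has adopted the CSF voluntarily would rank the same list purely by risk.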

 

Closing Remarks

Choosing the right framework can make a big difference to the ease of implementation and the effectiveness of the guidelines. It is important that the right framework is applied to the relevant industry.

Hopefully, now, you have a better understanding of the differences between the NERC CIP and NIST frameworks, and how they can fit your organization.

At RSI Security we have a wide range of cybersecurity services that can help you with compliance, such as the NERC CIP, book a consultation now to assess your cybersecurity needs!
 

 
