Cybersecurity has become a pressing concern for individuals, organizations, and governments all over the world. There are 16 critical infrastructure sectors in the United States that are vital to public life and on which a cybersecurity breach could have a devastating effect.
Given the damage that a breach in cyber critical infrastructure can cause, organizations are now looking at sophisticated cybersecurity standards to govern critical infrastructures and make them less susceptible to cyber threats.
Power plants, dams, and nuclear facilities are some of the critical infrastructures that need to be protected from hacks. Learn about the top cybersecurity standards and frameworks that are designed to secure bulk power plants and infrastructure.
What is NERC?
The North American Electric Reliability Corporation (NERC) is the umbrella organization whose mission is to ensure the reliability of the bulk power system (BPS). The organization, which was formed in 1968, develops standards, enforces compliance, and provides leadership for the power generation industry across the United States, Canada, and Mexico.
The 2003 Northeast blackout, which cut power to 50 million people and cost an estimated $6 billion across the United States and Canada, shows the importance of the regulatory standards set by NERC. It’s essential to commit money and expertise to ensure that governments and organizations adhere to acceptable cybersecurity standards across all critical infrastructure.
NERC CIP Reliability Standards Framework
Governments and organizations respond to threats that could disrupt the functioning of cyber critical infrastructure by leading the charge to ensure cyber threats are mitigated.
The NERC CIP (Critical Infrastructure Protection) standards are a holistic effort by NERC to develop, implement, and enforce acceptable standards for governing critical infrastructure; they apply to entities involved in the production and distribution of electric power.
Overview of NERC CIP Standards
The NERC CIP Standards provide a comprehensive approach to establishing cybersecurity infrastructure. Below are some of the NERC Standards:
Standard CIP-001 — Sabotage Reporting
Standard CIP-001 addresses unusual occurrences, whether suspected or confirmed sabotage, and ensures such occurrences are reported to qualified personnel and regulatory bodies. Personnel must follow the appropriate guidelines and report the incident to the relevant bodies.
Standard CIP-002 — BES Cyber System Categorization
This standard uses a risk-based assessment to identify which of an organization’s cyber assets are most critical to the safety and continuity of the bulk power system.
Some important steps followed under Standard CIP-002 are:
- Identify and evaluate any cyber asset that can impact the operations of critical assets.
- Organize your cyber assets according to their function.
- Decide which cyber assets are absolutely essential.
- Compile the cyber assets into a list that identifies which ones are essential.
Standard CIP-003 — Security Management Controls
This standard requires that all responsible parties create, review, and implement security policies for staff to be aware of and follow at all times. These requirements include:
- Review and approve all cybersecurity policies at least once every 15 months.
- Identify and implement a documented security plan for cyber assets.
- Ensure a compliance monitoring process is in place.
Standard CIP-004 — Personnel and Training
Standard CIP-004 requires that personnel who have access to cyber assets receive an appropriate level of personnel risk assessment, training, and security awareness.
This standard includes the following requirements:
- Security awareness programs to ensure personnel with cyber or physical access to critical infrastructure receive ongoing, up-to-date training on security practices.
- All personnel who have access to critical infrastructure receive training within ninety days of authorization.
- Personnel are required to undergo risk assessment within 30 days of authorization.
- Organizations are required to maintain a list of personnel with authorized access to cyber infrastructure.
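As an added example (not part of the original article), a small Python check that applies the CIP-004 time windows stated above to constructed personnel records and produces the list of personnel with authorized access that the standard requires; the record format and field names are assumptions.

```python
from datetime import date, timedelta

# Windows as stated in the CIP-004 summary above: training within 90 days of
# authorization, personnel risk assessment within 30 days of authorization.
WINDOWS = {"training": 90, "risk_assessment": 30}

# Constructed sample records (not real personnel data); None = not yet recorded.
SAMPLE_RECORDS = [
    {"person": "A. Operator", "authorized": "2024-01-10",
     "training": "2024-02-01", "risk_assessment": "2024-01-20"},
    {"person": "B. Engineer", "authorized": "2024-01-10",
     "training": "2024-05-15", "risk_assessment": "2024-01-25"},
    {"person": "C. Contractor", "authorized": "2024-03-01",
     "training": None, "risk_assessment": "2024-04-15"},
]

def _parse(value):
    return date.fromisoformat(value) if value else None

def _check_window(step, authorized, completed, window_days, today):
    """Return a finding if the step is late or overdue, else None."""
    deadline = authorized + timedelta(days=window_days)
    label = step.replace("_", " ")
    if completed is None:
        return f"{label} not recorded (due {deadline})" if today > deadline else None
    if completed > deadline:
        return f"{label} completed {(completed - deadline).days} days after the {window_days}-day window"
    return None

def audit_personnel(records, today):
    """Evaluate records against the CIP-004 windows as of `today` (ISO date).
    Returns (roster, findings): the list of personnel with authorized access,
    and a dict of findings keyed by person (absent = passed these checks)."""
    today = date.fromisoformat(today)
    roster, findings = [], {}
    for rec in records:
        roster.append(rec["person"])
        authorized = _parse(rec["authorized"])
        issues = []
        for step, days in WINDOWS.items():
            issue = _check_window(step, authorized, _parse(rec[step]), days, today)
            if issue:
                issues.append(issue)
        if issues:
            findings[rec["person"]] = issues
    return roster, findings

if __name__ == "__main__":
    roster, findings = audit_personnel(SAMPLE_RECORDS, "2024-06-01")
    print("Authorized access roster:", roster)
    for person, issues in findings.items():
        print(f"{person}: {'; '.join(issues)}")
```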
Standard CIP-005 — Electronic Security Perimeter(s)
The organization must protect its critical infrastructure by identifying and documenting the electronic security perimeter, within which reside all critical and noncritical cyber assets, as well as the access points to that perimeter.
This standard comes with requirements such as:
- Control of electronic access at all access points.
- Monitoring of access to the electronic security perimeter.
- Review, update, and maintain all documentation to comply with the electronic security perimeter standards.
Standard CIP-006 — Physical Security of BES Cyber-Systems
This standard advocates the use of physical barriers to prevent unauthorized personnel from accessing cyber critical infrastructure.
The standard ensures security measures for the protection of critical infrastructure. These security measures include:
- Round-the-clock management of physical access to the physical perimeters.
- Monitoring physical access at every access point to the physical perimeters.
- Organizations are required to log physical access 24 hours a day, documenting the identity of each individual and the time of access.
- Organizations are required to keep access logs for ninety days while logs associated with incidents shall be kept in accordance with NERC CIP standards.
- Maintenance and testing programs should be carried out to ascertain the proper functioning of all physical security systems.
Standard CIP-007 — System Security Management
Standard CIP-007 requires organizations to define methods and procedures for securing systems determined to be critical cyber assets and noncritical cyber assets.
The concerned organization must abide by the following requirements for both critical cyber assets and noncritical cyber assets:
- Ensure that new cyber assets within the electronic system perimeters do not adversely affect existing cybersecurity protocols.
- Establish a security management program for tracking, evaluating, and testing cyber assets within the electronic security perimeter.
- Use malware prevention tools to detect and prevent malicious software on all cyber assets within the electronic security perimeter.
- Implement and document procedures that enforce access identification and accountability to minimize the risk of unauthorized system access.
Standard CIP-008 — Incident Reporting and Response Planning
Standard CIP-008 ensures the identification, classification, and reporting of cybersecurity incidents related to critical cyber infrastructure. This standard requires organizations to have a defined response plan in the event of a breach of critical cyber infrastructure.
Standard CIP-009-6 Cyber Security — Recovery Plans for BES Cyber-Systems
Since there is no guarantee that a mishap will never occur, this standard ensures that organizations put in place recovery plans that allow for business continuity in the event of a cyber threat to critical infrastructure.
Many organizations that follow cybersecurity standards for critical infrastructure are able to secure their critical infrastructure with ease. Regardless of how complicated some of these standards may seem, you can apply them with the professional service of a cybersecurity expert.
RSI Security is a full-service cybersecurity assessor and advisory company helping entities meet security compliance needs. RSI Security has the experience, skills, and resources to help your organization identify and protect critical cyber assets by helping you meet NERC CIP compliance requirements.
Many organizations partner with us because of our wide range of NERC CIP services:
- System Security Management
- Patch Management
- Mock Audits
- Personnel and Training
Contact us today and let us help you execute a plan that ensures you meet all 45 NERC requirements and avoid a non-compliance status!