Flashback to August 14, 2003, when North America experienced its worst blackout to date, with more than 50 million people losing power in the Northeastern and Midwestern United States and parts of Canada. Less than 3 years prior to this massive blackout, the North American Electric Reliability Corporation (NERC) had been appointed as the electric utility industry's primary point of contact with the U.S. government for national security and critical infrastructure protection issues. After nearly eight (8) months of investigation into the record-breaking blackout, NERC concluded that future blackouts could be prevented by making Reliability Standards mandatory and enforceable through the U.S. federal government.
Fast forward to March 2007, when the Federal Energy Regulatory Commission (FERC) approved the first set of 83 mandatory NERC Reliability Standards that were legally enforceable for the U.S. Bulk-Power System (BPS). In the 11+ years since this list was formulated, the list of mandatory Reliability Standards has grown to 101, with 11 standards subject to future enforcement and 6 standards that have been filed and are currently pending regulatory approval. Although there are 14 unique categories to maintaining NERC compliance, this article focuses on maintaining NERC Critical Infrastructure Protection (CIP) compliance, for which there are currently 11 reliability standards. Read on to learn how bulk power system (BPS) organizations can comply with all NERC Reliability Standards, including those that pertain to their Critical Infrastructure Protection (CIP).
What is the NERC?
The North American Electric Reliability Corporation (NERC) is authorized by the Federal Energy Regulatory Commission (FERC) to ensure the dependability and consistency of the North American bulk power system (BPS). NERC plays a major role in establishing and enforcing reliability standards on this continent, as well as in training, educating, and certifying industry personnel, who are constantly being tasked with adopting new technologies on the job, through an education and compliance program. NERC also works to ensure that the BPS and its critical assets are protected from third-party tampering that could leave the BPS critically compromised by cyber attacks.
If an investigation is warranted within a BPS, NERC will step in to determine whether any reliability standards are being violated and, after enforcing penalties for non-compliance, work with the organization at fault to configure a solution. If a BPS entity chooses not to comply with NERC reliability standards, it could end up costing them up to $1,000,000 per day.
That's some major cheddar.
Therefore, it would behoove BPS organizations to comply with NERC reliability standards and to undergo a thorough inspection. Through compliance with the NERC reliability standards, utilities can develop programs that allow them to detect and correct risks that threaten their day-to-day operational reliability.
Of the 14 NERC standard categories enforced in the U.S., the one this article addresses is the set of standards related to Critical Infrastructure Protection (CIP). NERC-CIP is a set of standards that specifies the minimum security requirements for the BPS. The 11 reliability standards that make up NERC-CIP are currently a hot topic in the U.S. due to their focus on regulating physical security and cybersecurity assets that are deemed critical to the electricity infrastructure. Although technology plays a large part in the topics covered by the NERC-CIP reliability standards themselves, their true purpose is building operational policies and procedures.
Along with hashing out these policies and procedures, NERC-CIP also covers testing and repairing security issues in critical assets using vulnerability assessment tools. During the CIP testing process, the categorized cybersecurity assets pertaining to the specific reliability standard are rated on a severity scale (high, medium, and low). If too many high-severity findings are present within the critical infrastructure, the BPS entity will fail the NERC-CIP assessment altogether and will need to work with NERC to repair or patch its infrastructure to stay in scope. For a full overview of the current list of NERC-CIP reliability standards in the U.S., see the table below:
Critical Infrastructure Protection (CIP) Reliability Standards

| Standard Number | Title | Effective Date of Standard | Phased-in Implementation Date (if applicable) |
| --- | --- | --- | --- |
| CIP-002-5.1a | Cyber Security - BES Cyber System Categorization | 12/27/16 | |
| CIP-003-6 | Cyber Security - Security Management Controls | 7/1/16 | Phased-in schedule applies (see NERC detail) |
| CIP-004-6 | Cyber Security - Personnel & Training | 7/1/16 | Phased-in schedule applies (see NERC detail) |
| CIP-005-5 | Cyber Security - Electronic Security Perimeter(s) | 7/1/16 | |
| CIP-006-6 | Cyber Security - Physical Security of BES Cyber Systems | 7/1/16 | Phased-in schedule applies (see NERC detail) |
| CIP-007-6 | Cyber Security - System Security Management | 7/1/16 | Phased-in schedule applies (see NERC detail) |
| CIP-008-5 | Cyber Security - Incident Reporting and Response Planning | 7/1/16 | Phased-in schedule applies (see NERC detail) |
| CIP-009-6 | Cyber Security - Recovery Plans for BES Cyber Systems | 7/1/16 | Phased-in schedule applies (see NERC detail) |
| CIP-010-2 | Cyber Security - Configuration Change Management and Vulnerability Assessments | 7/1/16 | Phased-in schedule applies (see NERC detail) |
| CIP-011-2 | Cyber Security - Information Protection | 7/1/16 | |
NERC CIP Compliance
The NERC-CIP standards listed in the table above detail the minimum requirements for the plans, procedures, and processes that BPS operators must comply with. Any responsible entity that is required to adhere to these reliability standards also needs to self-report and self-certify that its current operations meet the minimum requirements. Electric utilities meet these objectives by forming comprehensive processes and assigning responsibility to personnel for executing the defined process.
The Critical Infrastructure Protection Committee (CIPC) works in tandem with NERC to obtain feedback from entities, which helps NERC revise its standards and draft new ones when applicable. FERC also directs NERC to develop modifications to the CIP Reliability Standards to mitigate the risk of malicious code introduced by third-party transient electronic devices. From there, NERC collaborates with regional partners to monitor and ensure that the required entities are maintaining their compliance. To be NERC CIP compliant, entities must ensure they've enacted the measures contained in all the enforceable CIP standards. Through assessments, training, and the additional measures listed under the subheadings below, entities can position themselves to become fully NERC-CIP compliant.
To achieve full compliance with NERC-CIP, entities are required to undergo vulnerability assessments every 15 months and self-report the documentation of their findings. Each assessment must report on deficiencies that were identified in past audits as areas needing to be addressed and fixed. Entities are then required to implement an action plan to strengthen the functionality of their critical infrastructure. Even if the original audit revealed that nothing needed to be improved, it is still advisable for the entity to implement realistic processes and procedures that show NERC it is committed to improving the utility's BPS reliability and reducing the risk of cyber-attacks.
Vulnerability assessments should examine the state of workstation firewalls, the configurations of network device firmware, and the system access controls and management of user accounts, among other important physical security and cybersecurity assets. Each assessment must consider the entire system by verifying cyber asset inventories, with the purpose of seeking out vulnerabilities and formulating solutions to mitigate them if and when they are found. Accomplishing this assessment requires many hours of planning, creating processes, and educating operators on the finer points of complying with NERC-CIP reliability standards.
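To make the 15-month assessment cadence and the carry-forward of prior deficiencies concrete, here is an added Python example (not from the article and not NERC tooling) that tracks a constructed BES Cyber System inventory and flags what the next self-report must cover; the asset names, dates, severity ratings and findings are all assumptions.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date


@dataclass
class CyberAsset:
    name: str                 # constructed identifier, not a real entity's asset
    impact: str               # "high", "medium" or "low", the severity scale the article describes
    last_assessment: date     # date of the most recent vulnerability assessment
    open_deficiencies: list = field(default_factory=list)  # findings not yet fixed


def add_months(d: date, months: int) -> date:
    """Advance a date by calendar months, clamping to the last valid day
    (e.g. 31 Jan + 3 months = 30 Apr), so the 15-month clock is not a 450-day guess."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def assessment_due(asset: CyberAsset, as_of: date, interval_months: int = 15) -> bool:
    """True once the next assessment date (last assessment + 15 calendar months) is reached."""
    return as_of >= add_months(asset.last_assessment, interval_months)


def compliance_report(assets: list, as_of: date) -> dict:
    """Collect assets whose assessment window has lapsed and assets still carrying
    deficiencies from a prior assessment, the two things each self-report must account for."""
    overdue = [a.name for a in assets if assessment_due(a, as_of)]
    unresolved = {a.name: list(a.open_deficiencies) for a in assets if a.open_deficiencies}
    return {"overdue": overdue, "unresolved": unresolved}


# Constructed sample inventory (names, dates and findings are made up for this example).
SAMPLE_INVENTORY = [
    CyberAsset("SUB-A-RTU-01", "high", date(2017, 11, 15)),
    CyberAsset("EMS-HMI-01", "medium", date(2018, 2, 1),
               ["workstation firewall disabled"]),
    CyberAsset("SUB-B-FW-01", "low", date(2018, 1, 31),
               ["firmware not at approved baseline"]),
]

if __name__ == "__main__":
    # As of 1 March 2019 only the RTU (assessed 15 Nov 2017) has passed its 15-month mark.
    print(compliance_report(SAMPLE_INVENTORY, date(2019, 3, 1)))
```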
Technology moves fast and the requirements to stay compliant are constantly changing, so it's imperative that your organization maintain a proactive stance in meeting NERC-CIP requirements. Build a dedicated compliance team that has the tools and resources needed to keep up with updates and additions to the NERC-CIP certification. Entities should address NERC-CIP compliance with all members of their organization, not just the ones tasked with implementing and maintaining the compliance process.
All employees (contractors included) should have a full understanding of how each reliability standard impacts their job and affects the organization. The best time to get employees acquainted is at the point of hiring. Having processes already defined and baking them into company HR policies will help your organization close any liability gaps that may arise if policies and procedures are not carried out appropriately.
Depending on the size of the entity and its hiring needs, it's advantageous to implement a robust, holistic, company-wide cybersecurity policy that falls within the scope of the NERC-CIP reliability standards. Entities must shift their mindset from passively integrating cybersecurity measures into processes to formulating widespread procedures that are integrated into everything they do. This can be tricky if the processes, plans, and policies are not clearly articulated, as some employees are less cyber savvy than others. If the entity can formulate an easy-to-comprehend program that defines roles appropriately, it can improve its ability to protect its cyber assets.
Additional Compliance Measures
Entities must also configure recovery plans that allow them to adequately support the continued stability, operability, and reliability of their BPS in the event of a cyberattack. Even if an entity is secure now, that doesn't mean it always will be. If it is unable to configure a long-term plan for success based on future technology integrations, it may open a window of opportunity for a cyberattack of massive proportions. Doubling your efforts to collaborate with other organizations in your industry to configure solutions is of paramount importance to maintaining NERC-CIP compliance in the future.
New technologies are constantly being developed that can help optimize operational efficiency. Unfortunately, if an entity does not configure a plan for integrating new technologies into its critical infrastructure, it might not be able to function at the high level it needs to produce energy productively. It may not be practical or cost-effective to replace or upgrade every device as quickly or as easily as procedures can be written, but if an entity wants to count itself as an innovator among a sea of competing innovators, it needs to do its due diligence in planning out its NERC-CIP compliance processes.
Future NERC-CIP Compliance Needs
CIP-003-7 (Cyber Security - Security Management Controls) has an effective date of January 1, 2020. The complexity of the policies and procedures that entities must implement to adhere to this new reliability standard is daunting, which is why most companies are searching for NERC CIP solutions. This reliability standard clarifies the obligations pertaining to electronic access control for BPS Cyber Systems while also requiring mandatory security controls for transient electronic devices. Transient electronic devices include thumb drives and laptop computers, as well as any portable device that is frequently connected to and disconnected from BPS Cyber Systems. Entities must also develop a policy for declaring and responding to CIP Exceptional Circumstances.
Thankfully, much of the policy-building language in CIP-003-7 is already used in CIP-003-6. This saves entities much-needed time and effort in complying with the policies if they are already in compliance with CIP-003-6. The procedures, on the other hand, still need to be fleshed out separately from CIP-003-6. Thus, it is important to be proactive in developing these procedures in early 2019 to keep your organization from burning the midnight oil leading up to New Year's Eve 2020 and to stave off fines for NERC-CIP noncompliance. However, some organizations may not have trained personnel who are able to implement these changes effectively, which is why it is important to seek cyber security solutions.
With 3 more NERC-CIP reliability standards filed and pending regulatory approval, entities must be proactive in their NERC compliance and budget accordingly for the future. This means hiring and training more staff to plan, implement, and manage the policies and procedures necessary to maintain NERC-CIP compliance. Entities must strike a delicate balance so that they do not become so focused on complying with the next new reliability standard that they lose sight of improving their security processes. With cyberattacks growing in size and complexity, entities need to work out a system for absorbing new reliability standards into their organization without sacrificing flexibility or security.
With more NERC Reliability Standards being added as the years progress, it is imperative that BPS operators formulate systems of controls and procedures that allow them to stay secure and in scope. Should the North American bulk electric system be compromised through a cyberattack, the effects would be devastating. Through the concerted efforts of BPS operators, the bulk electric system may be able to withstand, and stay strides ahead of, the constant bombardment of cyberattacks in the future, while also making its operations and infrastructure more secure and efficient.