The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority that ensures the security of bulk power systems (BPS) across all of North America. NERC’s primary responsibilities include defining and enforcing standards that safeguard against physical, cyber, and other threats. These protections keep power flowing to all North American populations.
In other words, they keep society functioning as expected.
For cybersecurity in particular NERC’s Critical Infrastructure Protection (CIP) Reliability Standards provide a framework for protecting Critical Cyber Assets. Compliance with the CIP standards is essential for all owners, operators, and users of the BPS. But compliance requirements vary widely, so many businesses across different industries seek Compliance consultation to help keep themselves protected.
This guide will break down everything you need to know about which industries are most impacted and how to prevent risks through compliance.
Industries and Entities Most Impacted
Since the BPS is the source of all power across North America it’s no exaggeration to say that every energy user is impacted by NERC. But the NERC CIP high impact practices are most important for the industries directly involved with the BPS. Beyond these end-consumers are also impacted indirectly, and risks trickle down to all parties involved.
Direct Impact: BPS Owners, Operators, and Users
The industries most directly affected by NERC CIP standards are those that make up the BPS—power and infrastructure. In practical terms this includes every party involved with the electric grid and power systems across North America.
According to the US Department of Energy, the electric system and power grid break down into three main areas or industries:
- Generation
- Transmission
- Distribution
Electricity is generated by converting other renewable and non-renewable primary energy sources into electrical charge. Then, it’s transmitted across the nation and distributed to its various end-users.
Ownership of these industries is spread across a wide variety of entities:
- Investor-Owned Utilities (IOUs) – Approximately 129 IOUs own about 38 percent of generation, 80 percent of transmission, and 50 percent of the distribution.
- Publicly-Owned Utilities and Cooperatives – Some 2,900 such entities own about 15 percent of generation, 12 percent of transmission, and 50 percent of the distribution.
- Independent Power Producers – Around 2,800 of these independent entities own about 40 percent of generation.
- The Federal Government – There are nine agencies owned by the government, which collectively account for seven percent of generation and eight percent of transmission.
- Electric Power Marketers – A combined 211 such marketers own about 19 percent of sales of electricity to consumers.
Beyond ownership management of the grid comes down to even more disparate parties. Two of the most important entities that run the grid are:
- Independent system operators (ISOs)
- Regional transmission organizations (RTOs).
Ownership, operation, and use of the BPS are distributed to individual entities’ Bulk Electric Systems (BES) and corresponding assets.
The NERC CIP standards apply to all these entities involved across these industries, except for those involved with the local-level distribution. Thus there are many different stakeholders across private and public sectors who are directly impacted on the production side of electrical power.
However, the end-users of electrical energy on the consumer side are also impacted indirectly.
Indirect Impact: All Users of Electricity
The power grid—which NERC was created to protect—serves over 400 million people across the US, Canada, and Mexico. And every single power user could potentially feel the impacts of a security breach. So, all these individuals are impacted by the NERC CIP.
In the US alone the Department of Energy estimates that there are over 140 million such parties, broken down into the following categories:
- 122 million residential customers (37 percent of sales)
- 17 million commercial customers (35 percent of sales)
- Less than one million industrial customers (28 percent of sales)
These end-users don’t bear the burden of implementing standards, nor would they ever face a NERC CIP background check. However, the effects of security breaches for energy suppliers can trickle down and have significant impacts on the lives of everyone.
Risks Faced by Those Impacted
Like any organization, those involved in the BPS industries face a variety of operational risks. These include but are not limited to:
- Accidental loss of or damage to physical assets
- Natural disasters and ensuing damage to property
- Cybercrime and sabotage of digital information and property
Cybercrime is one of the most unpredictable sources of risk, particularly as attacks become increasingly sophisticated with each advancement in technology. Today, hackers employ a number of general and targeted schemes to gain access to an organization’s digital files and networks. Valuable data, like employees’ or client’s financial information, can be leveraged directly for fraud or indirectly for extortion.
These vulnerabilities also compound with the other sources of risk. An accident or a physical disaster could compromise physical or digital security, creating even more vulnerabilities for hackers to exploit.
For the BPS in particular the threat isn’t simply limited to immediate financial loss; there’s also power outages to consider, which could impact nearby institutions, such as hospitals or senior living communities. Given how dependent the vast majority of social services are upon consistent power supply, even a momentary outage can have long lasting ramifications.
To ensure the safety and security of all of North America all BPS owners, operators, and users must comply with NERC CIP standards.
How the NERC CIP Framework Helps
NERC’s mission is to safeguard all parties listed above through the development and enforcement of universal standards. These standards are:
- Developed through a process that’s driven by industry-wide consensus
- Accredited by the American National Standards Institute (ANSI)
- Guided by a set of shared Reliability Principles and Market Principles
Overall, the NERC CIP standards exist in order to help the wide variety of interconnected businesses across the industries streamline and unify their security protocols.
The CIP Standards
The Standards Committee (SC) continuously assesses and modifies existing standards, generates new standards, and eliminates those that are no longer applicable.
Of all the CIP standards 11 are subject to enforcement. The first 10 involve cybersecurity primarily, whereas the final one involves physical security. Here’s a breakdown of each, with language adapted from linked PDFs for each standard:
- CIP-002-5.1a: BES Cyber System Categorization – Basic identification and categorized inventory of all BES assets and corresponding cyber systems. This includes a detailed catalog of interconnections and potential points of contact between BES assets and measures, scaled to ensuing risks.
- CIP-003-8: Security Management Controls – Specification of consistent, sustainable controls for security management. These controls establish both accountability and responsibility.
- CIP-004-6: Personnel & Training – Any personnel who access the BES require appropriate levels of training, risk assessment, and security awareness.
- CIP-005-5: Electronic Security Perimeter(s) – Management of electronic access to BES via specification of controlled perimeter.
- CIP-006-6: Physical Security of BES Cyber Systems – Specifications and exact limitations on physical access to BES. A security plan ensures protection against threats physical breaches expose.
- CIP-007-6: System Security Management – Managed specifications of three distinct categories: technical requirements, operational requirements, and procedural requirements.
- CIP-008-5: Incident Reporting and Response Planning – Specified requirements for all reporting of incidents and responses to incidents.
- CIP-009-6: Recovery Plan for BES Cyber Systems – Established recovery plan requirements to ensure stability, operability, and reliability of BES even in the event of potential losses.
- CIP-010-2: Configuration Change Management and Vulnerability Assessments – Detection and prevention of unauthorized changes to BES. These are specified requirements for configuration change management and vulnerability assessment.
- CIP-011-2: Information Protection – Prevention of unauthorized access to any and all BES via specified information protection requirements.
- CIP-014-2: Physical Security – Identification and physical protection of all transmission stations and substations, as well as any and all primary control centers associated with them. This includes measures to prevent instability, uncontrolled separation, or cascading interconnections.
This system of standards protects against misoperation or instability, resulting from a physical or cyberattack. In addition to the 11 currently-enforceable standards, there are five scheduled for future enforcement. There are also 74 inactive standards and one pending inactive status. You can find detailed information on each on the official master list of NERC CIP standards.
With such a wide variety of standards—both new and old—following the correct rules is not always straightforward. Enforcement is needed to ensure entities are compliant.
Compliance
Compliance is both monitored and enforced by Regional Entities. Through assessment, investigation, evaluation, and auditing these agents determine degrees of compliance or violations thereof. Each standard establishes a general action or behavior that’s expected.
These general standards break down into particular requirements for all responsible entities; these are labeled “R1,” “R2,” etc. for each standard. In addition, the requirements are different for relevant “Applicable Systems,” as not all systems need to follow the same protocols in the same ways. The execution of these requirements varies depending on the system in question, as well as the particular measures (labeled “M1,” etc.) specified.
For example, CIP-004-6: Personnel & Training breaks down into a total of 5 requirements. Of those, each has its own corresponding measurements. Some of these requirements are simpler—with just one part—whereas others are more complex, containing multiple parts:
- Requirement R2 for CIP 004-6 is titled “Cyber Security Training Program” and specifically details guidelines for cybersecurity programs.
- Requirement R2 breaks down into three parts:
- 2.1: Lists the specific topic areas personnel must be trained in.
- 2.2: Specifies that employees must complete trainings delineated in 2.1 before being granted access to cyber assets
- 2.3: Specifies that training delineated in 2.1 must be completed every 15 months.
While the specific requirement already goes into more detail than the general standard, the individual parts detail how to follow it. The measures then explain how to prove you’re following it. For example, measures specified for R2 part 2.1 include proof points of evidence like:
- Powerpoint presentations
- Instructor or student notes
- Handouts and other training materials
These specifications only scratch the surface of the complexity across all the standards. Furthermore, they feed into other specifications that are used to justify and administer enforcement.
Due to the sheer depth and breadth of these standards, most organizations require the help of experts to maintain compliance.
Enforcement
Enforcement depends on many variables related to the measurements above. Evidence retention and audit procedures vary depending by standard, but all include Violation Severity Levels (VSL). These levels enable uniform protocols for administering punishments, such as sanctions. These punishments scale according to Violation Risk Factors (VRF) as well as frequency and severity of violations.
For example, the Table of Compliance Elements for CIP-008-5: Incident Reporting and Response Planning includes variables for all three requirements of the Standard. Although they’re all rated “Lower” VRF, there are differences in VSL:
- R2 (Operations Planning, Real-Time Operations) and R3 (Operations Assessment) include ratings for all VSL categories (Lower, Moderate, High, and Severe).
- R1 (Long Term Planning) only includes ratings for High and Severe VSL:
- High VSL infractions include failing to specify roles and responsibilities of parties involved with Cyber Security Incident Response (related to R1.3) or incident handling procedures for cybersecurity incidents (R1.4).
- Severe VSL infractions include failure to develop a plan at all (R1.1), or developing a plan lacking key elements of identifying reportable incidents (R1.2).
Given the extreme complexity of all the rules, it’s no wonder many organizations have trouble keeping track of compliance. The best way to ensure that your organization avoids enforcement and remains compliant is to seek out professional help.
Professionalize your Cybersecurity
If you’re an owner, operator, or user of BPS, you need to make sure you’re complying with the NERC CIP standards. Whether you’re involved in generation, transmission, or distribution of bulk power, these standards and the risks they prevent impact you directly.
Here at RSI Security, our mission is to help you secure your success by bolstering your cyber defenses up to and beyond all relevant requirements. One of the many services we offer is comprehensive NERC compliance analysis and certification. We’ve worked with countless NERC entities to ensure they’re compliant and secure, avoiding both the hassle of sanctions and the very real threats these standards are meant to prevent.
Our team of experts can help with all stages of compliance. Once we get to know your business, we’ll assess your strengths and weaknesses from a cybersecurity perspective and facilitate your adoption of all relevant practices. We equip you with the tools and knowledge to keep yourself safe moving forward.
For NERC compliance and all your cybersecurity needs contact RSI today!