Keeping the lights on across America is no simple task. It takes more than a thousand operators—spanning the four interconnected, transnational power grids—all working together.
Today, to operate safely within the power and infrastructure sectors, an operator must abide by the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards. These standards exist to keep the American electric system secure, reliable, and adequate.
But abiding by NERC CIP requirements is easier said than done, which is why the vast majority of operators enlist the services of a compliance partner.
The Four Pillars of NERC CIP
All businesses that own, operate, or use a bulk electric power system must comply with NERC-approved Reliability Standards. But the degree of compliance required varies from operator to operator. Because of this, many operators ask a NERC CIP consultant to perform a comprehensive audit of their operations to determine:
- Whether compliance is, in fact, required
- The level of compliance required
Regardless of your specific situation, your partner can conduct a NERC CIP compliance checklist to help you build upon NERC’s four pillars for continued success, which are:
- Reliability – To highlight and confront risks and thus improve the bulk power system’s reliability.
- Assurance – To assure the public, industry, and government that the bulk power system is performing reliably.
- Learning – To create an environment where operators are striving for continued improvement and education, thus improving the reliability of the bulk power system.
- Risk-based approach – To direct attention, funds, and prescriptions toward issues that pose the greatest threat to the bulk power system’s reliability.
By coordinating and collaborating with experts, you create an organizational culture of security compliance.
NERC CIP Compliance Requirements
Although NERC won’t prevent all incidents from occurring, it sets a high standard that can help reduce the frequency and severity of incidents. According to NIST, the NERC Cybersecurity Framework empowers your operation by establishing the following cybersecurity functions throughout your organization:
- Identify – Instill an organizational effort to reduce cybersecurity risk, particularly to:
  - Internal systems
  - Personnel
  - Data
  - Capabilities
  - Assets
- Protect – Create and establish protections to ensure the delivery of critical energy services.
- Detect – Create and establish systems that alert you to cybersecurity incidents the moment they occur.
- Respond – Create and establish protocols that trigger specific remedies for specific cybersecurity issues.
- Recover – Create and establish protocols that fortify your system and help it return to normal operations in the wake of a cybersecurity event.
Today, the most recent version of NERC CIP has 14 standards covering cybersecurity as well as physical infrastructure security. Of these, 11 are enforceable. They include:
CIP-002 Critical Cyber-Asset Identification
All cyber-assets must be identified and categorized by yield and vulnerability to cyberthreats across the Bulk Electronic Systems (BES). For this you may need a compliance partner to perform a risk-based assessment of the critical assets.
CIP-003 Security Management Controls
Every system must install and maintain at least the minimum security management controls to protect critical cyber-assets. To prove that the standard is being met you must document protocols and prove that they’ve been implemented. The policy should then be reviewed and updated on an annual basis.
CIP-004 Personnel and Training
Every team member that has physical access to Critical Cyber-Assets is required to have the right amount and level of training, security awareness, and personnel risk assessment credentials. Background checks and unique access codes are also must-haves.
CIP-005 Electronic Security Perimeters
An Electronic Security Perimeter must be established around all Critical Cyber-Assets. Your NERC CIP compliance partner can help you establish:
- Electronic Access Controls
- Electronic Access Monitoring
- Continued documentation review and maintenance
- Cyber-vulnerability assessments
CIP-006 Physical Security of Critical Cyber-Assets
In addition to cybersecurity, your system must have a physical security program that restricts and guards the access points to the security perimeter. This includes:
- Installing visual surveillance and alarm systems
- Logging all personnel ingress and egress
- Limiting access to authorized personnel only
CIP-007 System Security Management
Every security system is required to be up to date and continuously maintained by the authorized personnel. Patches, anti-virus, anti-malware, and other cybersecurity management assets should be frequently updated. An audit on your system security management by a compliance partner can help you ensure that all the proper protocols are in place.
CIP-008 Incident Reporting and Response Preparations
Prepare to document, report, and analyze all incidents—both big and small. A cyber-response team should be formed to help develop and maintain a cybersecurity incident response plan.
CIP-009 Critical Cyber-Asset Recovery Plans
Develop a recovery plan for every critical cyber-asset that would respond to a cyberattack. This ensures that the BES is restored as quickly and securely as possible.
CIP-010 Configuration Change Management and Vulnerability Assessments
The baseline configuration shouldn’t be changed unless the change is authorized and documented. In addition, a security risk assessment must be conducted annually to verify that the baseline configuration is up to par.
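A baseline drift check of the kind CIP-010 calls for, added here as an example that is not from the original article or from any NERC or vendor tooling; the asset names, configuration items and change-ticket records are constructed assumptions:

```python
"""Compare observed device configuration against a documented baseline and flag
deviations that no authorized, documented change record covers (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample baseline for two hypothetical BES cyber assets.
BASELINE = {
    "rtu-01": {"os": "vxworks 6.9", "fw": "3.2.1", "open_ports": "22,502", "patch_level": "2023-11"},
    "hmi-01": {"os": "win10 21H2", "fw": "n/a", "open_ports": "3389,443", "patch_level": "2024-01"},
}

# Constructed change-authorization log: each entry documents one approved change.
AUTHORIZED_CHANGES = [
    {"asset": "hmi-01", "item": "patch_level", "new": "2024-03", "ticket": "CHG-0042"},
]

@dataclass
class Finding:
    asset: str
    item: str
    old: str
    new: str
    authorized: bool
    ticket: Optional[str] = None

def compare_to_baseline(baseline, observed, authorized):
    """Return one Finding per deviation; authorized only when a documented change matches exactly."""
    auth_index = {(a["asset"], a["item"], a["new"]): a["ticket"] for a in authorized}
    findings = []
    for asset, items in baseline.items():
        current = observed.get(asset, {})  # a missing asset shows up as every item deviating
        for item, old in items.items():
            new = current.get(item)
            if new == old:
                continue
            ticket = auth_index.get((asset, item, new))
            findings.append(Finding(asset, item, old, str(new), ticket is not None, ticket))
    return findings

def unauthorized(findings):
    """Deviations with no authorization record: the ones an auditor will ask about."""
    return [f for f in findings if not f.authorized]

# Constructed observed state: one documented patch, one undocumented port change.
OBSERVED = {
    "rtu-01": {"os": "vxworks 6.9", "fw": "3.2.1", "open_ports": "22,502,23", "patch_level": "2023-11"},
    "hmi-01": {"os": "win10 21H2", "fw": "n/a", "open_ports": "3389,443", "patch_level": "2024-03"},
}

if __name__ == "__main__":
    for f in compare_to_baseline(BASELINE, OBSERVED, AUTHORIZED_CHANGES):
        status = f"authorized ({f.ticket})" if f.authorized else "UNAUTHORIZED"
        print(f"{f.asset} {f.item}: {f.old!r} -> {f.new!r} [{status}]")
```

Run against a real inventory, the observed dictionaries would come from the assets themselves and the authorization log from your change-management system; the comparison logic stays the same.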
CIP-011 Information Protection
All data—whether at rest or in transit—needs to be secure and protected. Networks require heightened security, especially for sensitive data. Therefore, all access to information storage sites requires strict controls.
CIP-014 Physical Security
The physical property that hosts critical-assets must be secured “by any and all means.” Physical security barriers, personnel, and access restrictions can all help protect the most vulnerable or critical system facilities. Your compliance partner can perform a review of your physical security precautions.
Compliance and Enforcement
According to NERC, compliance monitoring is “a process used to assess, investigate, evaluate, and audit in order to measure compliance with NERC Reliability Standards.” If a review finds that an operator falls short, NERC can take one of two enforcement actions:
- Issue sanctions to ensure that the violations are mitigated and addressed
- Issue directives to address violations and implement corrective actions to prevent further violations
If your organization is found guilty of violating any standards, you’ll be compelled to issue a mitigation plan for approval.
Achieving NERC CIP Compliance
To be compliant you must demonstrate that you’ve installed all of the NERC CIP compliance requirements. And if you wish to maintain compliance, your organization will be required to undergo a cyber vulnerability assessment (CVA) every single year.
This is where a compliance partner can assist. They have the decades of experience necessary to ensure that a CVA is comprehensive and that every discovered vulnerability is promptly addressed.
Typically, a compliance CVA includes:
- Review of your CIP documentation
- Assessment of Electronic Security Perimeter
- Report with remediation guidance
- Access point port and service reviews
Complying with NERC CIP
The continued safety and security of the power and infrastructure sectors is paramount for the country to function. All bulk power system owners, operators, and users must comply with NERC’s reliability standards.
But this process is complicated and the standards are always changing. Keeping track of updates is a full-time job, even for the cybersecurity experts. This is why many organizations rely on compliance partners to help them achieve NERC CIP compliance. They can evaluate, establish, and protect your digital security perimeter across multiple layers, devices, and systems.
At RSI Security we aren’t simply NERC CIP compliance partners; that barely scratches the surface of what we do. As cybersecurity experts, our mission is to help you establish a cyber-risk management program that offers several mission-critical services, including:
- Compliance advisory services
- Managed network security services
- Penetration testing services
- Cloud computing security services
Whether you need guidance, consulting, or compliance testing, we’re here ready to help. Need a compliance partner? Reach out today.