Home Compliance StandardsNERC CIP Why You Need a NERC CIP Compliance Partner
NERC CIP

Why You Need a NERC CIP Compliance Partner

by RSI Security
written by RSI Security
nerc

Keeping the lights on across America is no simple task. It takes more than a thousand operators—spanning the four, interconnected, transnational power grids—all working together.

Today, to safely function within the power of infrastructure sectors, an operator must abide by the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards. This ensures that the American electric system is secure, reliable, and adequate.

But abiding by NERC CIP requirements is easier said than done, which is why the vast majority of operators enlist the services of a compliance partner.

 

The Four Pillars of NERC CIP

All businesses that either own, operate, or use a bulk electric power system must comply with NERC-approved Reliability Standards. But the degree of compliance varies from operator to operator. Because of this many operators ask a NERC CIP Consultant to perform a comprehensive audit of their operations to see:

  • Whether compliance is, in fact, required
  • The level of require compliance

Regardless of your specific situation, your partner can conduct a NERC CIP compliance checklist to help you build upon NERC’s four pillars for continued success, which are:

  1. Reliability – To highlight and confront risks and thus improve the bulk power system’s reliability.
  2. Assurance – To assure the public, industry, and government that the bulk power system is performing reliably.
  3. Learning – To create an environment where operators are striving for continued improvement and education, thus improving the reliability of the bulk power system.
  4. Risk-based approach – To direct attention, funds, and prescriptions toward issues that pose the greatest threat to the bulk power system’s reliability.

By coordinating and collaborating with experts you create an organizational culture of security compliance.

 

Assess your NERC CIP compliance!

 

NERC CIP Compliance Requirements

Although NERC won’t prevent all incidents from occurring, they set a high standard that can help reduce the frequency and severity of incidents. According to NIST, the NERC Cybersecurity Framework empowers your operation by establishing the following cybersecurity functionalities throughout your organization:

  • Identify – Instill an organizational effort to reduce cybersecurity risk, particularly to:
    • Internal systems
    • Personnel
    • Data
    • Capabilities
    • Assets
  • Protect – Create and establish protections to ensure the delivery of critical energy services.
  • Detect – Create and establish systems that alert you to cybersecurity incidents the moment they occur.
  • Respond – Create and establish protocols that trigger specific remedies for specific cybersecurity issues.
  • Recover – Create and establish protocols that fortify your system and help it return to normal operations in the wake of a cybersecurity event.

Today, the most recent version of NERC CIP has 14 standards regarding cybersecurity as well as physical infrastructure security. Of these 11 are enforceable. They include:

CIP-002 Critical Cyber-Asset Identification

All cyber-assets must be categorized and identified by yield and vulnerability to cyberthreats across the Bulk Electronic Systems (BES). For this you may need a compliance partner to perform a risk-based assessment of the critical-assets.

 

CIP-003 Security Management Controls

Every system must install and maintain at least the minimum security management controls to protect critical cyber-assets. To prove that the standard is being met you must document protocols and prove that they’ve been implemented. The policy should then be reviewed and updated on an annual basis.

 

CIP-004 Personnel and Training

Every team member that has physical access to Critical Cyber-Assets is required to have the right amount and level of training, security awareness, and personnel risk assessment credentials. Background checks and unique access codes are also must-haves.

 

CIP-005 Electronic Security Perimeters

An Electronic Security Perimeter must be established around all Critical Cyber-Assets. Your NERC CIP compliance partner can help you establish:

 

CIP-006 Physical Security of Critical Cyber-Assets

In addition to cybersecurity, your system must have a physical security program that restricts and guards the access points to the security perimeter. This includes:

  • Installing visual surveillance and alarm systems
  • Logging all personnel ingress and egress
  • Limiting access to authorized personnel only

 

CIP-007 System Security Management

Every security system is required to be up to date and continuously maintained by the authorized personnel. Patches, anti-virus, anti-malware, and other cybersecurity management assets should be frequently updated. An audit on your system security management by a compliance partner can help you ensure that all the proper protocols are in place.

 

CIP-008 Incident Reporting and Response Preparations

Prepare to document, report, and analyze all incidents—both big and small. A cyber-response team should be formed to help develop and maintain a cybersecurity incident response plan.

 

CIP-009 Critical Cyber-Asset Recovery Plans

Develop a recovery plan for every critical-cyber asset that would respond to a cyberattack.This ensures that BES is restored as quickly and securely as possible.

Nerc

CIP-10 Configuration Change Management and Vulnerability Assessments

The baseline configuration shouldn’t be changed unless authorized and documented. In addition, a security risk assessment must be conducted annually to verify that the baseline configuration is up to par.

 

CIP-011 Information Protection

All data—whether at rest or in transit—needs to be secure and protected. Networks require heightened security, especially for sensitive data. Therefore, all access to information storage sites requires strict controls.

 

CIP-014 Physical Security

The physical property that hosts critical-assets must be secured “by any and all means.” Physical security barriers, personnel, and access restrictions can all help protect the most vulnerable or critical system facilities. Your compliance partner can perform a review of your physical security precautions.

 

Compliance and Enforcement

According to NERC, compliance monitoring is “a process used to assess, investigate, evaluate, and audit in order to measure compliance with NERC Reliability Standards.” If a review finds that an operator falls short, NERC can take one of two enforcement actions:

  1. Issue sanctions to ensure that the violations are mitigated and addressed
  2. Issue directives to address violations and implement corrective actions to prevent further violations

If your organization is found guilty of violating any standards, you’ll be compelled to issue a mitigation plan for approval.

 

Achieving NERC CIP Compliance

To be compliant you must demonstrate that you’ve installed all of the NERC CIP compliance requirements. And if you wish to maintain compliance, your organization will be required to undergo a cyber vulnerability assessment (CVA) every single year.

This is where a compliance partner can assist. They have decades of experience necessary to ensure that a CVA is comprehensive and that every discovered vulnerability is immediately addressed.

Typically, a test compliance CVA includes:

  • Review of your CIP documentation
  • Assessment of Electronic Security Perimeter
  • Report with remediation guidance
  • Access point port and service reviews

 

Complying with NERC CIP

The continued safety and security of the power and infrastructure sectors is paramount for the country to function. All bulk power system owners, operators, and users must comply with NERC’s reliability standards.

But this process is complicated and the standards are always changing. Keeping track of updates is a full-time job, even for the cybersecurity experts. This is why many organizations rely on compliance partners to help them achieve NERC CIP compliance. They can evaluate, establish, and protect your digital security perimeter across multiple layers, devices, and systems.

At RSI Security we aren’t simply NERC CIP compliance partners; that barely scratches the surface of what we do. As cybersecurity experts, our mission is to help you establish a cyber-risk management program that offers several mission critical services including:

Whether you need guidance, consulting, or compliance testing, we’re here ready to help. Need a compliance partner? Reach out today.

 

Speak with a NERC CIP expert today!

 

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

What Does NERC CIP Stand For?

May 15, 2020

NERC CIP Vulnerability Assessment: A Comprehensive Guide

August 6, 2020

How to Achieve NERC CIP Compliance

October 31, 2018

What Is Threat and Vulnerability Management For NERC...

November 5, 2018

How Many CIP Standards Are There?

May 28, 2020

What Is NERC CIP Training?

July 22, 2020

Top Cybersecurity Standards for Critical Infrastructure

July 21, 2020

Which Industries are Most Impacted by NERC CIP?

June 17, 2020

What are the 10 Fundamentals of NERC CIP...

June 26, 2020

What is NERC CIP Compliance?

August 29, 2018

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More