North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
What is North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)?
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan is a set of standards aimed at regulating, enforcing, monitoring and managing the security of the Bulk Electric System (BES) in North America. These standards apply specifically to the cybersecurity aspects of BES. The CIP standards provide a cybersecurity framework to identify and secure critical assets that can impact the efficient and reliable supply of electricity of North America's BES.
NERC Critical Infrastructure Protection plan explained
The CIP program coordinates NERC's efforts to improve the security of the North American power system. NERC CIP includes the United States, several provinces in Canada and one state in Mexico.
The NERC CIP standards govern critical infrastructure of all entities that materially impact the reliability of BES. These entities include owners, operators and users of any part of the system.
These standards carry the force of regulations, meaning they are required by law. That's why these standards are also known as NERC CIP requirements. All entities that fall under the purview of NERC CIP must comply with these standards.
Requirements under NERC CIP
The NERC CIP standards require utility companies in North America to establish and adhere to a baseline set of cybersecurity measures. The goal is to ensure that appropriate security controls are in place to protect BES and its users and customers from all threats that may affect its timely and effective functioning. These threats may include cyber attacks, cyber vandalism or acts of cyberterrorism.
Entities must identify critical assets and regularly perform a risk analysis of those assets. They must also define policies for monitoring and changing the configuration of critical assets and for governing access to those assets.
In addition, NERC CIP requires the use of firewalls to block vulnerable ports and requires the use of cybersecurity monitoring tools. Organizations are also required to enforce IT controls to protect access to critical cyber assets. In addition, they must deploy systems to monitor security events and implement comprehensive contingency plans to respond to cyber attacks, natural disasters and other unplanned events that may affect the functioning of BES.
Importance of NERC CIP compliance
To ensure the delivery of consistent and effective power to all recipients, NERC and its regional bodies take compliance seriously. Therefore, NERC's Compliance Monitoring and Enforcement Program tracks, assesses and enforces the uniform compliance of covered entities via regular audits and spot checks.
All North American covered entities must comply with NERC CIP standards. Failure to comply may result in monetary fines, sanctions or other actions. Penalties may vary from country to country since NERC is a transnational organization.
Fundamental requirements of NERC CIP compliance
The fundamental standards and substandards under NERC CIP specify the requirements that utilities must follow to identify critical assets, create control mechanisms, enforce the logical and physical security of their systems, and recover any affected assets following a cybersecurity incident.
Ten such standards are explained below.
1. NERC CIP-002-5.1a: BES Cyber System Categorization
This standard is aimed at identifying and categorizing BES Cyber Systems, also known as BES Cyber Assets. The goal is to ensure that these assets are appropriately protected from compromises that could result in faulty operations or BES instability.
Categorization involves grading various BES Cyber Systems based on the impact of any interruption on reliable electricity supply. Rather than the cause, it is the length of interruption that matters.
Under this standard, Cyber Assets are broadly categorized as the following:
- Electronic Access Control or Monitoring Systems
- Physical Access Control Systems (PACS)
- Protected Cyber Assets
2. NERC CIP-003-8: Security Management Controls
The goal of this standard is to establish clear accountability to protect North American BES Cyber Systems. Accountability is achieved by delegating authority and identifying a senior manager to develop policies around consistent and sustainable security management controls. The standard also includes provisions regarding emergency situations.
3. NERC CIP-004-6: Personnel & Training
This standard focuses on the training of staff and contractors. Its purpose is to reduce the exposure of BES to cyber risks from personnel. The training consists of two parts:
- Cybersecurity awareness and training. Each individual must undergo training every 15 months, especially if they are involved in handling high-impact BES Cyber Systems.
- Risk and access control management. This includes programs for personnel risk assessment, access management, and revocation or removal of personnel access privileges.
4. NERC CIP-005-6: Electronic Security Perimeter(s)
The intent of this standard is to protect BES Cyber Systems from misoperation and instability. It also focuses on controlling network access to critical assets. Therefore, it requires entities to create Electronic Security Perimeters (ESPs) around Cyber Assets in order to create a virtual barrier through which data flows can be monitored.
Assets located outside the ESP must enter the network through a specified Electronic Access Point. Entities must monitor and maintain network segments, employ data encryption and control all remote access, especially by vendors and other third parties.
5. NERC CIP-006-6: Physical Security of BES Cyber Systems
This standard addresses operational and physical controls for a physical security plan, visitor control program, and maintenance and testing program:
- Physical security plan. Aims to restrict physical access through documented operational and procedural controls.
- Visitor control program. Establishes guidelines to manage visitors, including the provision of escorts and the maintenance of a detailed visitor log for at least 90 days.
- Maintenance and testing program. Standards to test all PACS, including the Physical Security Perimeter, once every two years.
6. NERC CIP-007-6: System Security Management
This standard defines the technical, operational and procedural elements to secure all systems within ESPs, including critical and noncritical Cyber Assets.
These elements include the following:
- ports and services
- security patches
- malicious code prevention
- security event monitoring
- system access controls
7. NERC CIP-008-6: Incidence Reporting and Response Planning
This standard prepares entities for cyber incidents and provides guidelines on how to respond to them with a cybersecurity incident response plan. It helps with the identification, classification, response, reporting and documentation of incidents related to critical cybersecurity assets.
It addresses three core areas of compliance:
- Cybersecurity incident response plan. It outlines the process to identify, classify and respond to cybersecurity incidents.
- Incident response plan implementation and testing. The incident response plan must be tested every 15 months.
- Incident response plan review, update and communication. Any changes to the plan must be communicated to relevant stakeholders within 90 days of a security incident.
8. NERC CIP-009-6: Recovery Plans for BES Cyber Systems
This standard addresses how entities can recover from a cybersecurity incident that has affected the functioning of BES cybersecurity systems. It ensures that a recovery plan is in place and that entities are following established plans for disaster recovery and business continuity.
The standard covers multiple aspects of incident recovery:
- Recovery specifications. Specifies when the plan should be activated and who is responsible.
- Recovery implementation and testing. Specifies that the plan should be tested every 15 months.
- Recovery plan review, update and communication. Specifies that any changes to the response plan must be communicated to relevant stakeholders within 90 days of a security incident or planned response exercise.
9. NERC CIP-010-3: Configuration Change Management and Vulnerability Assessments
This standard outlines the security policy requirements to prevent and detect any unauthorized changes to Cyber Systems. The goal is to achieve fundamental and ongoing protection through system configuration controls and active vulnerability testing.
It specifies three compliance areas:
- Configuration change management. Define baseline Authorization process for operating systems, software, ports, etc.
- Configuration monitoring. Monitor the baseline every 35 days for unauthorized changes.
- Vulnerability assessments. Conduct vulnerability assessment every 15 months.
10. NERC CIP-011-2: Information Protection
This standard specifies the requirements to identify information that could impact the functioning of BES if it is maliciously misused, compromised or stolen. It also specifies protocols for information protection and BES Cyber Asset reuse and disposal.
See how true IoT security in the energy industry requires continuous compliance; how regs create a blueprint for industrial controls, IoT and IIoT; and what NERC CIP is and IT's role in critical infrastructure protection.