First, some alphabet soup. NERC stands for the North American Electric Reliability Corporation; it develops the reliability standards that grid operators must adhere to. CIP stands for “Critical Infrastructure Protection.” In the context of “NERC CIP”, the CIP standards are the ones NERC developed that operators of the North American Bulk Electric System (BES) must comply with. The Regional Entities (historically called Regional Reliability Organizations, or RROs) are the enforcement arm of NERC: they perform periodic audits of grid operators and can levy financial penalties for non-compliance. In the United States, all of these organizations and standards answer to the Federal Energy Regulatory Commission (FERC), which approves the standards, regulates the transmission and wholesale sale of electricity, and monitors energy markets.
But where did NERC come from? Where did CIP come from? Understanding the historical context of the NERC organization and the CIP standards might help understand — and ultimately justify — the effort that goes into complying with the standards.
“NERC” originally stood for “National Electric Reliability Council.” “National” referred to the USA, and “council” was the apt name for what was then a voluntary industry body, funded through its regional reliability councils rather than by end users. “National” became “North American” once it was apparent that the electric systems of the USA and Canada could not be disentangled. Incidentally, NERC standards also apply in part of Mexico (the portion of Baja California that is interconnected with the Western Interconnection), and a bill to extend them to more of Mexico is pending Mexican congressional approval.
There is even some interest among experts in the EU in using or borrowing some of the concepts articulated in the NERC CIP standards. For example, a paper from the ‘Centre for Energy’1 states: “The United States has favored a strategy of ‘security in depth’ with strict and detailed regulations in specific sectors, which are implemented by institutions possessing coercive powers. By contrast, the EU has adopted a more flexible and exhaustive approach covering a wide range of issues, leaving an important margin of maneuver for member states in the implementation of norms. Nevertheless, these approaches are potentially complementary in that the strengths of the American system can serve as a model to improve certain weaknesses in the European approach, and vice versa.”
Today, NERC has more than 1900 members. It became a corporation in 2006, when FERC certified it as the Electric Reliability Organization under the Energy Policy Act of 2005 (hence the change from “council” to “corporation”), and it is now funded through assessments on load-serving entities, a cost that is ultimately passed on to end users. Members include the largest Bulk Electric System operators (more commonly referred to as electric utilities) in both the USA and Canada, such as Southern California Edison, Pacific Gas and Electric, and Florida Power and Light.
Over time, the technology used by BES providers has grown simultaneously more complex and more capable, and staying up-to-date and compliant with NERC CIP has, in many cases, become more complicated.
For these reasons the CIP standards are on the minds of OT safety engineers and of those responsible for the security of their BES Cyber Systems. The stated purpose of each of the 11 standards that BES operators must follow (and that are subject to enforcement) is given below2:
- CIP-002: System categorization — To identify and categorize BES cyber assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES cyber assets could have on the reliable operation of the BES.
- CIP-003: Security management controls — To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES cyber systems against compromise.
- CIP-004: Personnel and training — To minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES cyber systems by requiring an appropriate level of personnel risk assessment, training, and security awareness.
- CIP-005: Electronic Security Perimeter(s) — To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
- CIP-006: Physical security of BES Cyber Systems — To manage physical access to BES cyber systems by specifying a physical security plan in support of protecting BES cyber systems against compromise.
- CIP-007: System Security Management — To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES cyber systems against compromise.
- CIP-008: Incident reporting and response planning — To mitigate the risk to the reliable operation of the BES by specifying incident response requirements.
- CIP-009: Recovery plans for BES Cyber Systems — To recover reliability functions performed by BES cyber systems by specifying recovery plan requirements.
- CIP-010: Configuration change management and vulnerability assessments — To prevent and detect unauthorized changes to BES cyber systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES cyber systems from compromise.
- CIP-011: Cyber security information protection — To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES cyber systems against compromise that could lead to misoperation or instability in the BES.
- CIP-014: Physical security — To identify and protect transmission stations and transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or cascading within an interconnection.
BES operators demonstrate compliance with the standards listed above to the RROs through evidence: documented processes, records, and logs. They can produce that evidence by enlisting an auditing or consulting firm, by automating some of the security processes the standards require so that the evidence is generated as a byproduct, or both.
Because the CIP standards are comprehensive, spanning every aspect of BES security from physical security to personnel training to threat detection and beyond, every electric utility should consider a variety of strategies to ensure compliance. That said, ICS asset visibility, vulnerability management, and threat detection are central both to NERC CIP compliance and to effective ICS security in general: CIP-002 cannot be satisfied without an accurate asset inventory, CIP-010 without a configuration baseline and periodic vulnerability assessment, and CIP-008 without the ability to detect incidents. Implementing these capabilities and automating the processes that support them makes compliance, and overall safety and security, easier to both attain and maintain.
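As an added illustration of the kind of automation meant here (this is example code written for this page, not CyberX's product or anything published by NERC), the script below checks one asset's current inventory against a CIP-010 style baseline. CIP-010 R1 requires a baseline covering the operating system or firmware, commercially available and custom software, logical network-accessible ports, and applied security patches, and R2 requires monitoring for unauthorized changes to that baseline. The asset name, JSON layout, version strings and the "approved changes" record are all assumptions made for the example; the two JSON documents are constructed sample data.

```python
"""Detect deviations from a CIP-010 style baseline configuration.

Added example, not CyberX or NERC code. It assumes the baseline is stored as
JSON with the five elements CIP-010 R1 names, and that an inventory tool
produces a current snapshot of the same shape. All names below are hypothetical.
"""
import json
from dataclasses import dataclass

# Constructed sample baseline for one BES Cyber Asset (hypothetical asset).
BASELINE_JSON = """
{
  "asset_id": "RTU-SUB-07",
  "os": "VxWorks 6.9",
  "commercial_software": {"OPC Server": "3.4.1", "Telnet": "builtin"},
  "custom_software": {"feeder_logic": "sha256:abc123"},
  "ports": [20000, 22, 502],
  "patches": ["VX-2019-001", "VX-2019-004"]
}
"""

# Constructed current snapshot: Telnet removed (an approved change), an
# unexpected port opened, the OPC server updated, and one patch missing.
CURRENT_JSON = """
{
  "asset_id": "RTU-SUB-07",
  "os": "VxWorks 6.9",
  "commercial_software": {"OPC Server": "3.5.0"},
  "custom_software": {"feeder_logic": "sha256:abc123"},
  "ports": [20000, 22, 502, 23],
  "patches": ["VX-2019-001"]
}
"""

# Hypothetical change-management record: (baseline element, kind, detail).
APPROVED_CHANGES = {("commercial_software", "removed", "Telnet")}


@dataclass(frozen=True)
class Deviation:
    item: str    # which baseline element changed (os, ports, patches, ...)
    kind: str    # "added", "removed" or "changed"
    detail: str  # what exactly differs


def compare_baseline(baseline: dict, current: dict) -> list:
    """Return every difference between a baseline and a current snapshot."""
    devs = []
    if baseline["os"] != current["os"]:
        devs.append(Deviation("os", "changed", f'{baseline["os"]} -> {current["os"]}'))
    # Software is a name -> version map: report adds, removals and version changes.
    for key in ("commercial_software", "custom_software"):
        b, c = baseline[key], current[key]
        for name in sorted(set(b) | set(c)):
            if name not in c:
                devs.append(Deviation(key, "removed", name))
            elif name not in b:
                devs.append(Deviation(key, "added", name))
            elif b[name] != c[name]:
                devs.append(Deviation(key, "changed", f"{name}: {b[name]} -> {c[name]}"))
    # Ports and patches are plain sets: anything new or missing is a deviation.
    for key in ("ports", "patches"):
        b, c = set(baseline[key]), set(current[key])
        for x in sorted(c - b):
            devs.append(Deviation(key, "added", str(x)))
        for x in sorted(b - c):
            devs.append(Deviation(key, "removed", str(x)))
    return devs


def unauthorized(devs: list, approved: set) -> list:
    """Drop deviations that match an approved change record; the rest need investigation."""
    return [d for d in devs if (d.item, d.kind, d.detail) not in approved]


def find_unauthorized_changes(baseline_json: str, current_json: str, approved: set) -> list:
    """Parse both documents and return the unauthorized deviations."""
    return unauthorized(compare_baseline(json.loads(baseline_json), json.loads(current_json)), approved)


if __name__ == "__main__":
    for d in find_unauthorized_changes(BASELINE_JSON, CURRENT_JSON, APPROVED_CHANGES):
        print(f"UNAUTHORIZED {d.item} {d.kind}: {d.detail}")
```

Run against the constructed snapshot, the script reports three unauthorized deviations (the OPC server version change, the new listening port 23, and the missing patch) and suppresses the Telnet removal because it matches the approved change record. In practice the snapshot would come from the asset itself or from a passive network monitor, and each unauthorized deviation would open a ticket so that the investigation and its outcome become the audit evidence.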