In 2007, the North American Electric Reliability Corporation (NERC) was named the electric reliability organization for North America. NERC develops and enforces reliability standards for the supply of power in both the United States and Canada, as well as northern Baja California, Mexico. NERC’s programs impact more than 1,900 bulk power system owners and operators, and focus on reliability, assurance, learning, and risk-based approaches to improve the reliability of the electricity grid across the continent.
NERC administers a Critical Infrastructure Protection (CIP) program, encompassed in CIP standards 001 to 014. These standards address the security of cyber assets that are critical to the operation of the North American electricity grid. CIP compliance is mandatory.
What’s Covered in the Standards?
The various CIP standards cover everything from identifying and categorizing assets, to reporting sabotage, to ensuring security plans that limit physical and electronic access are in place. CIP-008 covers reporting cyber security incidents, and CIP-009 focuses on recovery plans and techniques following breaches. CIP-010 and CIP-011, focusing on change and vulnerability management and information protection, are also enforceable.
In 2013, Version 5 of the CIP standards was approved, and implementation began in 2014. NERC assisted industries transitioning from the older Version 3 to the new Version 5. This implementation is ongoing, as many of the standards have been revised.
Compliance with the NERC CIP standards is mandatory. The Critical Infrastructure Protection Committee (CIPC) helps NERC work directly with industry partners to obtain feedback, revise the standards, and draft new standards. NERC and its regional partners work to monitor and ensure compliance with industry partners.
How Is NERC CIP Compliance Achieved?
To be NERC CIP compliant, bulk power supply owners and operators must ensure they’ve enacted the measures contained in all of the enforceable CIP standards. CIP-002 outlines the categorization system used to determine which assets are “critical.” Identifying which items are critical assets is the first step in becoming compliant.
CIP-003 outlines controls for managing security and CIP-004 provides standards for training personnel to be CIP compliant. CIP-005 and 006 focus on creating security perimeters, both electronically and physically, while CIP-007 provides information on managing system security. CIP-008 and 009 deal with what happens after an incident occurs: how to report it and implement recovery plans. CIP-010 addresses change management and vulnerabilities. CIP-011 lays out standards for protecting information and the new CIP-014 addresses the need for physical security.
NERC CIP compliance involves a number of steps and tools, such as creating and enacting response plans for incidents; managing personnel access to critical assets physically, electronically, and remotely; and employee education sessions. The standards, which are all available on NERC’s website, outline the minimum requirements for plans, procedures, and processes in detail. NERC enforces compliance through auditing, investigation, and spot-checking. Responsible entities will also need to self-report and self-certify that their current operations meet the minimum requirements.
Updates and Monitoring
Most of the CIP standards in Version 5 have an enforcement date of July 1, 2016. These new versions represent updates and improvements over older versions, so those involved in the electricity industry will need to ensure they’re making updates to their NERC CIP compliance. One of the easiest ways to keep up with changes to standards like those issued by NERC is to use compliance management software, which can automatically monitor for updates and review processes to ensure they meet the revised minimum requirements. With new standards on vulnerability management now included in the CIP standards as well, software to help you monitor and assess vulnerabilities can also help you ensure you achieve NERC CIP compliance.