What is NERC CIP

Energy and Utility companies play a critical role in the United States’ national security. That’s largely partly because these responsible entities are strictly maintained and regulated to secure and protect energy infrastructure nationally. Whenever these systems fail, the damage has the potential to be massively more impactful than your typical power outage on a rainy day. While these failure cases are few and far between, catastrophe is much closer to our grid than the everyday consumer can account for.

For example, What would happen if a town lost power? Traffic lights stop working, buildings lose power, and chaos ensues. Hospital life-saving machines power down, and medications are kept in electrically powered and regulated machines. In today’s day and age, we often underestimate how dependent we are on electricity to power our daily lives. As the grid becomes increasingly connected through the Internet of Things (IoT), we are increasingly open to cyber attacks caused by bad actors who don’t even need to leave their houses to wreak havoc on an entire region or nation. 

NERC CIP compliance is crucial for energy industry organizations. Our blog breaks down key elements of the NERC CIP standards and guides starting and managing compliance with this crucial framework.

NERC CIP Cybersecurity Standards

The North American Electric Reliability Corporation (NERC) has operated since the early 1960s. It maintains the operations and functions of our Bulk Power System, also known as the electric grid. Before the invention and adoption of the internet and cybersecurity regulations today, NERC served entirely as a voluntary industry organization. For over 40 years, NERC has suggested NERC CIP environment standards to assist energy companies and government agencies in maintaining their infrastructure along the electric grid. Jump to 2005, the Energy Policy Act 2005 required the Federal Energy Regulatory Commission to choose an Electric Reliability Organization. NERC was seen as the most qualified organization to take charge, as they had been working towards establishing industry reliability standards for a very long time. This new designation gave NERC more authority, allowed it to decide mandatory regulations, and continued to improve and modify its current compliance standards.

In 2008, the Critical Infrastructure Protection Standards (CIP) compliance framework was developed to mitigate cybersecurity attacks on the Bulk Electric System. While initially not required, these standards were used to mitigate risk and later became an industry norm. NERC Critical Infrastructure Protection (NERC CIP) is a set of requirements designed to secure the assets required for operating North America's bulk electric system.

Explore more about the NER CIP Cybersecurity Requirements here. 

NERC CIP Requirements

At the time of writing, these frameworks comprise 11 control families, with another 5 subjects to be enforced in the future. These are mandated for energy and utility companies operating within the Bulk Electric System to protect critical cyber assets and minimize risk and manipulation by bad actors seeking to cause damage. 

1. Scope: Applicable to entities operating the BES, including utilities, grid operators, and energy generators.

2. Standards and Requirements: A series of standards (CIP-002 to CIP-014) address areas like:

   Asset Identification (CIP-002): Identifying and categorizing critical BES Cyber Systems.
   • Security Management Controls (CIP-003): Establishing security policies and procedures.
   • Personnel and Training (CIP-004): Managing personnel access and training.
   • Electronic Security Perimeters (CIP-005): Protecting electronic access to BES Cyber Systems.
   • Physical Security (CIP-006): Protecting physical access to BES Cyber Systems.
   • Systems Security Management (CIP-007): Managing system security through patch management, malware prevention, etc.
   • Incident Reporting and Response Planning (CIP-008): Reporting and responding to security incidents.
   • Recovery Plans (CIP-009): Creating and maintaining recovery plans.
   • Configuration Change Management and Vulnerability Assessments (CIP-010): Monitoring changes and assessing vulnerabilities.
   • Information Protection (CIP-011): Protecting BES Cyber System information.
   • Supply Chain Risk Management (CIP-013): Managing risks from third-party vendors.
   • Physical Security (CIP-014): Identifying and mitigating physical security threats.
   •  

3. Compliance and Audits: NERC regularly audits entities to ensure compliance, and violations can result in significant fines.

4. Objective: To ensure the reliability and resilience of the electric grid by securing critical infrastructure from cyber threats.

What is Critical Infrastructure Protection (CIP)?

Critical Infrastructure Protection (CIP) in cybersecurity refers to the measures and practices aimed at protecting the essential systems and assets that are vital for the functioning of a society and economy.   
Critical infrastructure is increasingly reliant on interconnected digital systems.

This interconnectedness makes these systems vulnerable to cyberattacks, which can have devastating consequences, including physical damage, economic loss, social disruption, and national security threats. 

Key components of CIP include risk assessment and management, network security, endpoint security, incident response planning, employee training, and Government and Industry Collaboration. Organizations, agencies, and governments can significantly reduce the risk of cyberattacks and protect critical infrastructure by prioritizing CIP.

NERC CIP Compliance 

As the information security landscape continues to evolve, we can expect the instances of bad actors attacking our electrical grid, both national and regional entities, to increase. By staying NERC CIP compliant and adjusting your business policies to NERC regulations as they are announced, your organization will succeed in protecting its customers, critical cyber assets, the natural resources it relies on, and the Bulk Electric System.

Learn more about cybersecurity frameworks and standards here. 

NERC CIP Compliance Software

The greatest critical infrastructure protection burden for many security leaders lies in the scope and awareness of what assets must be secure. In that capacity, a cyber risk management platform is critical to success and ongoing CIP compliance. Static spreadsheets and assessments are outdated the moment they are completed - a continuous, risk-based approach to NERC CIP standards compliance enables security leaders to gather assessment data into a single source of truth and report to technical and business-side stakeholders much more effectively and efficiently. 

CyberStrong is an industry-leading platform helping cybersecurity teams at some of the largest financial institutions and energy and utility organizations streamline their cyber risk assessments and security posture management. Learn how CyberStrong can help your organization streamline NERC CIP compliance and cyber risk management.