North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) is the presiding set of standards that governs our Bulk Electric System (BES) in the United States and protects those who depend on it from cyber threats. This gold-standard framework takes much of its influence from the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), applying its cyber risk management approach and cybersecurity best practices to keep BES operations reliable.
The Federal Energy Regulatory Commission (FERC) has certified NERC as the United States Electric Reliability Organization. Enforced by FERC, these CIP standards are a mandatory compliance framework. All corporations and responsible entities that work with bulk power systems need to meet the various regulations set by North American Electric Reliability Corporation (NERC) cybersecurity to stay in reliable operation.
The NERC CIP requirements at the time of writing consist of 17 controls and 91 sub-requirements. Of these controls, only 11 are actively enforced, 5 are subject to future enforcement, and one is being transitioned to an inactive state. Here we’ll dive into currently enforced NERC security controls and provide transparency on ensuring you satisfy their regulatory standards.
With the rampant rise of cyber security incidents affecting critical infrastructure, these cyber security standards serve to mitigate the security risks and compromises that could disrupt BES operations, protecting consumers and responsible entities alike from the consequences of misuse or misoperation of the BES. Here we’ll be diving into the critical elements of the NERC CIP cyber security requirements and how to know whether you’re meeting NERC compliance.
NERC CIP Compliance
NERC CIP-002-5.1a: Cyber Security — BES Cyber System Categorization
Identify and categorize all your critical BES cyber systems and critical assets. This helps illustrate risks associated with the misuse of systems, how to manage systems within your cyber network, and what could be affected by the operation of the BES.
CIP-003-7: Cyber Security — Security Management Control
In this standard, your organization must itemize and specify who has access to security management controls and their role. By doing so, all parties involved with operating the BES in your organization can be held accountable for their responsibilities in the event of misoperation.
CIP-004-6: Cyber Security - Personnel & Training
This standard uses a risk-based approach to evaluate the training of your organization’s employees. Anybody with authorized access to critical cybersecurity assets has to be screened. Personnel risk assessment, training, and security awareness are evaluated in support of protecting the BES from instability caused by misuse or misoperation.
CIP-005-5: Cyber Security - Electronic Security Perimeter(s)
This standard assesses the scope of, and the effort put into, protecting against the risks introduced by remote access. Wherever your organization's data is stored, it must be properly protected behind secured access points. This standard's key components are anti-malware updates, multi-factor authentication, and encryption of remote access sessions.
CIP-006-6: Cyber Security - Physical Security of BES Cyber Systems
The focus of this standard is physical security within your operation. To meet its requirements, your entity will have to prove it has a physical security plan, protection of physical access controls, physical access logging, physical access control systems, a protection plan for electronic control systems, physical access monitoring, and retention of physical access logs.
CIP-007-6: Cyber Security - System Security Management
To meet this requirement, your organization will need documentation for security measures. More specifically, your organization must create, implement, and explain its security procedures. This includes both critical and non-critical cybersecurity assets.
CIP-008-5: Cyber Security - Incident Reporting and Response Planning
Your company needs an incident response plan to meet this requirement. Your incident reporting and response plan should include the roles of those involved, the actions of those involved, and details of how incidents are handled and reported to governing bodies.
CIP-009-6: Recovery Plans for BES Cyber-Systems
To meet this requirement, your organization will need a recovery plan, change control, a backup and restoration process, and tested backup media. You must also prove that recovery procedures complying with disaster recovery best practices have been implemented for your critical cyber assets.
CIP-010-2: Cyber Security - Configuration Change Management and Vulnerability Assessments
In this standard, your entity must show it has a system to identify unauthorized changes within the BES. You will need to specify configuration change management and meet vulnerability assessment requirements.
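One way to build the "system to identify unauthorized changes" that CIP-010 calls for is to keep an approved baseline configuration per asset and compare each new snapshot against it, treating any difference not covered by an approved change ticket as unauthorized. The script below is an added example written for this article, not code from NERC or from CyberStrong. It assumes (as an illustration, not a reading of the standard) that a baseline consists of the OS version, installed software, listening ports and applied patches, and that authorized changes are recorded as tickets; the asset name `RTU-07`, the package versions, patch identifiers and ticket numbers are all constructed sample data.

```python
"""Baseline-deviation detector in the style of CIP-010 change management.

Added example, not part of the original article. A baseline is assumed to be
a snapshot of OS version, installed software, listening ports and applied
patches; authorized changes are assumed to be recorded as change tickets.
All asset names, versions, patches and ticket numbers below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Baseline:
    asset_id: str
    os_version: str
    software: FrozenSet[Tuple[str, str]]  # (package, version)
    ports: FrozenSet[Tuple[str, int]]     # (protocol, port)
    patches: FrozenSet[str]               # patch identifiers


@dataclass(frozen=True)
class Change:
    kind: str    # "os", "software", "port" or "patch"
    action: str  # "added" or "removed"
    item: str    # human-readable description of the element that changed


def _items(b: Baseline) -> Dict[str, set]:
    """Flatten a baseline into comparable string items, grouped by kind."""
    return {
        "os": {b.os_version},
        "software": {f"{name}={ver}" for name, ver in b.software},
        "port": {f"{proto}/{port}" for proto, port in b.ports},
        "patch": set(b.patches),
    }


def diff_baselines(approved: Baseline, observed: Baseline) -> List[Change]:
    """Return every addition and removal between the approved baseline and
    the observed snapshot. A version upgrade shows up as one removal plus
    one addition, so a ticket has to cover both halves."""
    if approved.asset_id != observed.asset_id:
        raise ValueError("baseline and snapshot refer to different assets")
    changes: List[Change] = []
    a, o = _items(approved), _items(observed)
    for kind in a:
        for item in sorted(a[kind] - o[kind]):
            changes.append(Change(kind, "removed", item))
        for item in sorted(o[kind] - a[kind]):
            changes.append(Change(kind, "added", item))
    return changes


def classify_changes(changes: List[Change],
                     tickets: List[Dict[str, str]]) -> Dict[str, List[Change]]:
    """Split changes into those covered by an approved ticket and those that
    are not; the latter are the findings an auditor or SOC would act on."""
    covered = {(t["kind"], t["action"], t["item"]) for t in tickets}
    result: Dict[str, List[Change]] = {"authorized": [], "unauthorized": []}
    for c in changes:
        bucket = "authorized" if (c.kind, c.action, c.item) in covered else "unauthorized"
        result[bucket].append(c)
    return result


def run_example() -> Dict[str, List[Change]]:
    """Constructed scenario: an approved SSH upgrade and patch, plus an
    unapproved telnet daemon that also opened a new listening port."""
    approved = Baseline(
        asset_id="RTU-07", os_version="Linux 5.10",
        software=frozenset({("openssh", "8.9"), ("ntp", "4.2")}),
        ports=frozenset({("tcp", 22), ("udp", 123)}),
        patches=frozenset({"PATCH-2024-001"}),
    )
    observed = Baseline(
        asset_id="RTU-07", os_version="Linux 5.10",
        software=frozenset({("openssh", "9.3"), ("ntp", "4.2"), ("telnetd", "0.17")}),
        ports=frozenset({("tcp", 22), ("udp", 123), ("tcp", 23)}),
        patches=frozenset({"PATCH-2024-001", "PATCH-2024-002"}),
    )
    tickets = [  # constructed approved change records
        {"ticket": "CHG-1041", "kind": "software", "action": "removed", "item": "openssh=8.9"},
        {"ticket": "CHG-1041", "kind": "software", "action": "added", "item": "openssh=9.3"},
        {"ticket": "CHG-1042", "kind": "patch", "action": "added", "item": "PATCH-2024-002"},
    ]
    return classify_changes(diff_baselines(approved, observed), tickets)


if __name__ == "__main__":
    for bucket, found in run_example().items():
        for c in found:
            print(f"{bucket:12} {c.kind:8} {c.action:7} {c.item}")
```

Running the script lists the SSH upgrade and the new patch as authorized and flags the added `telnetd` package and the new `tcp/23` listener as unauthorized, which is exactly the kind of deviation a reviewer would want surfaced before the next scheduled baseline review.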
CIP-011-2: Cyber Security - Information Protection
For this, you must show that your organization’s confidential cyber information relating to the BES is protected from unauthorized access that could lead to exploitation or instability.
CIP-014-2: Physical Security
This standard requires you to identify and protect transmission stations, substations, and their primary control centers. If these are compromised, the result can be instability, uncontrolled separation, or cascading failures within an interconnection of the BES.
With the increase in attacks and breaches against cyber infrastructure, public perception of cybersecurity has shifted drastically in the past 10 years, and we can only predict these incursions will increase as digital systems continue to intertwine with our lives. As bad actors and cyber threats evolve, NERC standards not only minimize the risks to BES reliability arising from misuse or misoperation but also stand at the forefront of protecting our Bulk Electric System from cybersecurity incidents.
CyberStrong offers AI-backed automation for real-time assessment workflows to track and monitor control changes. Security professionals can leverage real-time insights to accurately manage security posture and map compliance between gold-standard frameworks like ISO 27001, CMMC, CIS Top 18, and NIST 800-53. Schedule a demo with the team to discover more about CyberStrong's unique cyber risk assessment and continuous compliance.