How to Know You Meet NERC CIP Cybersecurity Requirements


North American Electric Reliability Corporation - Critical Infrastructure Protection (NERC CIP) is the governing set of standards for our Bulk Electric System (BES), intended to protect everyone who depends on it from cyber threats. Because it is a mandatory compliance framework, every corporation and responsible entity that works with bulk power systems must meet the regulations set by NERC in order to stay in operation. These regulations are mandated and enforced by the Federal Energy Regulatory Commission (FERC).

At the time of writing, the NERC CIP standards consist of 17 controls and 91 sub-requirements. Of these controls, only 11 are actively being enforced, 5 are subject to future enforcement, and one is being transitioned to an inactive state. Here we’ll dive into the currently enforced controls and provide transparency on how to make sure you satisfy their regulatory standards.

With the rampant rise of critical infrastructure cyber attacks, these compliance standards serve to mitigate the risks of operating in the BES and protect consumers and entities alike from the consequences of misuse and inoperation within the BES. Here we’ll be diving into the critical elements of the NERC CIP cybersecurity requirements and how to know if you’re compliant.

CIP-002-5.1a: Cyber Security — BES Cyber System Categorization

Identify and categorize all your critical BES cyber systems and critical assets. This helps illustrate risks associated with the misuse of systems within your cyber network as well as what could be affected within the operation of the BES.

CIP-003-7: Cyber Security — Security Management Control

In this standard, your organization will need to itemize and specify who has access to security management controls and what their role is. By doing so, all parties involved with operating the BES in your organization can be held accountable for their responsibilities in the event of misoperation.

CIP-004-6: Cyber Security - Personnel & Training

This standard uses a risk-based approach to evaluate the training of your organization’s employees. Anybody with authorized access to critical cybersecurity assets has to be screened. Personnel risk assessment, training, and security awareness are evaluated in support of protecting the BES from instability caused by misuse and inoperation.

CIP-005-5: Cyber Security - Electronic Security Perimeter(s)

This standard assesses the scope of, and the effort put into, protecting against vulnerabilities introduced through remote access. Wherever your organization's data is stored, it needs to be properly protected with secured access points. A few key components accounted for in this standard are anti-malware updates, multi-factor authentication, and remote access encryption.

CIP-006-6: Cyber Security - Physical Security of BES Cyber Systems

The focus of this standard is the physical security within your operation. To meet its requirements, your entity will have to prove it has a physical security plan, protection of physical access controls, physical access logging, physical access control systems, a protection plan for electronic control systems, physical access monitoring, and retention of access logs.

CIP-007-6: Cyber Security - System Security Management

To meet this requirement, your organization will need documentation for security measures. To be more specific, your organization will need to create, implement, and explain its security procedures. This includes both critical and non-critical cybersecurity assets.

CIP-008-5: Cyber Security - Incident Reporting and Response Planning

Your company needs an incident response plan to meet this requirement. Your incident reporting and response plan should include the roles of those involved, the actions of those involved and details of how incidents are handled and reported to governing bodies.

CIP-009-6: Recovery Plans for BES Cyber-Systems

To meet this requirement, your organization will need a recovery plan, change control, a backup and restoration process, and tested backup media. You must also prove your critical cyber assets have implemented recovery procedures that comply with disaster recovery best practices.

CIP-010-2: Cyber Security - Configuration Change Management and Vulnerability Assessments

In this standard, your entity will have to show it has a system to identify unauthorized changes within the BES. You will need to specify configuration change management and meet vulnerability assessment requirements.
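The "identify unauthorized changes" part of CIP-010 is usually met with a configuration baseline: an approved snapshot of each asset's configuration files that the live system is periodically compared against, with every addition, removal or modification raised for review against the change-management record. The script below is an added example, not code from the original post or from CyberSaint; the directory layout, file names and file contents it builds are constructed for the demo, and the approved baseline is stored as JSON only for illustration (in practice it would live outside the monitored host).

```python
"""Configuration baseline drift check (added example, not CyberSaint's code).

Computes SHA-256 digests of configuration files under a root directory,
stores them as an approved baseline, and later reports which files were
added, removed or modified relative to that baseline. Everything below the
helpers (paths, file contents, the simulated drift) is constructed sample data.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File globs treated as "configuration" for this demo; an assumption.
CONFIG_PATTERNS = ("*.conf", "*.cfg")


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, patterns=CONFIG_PATTERNS) -> dict:
    """Map each configuration file (path relative to root) to its digest.
    Relative keys keep the baseline portable between hosts with the same layout."""
    baseline = {}
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def compare_to_baseline(root: Path, baseline: dict, patterns=CONFIG_PATTERNS) -> dict:
    """Classify every deviation of the live tree from the approved baseline."""
    current = build_baseline(root, patterns)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the approved baseline as sorted JSON so diffs of it are stable."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Build a constructed config tree, approve a baseline, then simulate
    an unapproved edit, a new file and a deleted file, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "relay").mkdir()
        (root / "relay" / "protection.cfg").write_text("trip_threshold=1.2\n")
        (root / "firewall.conf").write_text("deny all\npermit 10.1.0.0/16 tcp 502\n")
        (root / "ntp.conf").write_text("server 10.1.0.5 iburst\n")

        # The .json baseline is not matched by CONFIG_PATTERNS, so it does not
        # show up in its own comparison.
        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated drift (constructed): one edit, one deletion, one new file.
        (root / "firewall.conf").write_text("permit any any\n")   # modified
        (root / "ntp.conf").unlink()                              # removed
        (root / "relay" / "debug.cfg").write_text("debug=1\n")    # added

        return compare_to_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each entry in the report is a candidate unauthorized change: anything without a matching approved change record is what CIP-010 expects you to investigate and document. The same digest comparison, run against a freshly restored backup, is also a simple way to evidence the "tested backup media" expectation of CIP-009.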

CIP-011-2: Cyber Security - Information Protection

For this standard, you will need to show that your organization’s confidential cyber information relating to the BES is protected from unauthorized access that could lead to misoperation or instability.

CIP-014-2: Physical Security

This requirement is designed to identify and protect transmission stations, substations and their primary control centers. If these are compromised, it can result in instability, uncontrolled separation and cascading within an interconnection in the BES.

With the increase in cyberinfrastructure attacks and breaches, public perception of cybersecurity has shifted drastically in the past 10 years, and we can only predict that these incursions will increase as digital influences continue to intertwine with our lives. As bad actors and cyber threats evolve, the NERC CIP reliability standards not only minimize the risks to the reliability of the BES in the event of misuse and inoperation but stand at the forefront of protection for our Bulk Electric System.

If you still have questions about the NERC CIP standards, or you’re curious how your organization ranks in this framework and multiple others, give us a call at CyberSaint at 1-800-NIST CSF or visit our website and request a free demo.
