Knowing how to scope your organization for NERC CIP security assessments can be a daunting ordeal. For many information security leaders at power and utility organizations, knowing which IT and OT assets fall within the purview of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance requirements is oftentimes the greatest challenge to knowing if they are compliant or not. As the oldest regulatory standard for operating, securing and protecting our Bulk Electric System, the consequences of misuse are catastrophic and have far reaching impacts on the electric grid as a whole, the organizations operating with the BES and the consumers who rely on it for everyday use. As of now, there are only 11 controls being actively enforced, five are subject to future enforcement and one is being transitioned to an inactive state.
With the rampant rise of cyber infrastructure attacks, these compliance standards serve to mitigate the risks associated with operating in the BES and protect consumers and entities alike from the consequences of misuse and inoperation within bulk power systems.
CIP-002-5.1a: Cyber Security — BES Cyber System Categorization
Identify and categorize all your critical BES cyber systems and critical assets. This helps illustrate risk associated with the misuse of systems within your cyber network as well as what could be affected within the operation of the BES.
According to NERC, this guideline serves to: provide “bright-line” criteria for applicable Responsible Entities to categorize their BES Cyber Systems based on the impact of their associated Facilities, systems, and equipment, which, if destroyed, degraded, misused, or otherwise rendered unavailable, would affect the reliable operation of the Bulk Electric System.
In this standard, the initial scope should be relevant only to systems that have direct influence on the BES if compromised. As such, each system should be categorized into impact categories and your organization’s critical and non-critical cyber assets must be identified. Systems in this guideline need to stay consistent with risk management approaches for the purpose of application for cyber security requirements. Additionally, each system has associated cyber assets that must be accounted for. These include Access Control and Monitoring Systems, and Protected Cyber Assets. Responsible entities will need to supply information on control centers and backup control centers, transmission stations and substations, generation resources, systems and facilities critical to system restorations, special protection systems and categorize the risk of each based on reliability.
CIP-003-7: Cyber Security — Security Management Control
In this standard, your organization will need to itemize and specify who has access to security management controls and what their role is. By doing so, all parties involved with operating the BES in your organization can be held accountable for their responsibilities in the event of misoperation.
CIP-003-7 acts as an extension of CIP-002-5.1a and operates in tandem with the rest of the controls in NERC CIP. In this regulation, your entity will need to provide policy documents from a document management system that indicates review of each cyber security policy at least once every 15 months by their respective functional entities.
CIP-004-6: Cyber Security - Personnel & Training
For this requirement, functional entities will need to provide evidence of background checks for their employees, and logs proving review of cybersecurity policies, incident response plans, physical and electronic access controls and the handling of cyber system information. This mandate uses a risk-based approach to evaluate the training of your organization’s employees and who has authorized access to critical cybersecurity assets.
CIP-005-5: Cyber Security - Electronic Security Perimeter(s)
CIP-005-5 focuses on the scope and efforts of your electronic security perimeter. Your electronic security perimeter should be secure from cyber threats and external transmissions and should serve to store your organizations private data. All external communications and dial-up connections must additionally be filtered through a single protected access point. Remote access encryption, multi-factor authentication and anti-malware updates must be in place in order to satisfy this guideline.
CIP-006-6: Cyber Security - Physical Security of BES Cyber Systems
This regulation outlines the physical security perimeter of your cyber assets. To prove compliance in this guideline, you will need to show evidence of policies that restrict access to physical assets, monitor unauthorized access, implement physical access controls, keep logs of physical access, monitor physical access controls, retention logs, implement an alert system, and sustain physical access control systems over time.
CIP-007-6: Cyber Security - System Security Management
This guideline focuses on best practices for managing your security system. To satisfy CIP-007-6, technical operations and procedural requirements are needed for all entities operating under NERC. You will need to provide evidence of a software patch system to keep your system up to date, malware protection software, and multiple password requirements covering both critical and non-critical cyber assets..
CIP-008-5: Cyber Security - Incident Reporting and Response Planning
For this regulation, your company needs to have policies and procedures in place to log and report incidents within your company or the BES. This entails a system response plan and logging the roles and responsibilities of those involved. This mandate requires response tests be administered every 15 months and to report all cybersecurity incident events to the Electricity Sector Information Sharing and Analysis Center.
CIP-009-6: Recovery Plans for BES Cyber Systems
CIP-009-6 also focuses on industry best practices for recovering cyber assets and operation of backup media in the event of an incident that causes data loss or corruption within BES systems. These safeguards must be put in place before an incident in an effort to preserve and restore data quickly. Your data recovery plans should include a recovery plan, change control, backup and restoration process, and tested backup media that comply with disaster recovery best practices and encompass all your critical cyber assets.
CIP-010-2: Cyber Security - Configuration Change Management and Vulnerability Assessments
CIP-010-2 focuses on monitoring procedures for cyber assets. For this, your organization will need to supply a default configuration for all BES systems in operation. From there, you will need to run vulnerability assessments to monitor if there is any deviation from your default configuration. Over time, changes to the baseline configuration must be documented and approved, with security audits done in intervals to monitor your baseline configuration.
CIP-011-2: Cyber Security - Information Protection
CIP-011-2 focuses on protecting and securing BES cyber assets. In this regulation, you will need to prove your organization can identify sensitive BES System Information and protect it. This information must be protected, stored, transmitted and disposed of according to NERC requirements.
CIP-014-2: Physical Security
This requirement is designed to identify and protect transmission stations, substations and their primary control centers. If these are compromised, it can result in instability, uncontrolled separation and cascading within an interconnection in the BES.
NERC CIP-014 focuses on the physical security plan for your organization and its connection within the BES. For this, your organization will need to meet risk requirements from an external organization, an incident response plan and proper training. Some of the assets focused on in this control are transmission stations, substations and their primary control centers.
Knowing Your Assets and Assessing for NERC CIP
As cybersecurity practices change we can expect the scope of these mandates to continuously expand to meet the needs of organizations and consumers alike. These standards are a necessary safeguard to protect our national electrical grid from bad actors and internal misuse alike. By utilizing a risk based approach when working to satisfy NERC CIP, keeping accurate logs of your BES systems and paying attention to new NERC CIP version releases, your organization can adjust to new regulations in an efficient and impactful way.
If you still have questions about NERC CIP standards, or you’re curious how your organization ranks in this framework and multiple others, give us a call at CyberSaint at 1-800-NIST CSF or request a demo.