How to Scope Your Organization for NERC CIP

down-arrow

Knowing how to scope your organization for NERC CIP security assessments can be daunting. For many information security leaders at power and utility organizations, knowing which IT and OT assets fall within the purview of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance requirements is often the greatest challenge to knowing whether they are compliant. NERC CIP is the oldest regulatory standard for operating, securing, and protecting our Bulk Electric System (BES); the consequences of misuse are catastrophic and have far-reaching impacts on the electric grid as a whole, the organizations operating within the BES, and the consumers who rely on it every day. As of now, there are only 11 controls being actively enforced; five are subject to future enforcement, and one is being transitioned to an inactive state.

With the rampant rise of attacks on cyber infrastructure, these compliance standards serve to mitigate the risks associated with operating in the BES and protect consumers and entities alike from the consequences of misuse and inoperation within bulk power systems. Read our blog to learn more about the NERC CIP standards.

CIP-002-5.1a: Cyber Security - BES Cyber System Categorization

Identify and categorize all your critical BES cyber systems and critical assets. This helps illustrate the risk associated with the misuse of systems within your cyber network and what effect that misuse could have on the operation of the BES.

According to NERC, this guideline serves to provide “bright-line” criteria for applicable Responsible Entities to categorize their BES Cyber Systems based on the impact of their associated Facilities, systems, and equipment, which, if destroyed, degraded, misused, or otherwise rendered unavailable, would affect the reliable operation of the Bulk Electric System.

In this standard, the initial scope should be relevant only to systems that directly influence the BES if compromised. As such, each system should be categorized into impact categories, and your organization’s critical and non-critical cyber assets must be identified. The categorization of systems under this guideline needs to stay consistent with your risk management approach, because it determines which cyber security requirements apply to each system. Additionally, each system has associated cyber assets that must be accounted for, including Electronic Access Control or Monitoring Systems, Physical Access Control Systems, and Protected Cyber Assets. Responsible Entities will need to supply information on control centers and backup control centers, transmission stations and substations, generation resources, systems and facilities critical to system restoration, and special protection systems, and categorize the risk of each based on its impact on reliability.

CIP-003-7: Cyber Security - Security Management Controls

In this standard, your organization must itemize and specify who has access to security management controls and what their role is. By doing so, all parties involved with operating the BES in your organization can be held accountable for their responsibilities in the event of misoperation.

CIP-003-7 is an extension of CIP-002-5.1a and operates in tandem with the rest of the controls in NERC CIP. In this regulation, your entity must provide policy documents from a document management system that indicate a review of each cyber security policy at least once every 15 months by the respective functional entities.

CIP-004-6: Cyber Security - Personnel & Training

For this requirement, functional entities must provide evidence of background checks for their employees and logs proving review of cybersecurity policies, incident response plans, physical and electronic access controls, and the handling of cyber system information. This mandate uses a risk-based approach to evaluate the training of your organization’s employees and who has authorized access to critical cybersecurity assets.

CIP-005-5: Cyber Security - Electronic Security Perimeter(s)

CIP-005-5 focuses on the scope and effectiveness of your Electronic Security Perimeter (ESP). Your ESP should protect the systems inside it, and your organization's private data, from cyber threats and untrusted external transmissions. All external communications and dial-up connections must additionally be filtered through a single protected access point. Remote access encryption, multi-factor authentication, and anti-malware updates must be in place to satisfy this guideline.

CIP-006-6: Cyber Security - Physical Security of BES Cyber Systems

This regulation outlines the physical security perimeter of your cyber assets. To prove compliance with this guideline, you will need to show evidence of policies that restrict access to physical assets, monitor for unauthorized access, implement physical access controls, keep logs of physical access and retain them, monitor the physical access controls themselves, implement an alert system, and sustain physical access control systems over time.

CIP-007-6: Cyber Security - System Security Management

This guideline focuses on best practices for managing your security system. To satisfy CIP-007-6, technical, operational, and procedural requirements are needed for all entities operating under NERC. You will need to provide evidence of a software patch management process that keeps your systems up to date, malware protection software, and password requirements covering both critical and non-critical cyber assets.

CIP-008-5: Cyber Security - Incident Reporting and Response Planning

For this regulation, your company needs to have policies and procedures in place to log and report incidents within your company or the BES. This entails an incident response plan that records the roles and responsibilities of those involved. This mandate requires the response plan to be tested at least every 15 months and all cybersecurity incident events to be reported to the Electricity Information Sharing and Analysis Center (E-ISAC).

CIP-009-6: Recovery Plans for BES Cyber Systems

CIP-009-6 focuses on industry best practices for recovering cyber assets and operating backup media in the event of an incident that causes data loss or corruption within BES systems. These safeguards must be put in place before an incident so that data can be preserved and restored quickly. Your recovery program should include a documented recovery plan, change control, a backup and restoration process, and tested backup media that comply with disaster recovery best practices and encompass all your critical cyber assets.

CIP-010-2: Cyber Security - Configuration Change Management and Vulnerability Assessments

CIP-010-2 focuses on monitoring procedures for cyber assets. For this, your organization must establish a baseline configuration for every BES Cyber System in operation. From there, you will need to run vulnerability assessments and monitor for any deviation from that baseline. Over time, changes to the baseline configuration must be documented and approved, with security audits performed at regular intervals to verify the baseline configuration.
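As an added example (not code from the original post or any vendor tool), the check below compares a captured host snapshot against its approved baseline and flags only deviations that lack an approved change record. The five baseline element kinds follow the common CIP-010 baseline elements; the host, item names, and change-ticket format are constructed.

```python
"""Baseline-deviation check for one BES Cyber System host (added example).

Assumes a baseline is a dict of sets keyed by element kind. All values
below are constructed sample data, not taken from any real system.
"""

# Constructed approved baseline for a hypothetical substation HMI host.
BASELINE = {
    "os_firmware": {"vendor-os 4.2.1"},
    "commercial_software": {"historian-client 3.1", "ssh-server 8.9"},
    "custom_software": {"alarm-forwarder 1.0"},
    "ports": {"22/tcp", "502/tcp"},
    "patches": {"KB-2024-01"},
}

# Constructed snapshot captured later from the same host.
SNAPSHOT = {
    "os_firmware": {"vendor-os 4.2.1"},
    "commercial_software": {"historian-client 3.2", "ssh-server 8.9"},
    "custom_software": {"alarm-forwarder 1.0"},
    "ports": {"22/tcp", "502/tcp", "23/tcp"},
    "patches": {"KB-2024-01", "KB-2024-02"},
}

# Constructed change records: documented and approved changes only.
APPROVED_CHANGES = [
    {"kind": "patches", "added": "KB-2024-02", "ticket": "CHG-17"},
    {"kind": "commercial_software", "removed": "historian-client 3.1",
     "added": "historian-client 3.2", "ticket": "CHG-18"},
]


def diff_baseline(baseline, snapshot):
    """Return {kind: (added, removed)} sets between baseline and snapshot."""
    return {kind: (snapshot.get(kind, set()) - items,
                   items - snapshot.get(kind, set()))
            for kind, items in baseline.items()}


def unauthorized_deviations(baseline, snapshot, approved):
    """List deviations that no approved change record accounts for."""
    ok_added = {(c["kind"], c["added"]) for c in approved if "added" in c}
    ok_removed = {(c["kind"], c["removed"]) for c in approved if "removed" in c}
    findings = []
    for kind, (added, removed) in diff_baseline(baseline, snapshot).items():
        findings += [f"{kind}: unapproved addition {i}"
                     for i in sorted(added) if (kind, i) not in ok_added]
        findings += [f"{kind}: unapproved removal {i}"
                     for i in sorted(removed) if (kind, i) not in ok_removed]
    return findings
```

Run against the constructed data, the approved patch and historian upgrade are silent and only the new listening port 23/tcp is reported, which is the kind of finding CIP-010 expects to be investigated and either approved or remediated.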

CIP-011-2: Cyber Security - Information Protection

CIP-011-2 focuses on protecting and securing BES cyber assets. In this regulation, you must prove that your organization can identify and protect sensitive BES System Information. This information must be protected, stored, transmitted, and disposed of according to NERC requirements.

CIP-014-2: Physical Security

This standard requires the identification and protection of transmission stations, substations, and their primary control centers. If these are compromised, the result can be instability, uncontrolled separation, or cascading failures within an interconnection in the BES.

NERC CIP-014 focuses on the physical security plan for your organization and its connection within the BES. For this, your organization must have its risk assessment reviewed by an external organization, maintain an incident response plan, and provide proper training for the assets named above.

Knowing Your Assets and Assessing for NERC CIP

As cybersecurity practices change, we can expect the scope of these mandates to continue expanding to meet the needs of organizations and consumers alike. These standards are necessary to protect our national electrical grid from bad actors and internal misuse. By using a risk-based approach to satisfy NERC CIP compliance, keeping accurate inventories and logs of your BES systems, and paying attention to new NERC CIP version releases, your organization can adjust to new regulations efficiently and effectively.

CyberStrong takes a unique approach to compliance management with continuous control monitoring to deliver real-time updates on control changes and why they occurred. Map controls between industry frameworks using synced automated crosswalking in seconds. Learn more about this cyber risk management software in a demo.
