Energy and Utility companies play a critical role in the United States’ national security. That’s largely partly because these responsible entities are strictly maintained and regulated to secure and protect energy infrastructure nationally. Whenever these systems fail, the damage has the potential to be massively more impactful than your typical power outage on a rainy day. While these failure cases are few and far between, catastrophe is much closer to our grid than the everyday consumer can account for. For example:
What would happen if a town lost power? Traffic lights stop working, buildings lose power, and chaos ensues. Hospital life-saving machines power down, and medications are kept in trapped electrically powered and regulated machines. In today’s day and age, we often underestimate how dependent we are on electricity to power our daily lives. As the grid becomes increasingly connected through the Internet of Things (IoT), we are increasingly open to cyber attacks caused by bad actors who don’t even need to leave their houses to wreak havoc on an entire region or nation.
NERC CIP compliance is crucial for organizations in the energy industry. Our blog breaks down key elements of the NERC CIP standards and provides guidance on starting and managing compliance with this crucial framework.
NERC CIP Standards
The North American Electric Reliability Corporation (NERC) has operated since the early 1960s. It maintains the operations and functions of our Bulk Power System, also known as the electric grid. Before the invention and adoption of the internet and cybersecurity regulations today, NERC served entirely as a voluntary industry organization. For over 40 years, NERC suggested NERC CIP environment standards to assist energy companies and government agencies in maintaining their infrastructure along the electric grid. Jump to 2005, the Energy Policy Act 2005 required the Federal Energy Regulatory Commission to choose an Electric Reliability Organization. NERC was seen as the most qualified organization to take charge as they had been working towards establishing industry reliability standards for a very long time. This new designation gave NERC more authority, allowed them to decide mandatory regulations, and continued to improve and modify their current compliance standards.
In 2008, (CIP) Critical Infrastructure Protection Standards compliance framework was developed to mitigate cybersecurity attacks on the Bulk Electric System. While initially, these standards were not required, they were used to mitigate risk, later becoming an industry norm. NERC Critical Infrastructure Protection (NERC CIP) is a set of requirements designed to secure the assets required for operating North America's bulk electric system.
NERC CIP Cyber Security Requirements
At the time of writing, these frameworks comprise 11 control families, with another 5 subjects to enforcement in the future. These are mandated for energy and utility companies operating within the Bulk Electric System to protect critical cyber assets and minimize risk and manipulation by bad actors seeking to cause damage.
-
Scope: Applicable to entities operating the BES, including utilities, grid operators, and energy generators.
-
Standards and Requirements: A series of standards (CIP-002 to CIP-014) address areas like:
Asset Identification (CIP-002): Identifying and categorizing critical BES Cyber Systems.- Security Management Controls (CIP-003): Establishing security policies and procedures.
- Personnel and Training (CIP-004): Managing personnel access and training.
- Electronic Security Perimeters (CIP-005): Protecting electronic access to BES Cyber Systems.
- Physical Security (CIP-006): Protecting physical access to BES Cyber Systems.
- Systems Security Management (CIP-007): Managing system security through patch management, malware prevention, etc.
- Incident Reporting and Response Planning (CIP-008): Reporting and responding to security incidents.
- Recovery Plans (CIP-009): Creating and maintaining recovery plans.
- Configuration Change Management and Vulnerability Assessments (CIP-010): Monitoring changes and assessing vulnerabilities.
- Information Protection (CIP-011): Protecting BES Cyber System information.
- Supply Chain Risk Management (CIP-013): Managing risks from third-party vendors.
- Physical Security (CIP-014): Identifying and mitigating physical security threats.
-
Compliance and Audits: NERC regularly audits entities to ensure compliance, and violations can result in significant fines.
-
Objective: To ensure the reliability and resilience of the electric grid by securing critical infrastructure from cyber threats.
NERC CIP Compliance
As the information security landscape continues to evolve, we can expect the instances of bad actors attacking our electrical grid, both national and regional entities, only to increase. By staying NERC CIP compliant and adjusting your business policies to NERC regulations as they are announced, your organization will succeed in protecting its customers, critical cyber assets, the natural resources it relies on, and the Bulk Electric System.
Learn more about cybersecurity frameworks and standards here.
NERC CIP Compliance Software
The greatest critical infrastructure protection burden for many security leaders lies in the scope and awareness of what assets must be secure. In that capacity, a cyber risk management platform is critical to success and ongoing CIP compliance. Static spreadsheets and assessments are outdated the moment they are completed - a continuous, risk-based approach to NERC CIP standards compliance enables security leaders to gather assessment data into a single source of truth and report to technical and business-side stakeholders much more effectively and efficiently.
CyberStrong is an industry-leading platform helping cybersecurity teams at some of the largest financial institutions and energy and utility organizations streamline their cyber risk assessments and security posture management. Learn how CyberStrong can help your organization streamline NERC CIP compliance and cyber risk management.
