The NERC CIP Standards: An Overview to Foster Compliance
Samantha Salomon kicked off our ongoing blog series on the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) in July 2018, with her blog post entitled NERC CIP and the Importance of Consistent Compliance. This introductory piece provided insights into the basics of NERC CIP, the Bulk Electric System (BES) and the key requirements for full NERC CIP compliance.
We now continue our exploration of NERC, the organization that develops and enforces these standards to assure the reliability of the Bulk Power System (BPS) across North America, by examining the NERC CIP Reliability Standards themselves.
What Is the Main Purpose of the NERC CIP Standards?
NERC developed its set of CIP Standards to require utilities to establish a baseline set of security measures. The standards were written using a results-based approach that focuses on performance, risk management and entity capabilities. The overriding goal of the CIP standards is to ensure that appropriate security measures are in place to protect the BPS.
NERC CIP is currently the only mandatory, enforceable set of cyber-security requirements that electric utilities must meet for their operations, leaving aside customer data privacy obligations.
Learn More About the 9 NERC CIP Standards
The NERC CIP family described here consists of nine Standards, CIP-001 through CIP-009, which include 45 requirements covering the security of electronic perimeters and the protection of vital cyber-assets, as well as security management, personnel and training, incident response and recovery planning. This family uses the Critical Asset and Critical Cyber-Asset terminology; later revisions of the standards recast these requirements around BES Cyber Systems and added further standards, so confirm which version is enforceable for your entity before building a compliance program around the summaries below.
Take a moment to learn more about each of the nine NERC CIP Standards and how they might apply to your own facility.
CIP-001 Sabotage Reporting
The purpose of this standard is to ensure that disturbances or unusual occurrences, whether merely suspected or actually determined to be caused by sabotage, are recognized and reported to the appropriate systems, governmental agencies, regulatory bodies and relevant private organizations.
Each Reliability Coordinator, Balancing Authority, Transmission Operator, Generator Operator and Load Serving Entity must have procedures for recognizing sabotage events against its facilities and for making its operating personnel aware of them. Because a sabotage event may span multiple sites or entities, the procedures must also cover communicating information about the event to the appropriate parties in the Interconnection and reporting it to the relevant law-enforcement agencies, so that the broader response is coordinated according to the established chain of command.
CIP-002 Critical Cyber-Asset Identification
NERC Standards CIP-002 through CIP-009 together form the cyber-security framework for identifying and protecting the Critical Cyber-Assets that support the reliable operation of the BES.
Each of these standards recognizes the distinct roles of the entities that operate the BES, the criticality and vulnerability of the assets needed to manage the BES reliably, and the risks to which the BES is regularly exposed.
CIP-002 in particular requires the Responsible Entity to identify its Critical Assets by applying a documented risk-based assessment methodology, and then to identify and document the Critical Cyber-Assets associated with each Critical Asset that supports the reliable operation of the BES. The Responsible Entity, not its auditor, develops, applies and documents this assessment; the auditor reviews the methodology and the resulting lists, which the senior manager must approve annually.
CIP-003 Security Management Controls
Within the framework of Standards CIP-002 through CIP-009, CIP-003 requires that every Responsible Entity has minimum security management controls in place at all times to protect Critical Cyber-Assets.
Under this standard, the Responsible Entity must document and implement a cyber-security policy that represents management's commitment and ability to secure all Critical Cyber-Assets in its care. The policy must include provisions for emergency situations.
Additionally, the Responsible Entity must ensure that the completed cyber-security policy is readily available to all personnel who are responsible for, or who have access to, any Critical Cyber-Assets.
Finally, the senior manager assigned overall responsibility for the CIP program must review and approve the cyber-security policy annually.
CIP-004 Personnel and Training
Standard CIP-004 requires that everyone with access to Critical Cyber-Assets, whether authorized cyber access or authorized unescorted physical access, has completed a personnel risk assessment, the required training and the security awareness program before that access is granted. Persons in this category include contractors and service vendors, not only employees.
Following are more details on the awareness and training requirements.
Each Responsible Entity must establish, document and maintain a security awareness program that reinforces sound security practices for all such personnel on at least a quarterly basis. The program may use mechanisms such as:
- Direct communications, for example emails, memos and computer-based training
- Indirect communications, for example posters, intranet pages, brochures and newsletters
- Management support and reinforcement, for example in presentations and meetings
Training builds on the awareness program. Each person with such access must complete the training program within ninety calendar days of being granted authorized cyber or unescorted physical access to Critical Cyber-Assets, and at least annually thereafter, with attendance records retained.
CIP-005 Electronic Security Perimeter
Standard CIP-005 requires the identification and protection of the Electronic Security Perimeter(s) (ESP) inside which all Critical Cyber-Assets reside, along with every access point on that perimeter. Any non-critical Cyber-Asset connected to the same network inside the ESP is protected by the same perimeter.
The Responsible Entity must identify and document the ESP(s) and all of their access points, and must address the following areas:
- Electronic Access Controls
- Monitoring Electronic Access
- Cyber-Vulnerability Assessment
- Documentation Review and Maintenance
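The "Monitoring Electronic Access" requirement is easiest to understand as a check that every inbound connection into the ESP terminates at a documented access point and that failed attempts at those access points are surfaced for review. The following is an added example, not code from the original post or from NERC: it analyzes a handful of constructed firewall log lines (the key=value format, the ESP address range 192.168.50.0/24 and the single documented access point 192.168.50.10:22 are all hypothetical) and flags connections that bypass the access point as well as denied attempts against it.

```python
"""Electronic-access monitoring over firewall logs (added example, hypothetical data).

Two conditions are reported for traffic entering the ESP from outside:
  * esp_bypass     - an allowed inbound connection that does not terminate at a
                     documented Electronic Access Point (EAP) host/port
  * denied_attempt - a denied inbound connection, i.e. an access attempt that
                     the access controls blocked and that should be reviewed
Intra-ESP and outbound traffic is ignored here; it is not perimeter access.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical ESP address range and documented access points: (host, port) -> purpose.
ESP = ipaddress.ip_network("192.168.50.0/24")
EAP_RULES = {("192.168.50.10", 22): "Jump host SSH through the EAP"}

KV = re.compile(r"(\w+)=(\S+)")  # parses "key=value" tokens from a log line


@dataclass(frozen=True)
class Finding:
    kind: str      # "esp_bypass" or "denied_attempt"
    line: str      # the raw log line that produced the finding


def analyze(lines, esp=ESP, eap_rules=EAP_RULES):
    """Return findings for inbound ESP traffic; malformed lines are skipped."""
    findings = []
    for line in lines:
        fields = dict(KV.findall(line))
        try:
            src = ipaddress.ip_address(fields["src"])
            dst = ipaddress.ip_address(fields["dst"])
            dport = int(fields["dport"])
        except (KeyError, ValueError):
            continue                      # not a connection record we understand
        if src in esp or dst not in esp:
            continue                      # not inbound across the perimeter
        if fields.get("action") == "DENY":
            findings.append(Finding("denied_attempt", line))
        elif (str(dst), dport) not in eap_rules:
            findings.append(Finding("esp_bypass", line))
    return findings


# Constructed sample log lines (hypothetical format; not real traffic).
SAMPLE_LOG = [
    "2018-07-12T03:14:05Z fw1 action=ALLOW src=10.20.5.7 dst=192.168.50.10 dport=22 proto=tcp",
    "2018-07-12T03:14:09Z fw1 action=ALLOW src=10.20.5.7 dst=192.168.50.21 dport=502 proto=tcp",
    "2018-07-12T03:15:40Z fw1 action=DENY src=203.0.113.9 dst=192.168.50.10 dport=22 proto=tcp",
    "2018-07-12T03:16:02Z fw1 action=ALLOW src=192.168.50.21 dst=192.168.50.22 dport=20000 proto=tcp",
    "2018-07-12T03:16:30Z fw1 action=ALLOW src=192.168.50.10 dst=10.20.5.7 dport=514 proto=udp",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:15s} {f.line}")
```

The second sample line is the one a perimeter review should catch: a Modbus/TCP connection (port 502) allowed straight to a device inside the ESP without passing through the documented access point, which means either the firewall rule set or the ESP documentation is wrong. The denied attempt from 203.0.113.9 is the kind of event the monitoring requirement expects to be logged and reviewed.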
CIP-006 Physical Security of Critical Cyber-Assets
Standard CIP-006 requires the implementation of a physical security program to protect Critical Cyber-Assets.
The Physical Security Plan should address matters that include the following:
- Identifying and documenting the Physical Security Perimeter(s), and ensuring that every Cyber-Asset within an Electronic Security Perimeter also resides within an identified Physical Security Perimeter
- Identifying all access points through each Physical Security Perimeter and measures to control entry via those access points
- Developing processes, tools and procedures necessary to monitor physical access to all relevant perimeters
- Designing a loss or breach response to manage any infiltrations to these areas
The Physical Security Plan must undergo review annually.
CIP-007 Systems Security Management
Standard CIP-007 requires Responsible Entities to define methods, processes and procedures for securing all systems designated as Critical Cyber-Assets, along with the non-critical Cyber-Assets that lie within the Electronic Security Perimeter(s).
Following are the methods, processes, practices, policies and tools needed to comply with the CIP-007 Standard:
- Test Procedures
- Ports and Services
- Security Patch Management
- Malicious Software Prevention
- Account Management
- Security Status Monitoring
- Disposal or Redeployment
- Cyber-Vulnerability Assessment
- Documentation Review and Maintenance
Standard CIP-007 is fairly extensive; each of the areas above carries its own documented requirements, so it deserves a closer reading than this summary allows.
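The "Ports and Services" area is where a baseline document meets the actual state of a host: only the ports and services required for normal and emergency operations should be enabled, and anything else is a deviation to be justified or removed. The following is an added example, not code from the original post or from NERC, showing how such a check can be automated. It parses constructed `ss -Hlntup`-style output (the process names, ports and the per-asset baseline are all hypothetical) and reports listeners not in the baseline, baseline entries that are absent, and listeners bound only to loopback, which are not reachable across the network but still worth listing.

```python
"""Ports-and-services baseline check (added example, hypothetical data).

Compares the listening TCP/UDP sockets observed on a host with the documented
baseline of ports the asset needs, in the spirit of CIP-007 "Ports and Services".
"""
import re
from dataclasses import dataclass, field

# Matches one line of `ss -Hlntup` output, e.g.
# tcp   LISTEN 0  128  0.0.0.0:22  0.0.0.0:*  users:(("sshd",pid=812,fd=3))
SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    addr: str
    process: str

    @property
    def loopback_only(self) -> bool:
        return self.addr in ("127.0.0.1", "::1")


def parse_ss(output: str) -> list[Listener]:
    """Turn ss output into Listener records; unparseable lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        addr, _, port = m.group("local").rpartition(":")   # "[::]:22" -> "[::]", "22"
        listeners.append(Listener(m.group("proto"), int(port),
                                  addr.strip("[]"), m.group("proc") or "?"))
    return listeners


@dataclass(frozen=True)
class Baseline:
    asset: str
    allowed: dict          # (proto, port) -> documented justification


@dataclass
class Deviations:
    unexpected: list = field(default_factory=list)     # listening, not in baseline
    missing: list = field(default_factory=list)        # in baseline, not listening
    loopback_only: list = field(default_factory=list)  # local-only listeners, for the record


def check_baseline(baseline: Baseline, listeners: list[Listener]) -> Deviations:
    dev = Deviations()
    seen = set()
    for lst in listeners:
        key = (lst.proto, lst.port)
        seen.add(key)
        if lst.loopback_only:
            dev.loopback_only.append(lst)   # not network-reachable; report, do not fail
        elif key not in baseline.allowed:
            dev.unexpected.append(lst)
    dev.missing = sorted(k for k in baseline.allowed if k not in seen)
    return dev


def report(baseline: Baseline, dev: Deviations) -> str:
    lines = [f"Asset {baseline.asset}:"]
    for lst in dev.unexpected:
        lines.append(f"  UNEXPECTED {lst.proto}/{lst.port} ({lst.process}) on {lst.addr}")
    for proto, port in dev.missing:
        lines.append(f"  MISSING    {proto}/{port}: {baseline.allowed[(proto, port)]}")
    for lst in dev.loopback_only:
        lines.append(f"  LOCAL-ONLY {lst.proto}/{lst.port} ({lst.process})")
    return "\n".join(lines)


# Constructed sample host state and baseline (hypothetical).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128             [::]:22             [::]:*    users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      5            0.0.0.0:23          0.0.0.0:*    users:(("inetd",pid=640,fd=5))
tcp   LISTEN 0      64           0.0.0.0:20000       0.0.0.0:*    users:(("dnp3-gw",pid=1201,fd=7))
tcp   LISTEN 0      244        127.0.0.1:5432        0.0.0.0:*    users:(("postgres",pid=955,fd=6))
udp   UNCONN 0      0            0.0.0.0:161         0.0.0.0:*    users:(("snmpd",pid=900,fd=8))
"""
SAMPLE_BASELINE = Baseline("rtu-gateway-01", {
    ("tcp", 22): "Remote administration via the EAP jump host",
    ("tcp", 20000): "DNP3 outstation polling by the control center",
    ("tcp", 443): "HTTPS local HMI",
    ("udp", 161): "SNMP monitoring",
})

if __name__ == "__main__":
    print(report(SAMPLE_BASELINE, check_baseline(SAMPLE_BASELINE, parse_ss(SAMPLE_SS_OUTPUT))))
```

Run against the sample, the check flags telnet (tcp/23) as an undocumented service, notes that the HTTPS HMI the baseline expects is not listening, and records the loopback-only database listener without counting it as a deviation. Keeping the justification text in the baseline is what turns this from a port scan into the documented evidence an auditor asks for.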
CIP-008 Incident Reporting and Response Planning
Standard CIP-008 ensures that entities are prepared for Cyber-Security Incidents affecting Critical Cyber-Assets by requiring their identification, classification, response, reporting and documentation.
Under this standard, the Responsible Entity must develop, maintain and implement a Cyber-Security Incident Response Plan that includes procedures for reporting incidents to the appropriate authorities. The plan must be reviewed and tested at least annually.
Additionally, the Responsible Entity must retain all relevant documentation related to incidents it handles under the plan.
CIP-009 Recovery Plans for Critical Cyber-Assets
This standard ensures that recovery plan(s) are developed for Critical Cyber-Assets and that they follow established business continuity and disaster recovery techniques and practices.
The Responsible Entity must create recovery plan(s) for the Critical Cyber-Assets in its care and review them at least annually.
At the very minimum, the recovery plan(s) must address required actions to respond to an event or condition of varying duration and severity that might necessitate the activation of the required recovery plan(s). It is also essential to define the roles and responsibilities of each responder on the team.
The following components must also be included in recovery plan(s) to ensure effectiveness of the official Recovery Plans for Critical Cyber-Assets:
- Exercises. It is important to exercise the recovery plan(s) annually, at least, to test soundness and effectiveness for current conditions.
- Change Control. Upon learning the results of exercises, recovery plan(s) are subject to updates to reflect changes, or the need to make changes.
- Backup and Restore. Processes and procedures for the backup and storage of the information required to successfully restore Critical Cyber-Assets must be defined and performed regularly.
- Testing Backup Media. Information essential to recovery that is stored on backup media must be tested at least annually to ensure it is actually available; this testing may be completed offsite.
Are You Confident That Your Critical Cyber-Asset Infrastructure Is Fully NERC CIP Compliant?
If you are feeling somewhat overwhelmed by this extensive list, or if you simply have questions about one or two of the NERC CIP Standards, our team at I.S. Partners, LLC can help clear things up for you.