The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) is a plan comprised of a set of requirements. The NERC CIP developed and designed a series of standards intended to protect any assets used to operate North America’s Bulk Electric System (BES). North America includes, for the purposes of NERC CIP, the United States, Canada and Mexico.
What Is the North American Bulk Electric System?
The BES includes any Transmission Elements set to operate at one kV (kilovolt) or higher. Real power and reactive power sources, on the other hand, call for BES tapping into resources connected at 100 kV or higher.
The Energy Act of 2005 (EPAct) added Section 215 to the Federal Power Act, giving NERC and the Federal Energy Regulatory Commission (FERC) the authority and ability to establish and enforce reliability standards on everyone using the BES, including all users, owners and operators. These entities may include public power entities.
Essentially, the BES covers a large framework of interconnected facilities and control systems needed to effectively and efficiently operate an electric energy transmission network, not including those entities functioning on a local level.
A few of the specific power resources over 100 kV included in BES include the following:
- Transformer resources
- Generating sources, such as generating terminals
- Blackstart resources that are designed to remain active and energized without connection to the rest of a system
- Dispersed power that produces aggregate resources that is distributed to individual resources and specialized systems
- Static and dynamic devices that do not include generators, dedicated to absorbing or distributing reactive power resources
Combined, NERC’s programs impact more than 1,900 bulk electric power system operators and owners. The primary goals of these programs include ensuring learning, assurance and risk-based approaches to improving operations and reliability of the electrical grid across the entire continent.
Of course, such a large-scale power program needs a strong set of regularly updated standards and regulations that require compliance to ensure smooth-running operations and consistent power supply to recipients.
Who Does NERC CIP Apply To? What Types of Companies?
Any business that owns, operates and uses any type of bulk electric power system must comply with all NERC-approved Reliability Standards. Any of these business entities must register with NERC through the appropriate Regional Entity.
If your organization holds NERC registration as a user, owner or operator within the bulk electric system in the U.S., you must become and remain NERC CIP compliant. Your professional compliance team can help you determine whether—and to what degree—you must comply with the plan’s requirements.
As so much of this work is now done on a digital and online level, it is important to also consider the technological risks. NERC CIP has provided a cybersecurity framework that allows for the identification and security of critical cyber assets that can greatly impact and control the reliability of North America’s BES.
What Is NERC CIP?
NERC developed its set of CIP Standards to require utilities to establish a baseline set of security measures. The regulatory body developed these standards using a results-based approach, focusing on performance, risk management and entity capabilities. The overriding goal of NERC CIP standards was to ensure that the appropriate security measures were in place to protect the BPS.
NERC CIP is currently the only mandatory requirement with which electric utilities must comply when it comes to cybersecurity—outside of customer data privacy considerations—in relation to operations.
Why Is NERC CIP Compliance So Important?
NERC CIP and its regional bodies take compliance very seriously, in order to ensure consistent and effective power to all recipients. The NERC Compliance Monitoring and Enforcement Program (CMEP) tracks, assesses, and enforces uniform compliance.
At any time, your business—as a registered entity—may be subject to an audit or spot check for compliance with all Reliability Standards applicable to your organization. This means that you must constantly remain vigilant in your compliance efforts. The NERC has set forth a collection of NERC Sanction Guidelines that include some monetary fines that could reach six figures, depending on the type and degree of compliance violation.
The pressure in this industry is high and, as you know, it is necessarily so. When a massive continent is counting on you as part of the power grid, it really is a huge responsibility.
What Are the Key Requirements for NERC CIP Compliance?
Take a few moments to review some of the most important requirements for NERC CIP compliance:
- Program Development and Management
- Compliance Audits and Assessments
- Patch Management
- Vulnerability Assessment and Management
- Incident Reporting of Cybersecurity Events and Quick Response Planning
- Mock Audits
- On-the-Spot and Unplanned Audits
- Asset Identification and Configuration Management
- Reliability Standard Audit Worksheet Development
- Systems Security Assessments and Management
- Personnel Training
- Policy, Process and Procedure Planning
- Development, Documentation and Evidence Reporting
- Security Information and Event Management
- Recovery Planning
What Are the 9 NERC CIP Standards?
Currently, the NERC CIP plan consists of nine Standards, which include 45 requirements that cover the security of all electronic perimeters, as well as the protection of vital cyber-assets. These requirements also encompass matters that include security management, personnel and training, and disaster recovery planning.
Take a moment to learn more about each of the nine NERC CIP Standards and how they might apply to your own facility.
CIP-001 Sabotage Reporting
The purpose of this standard is to address any disturbances or unusual occurrences—whether only under suspicion or those that are actually determined to be caused by sabotage—and further, to report such events to the appropriate regulatory bodies, systems, governmental agencies or relevant private organizations.
Any time that an incident of sabotage is detected, the team’s General Operator, Reliability Coordinator, Balancing Authority, Transmission Operator and Load Serving Entity must follow procedures to recognize the sabotage events against its facilities before informing their operating personnel about the incident. Further, if there are multiple sites affected, this team will work within the broader scope, and according to chain of command, to assure readiness and appropriate response.
CIP-002 Critical Cyber-Asset Identification
NERC Standards CIP-002 through CIP-009 each contribute to the cybersecurity framework for the identification and protection of all critical cyber-assets to support the reliable operation of the BES. Each of these different standards recognizes the distinct roles of each entity within the operation of the BES. The standard also acknowledges the criticality and vulnerability of the assets involved that are necessary to manage BES for optimal reliability.
Further, these standards serve to illuminate the risks to which the BES is regularly exposed. CIP-002, in particular, requires the identification and documentation of any critical cyber-assets associated with the determined critical-asset in question that supports the reliable operation of the BES through the performance of a risk-based assessment by your auditing firm.
CIP-003 Security Management Controls
CIP-003’s purpose, within the framework of standards CIP-002 through CIP-009, requires that all responsible entities have the minimum security management controls in place at all times to protect critical cyber-assets. With this standard, the responsible entity must document and implement a sound cybersecurity policy that accurately represents management’s ability and commitment to securing all critical cyber-assets under his or her care.
Such responsibilities in this standard certainly include all provisions regarding emergency situations. Additionally, the responsible entity must ensure that the completed cybersecurity policy is readily available to all personnel who are responsible for, or who have access to, any critical cyber-assets. Finally, the cybersecurity policy must undergo review each year by the senior manager assigned to the task.
CIP-004 Personnel and Training
Standard CIP-004 requires that each member of the team who has access to any critical cyber-assets—whether authorized cyber access or authorized unescorted access to physical assets—have the appropriate amount and level of personnel risk assessment credentials, training and security awareness. Persons in this category may include contractors and service vendors.
Each responsible entity must establish, maintain and document a security awareness program to make sure all personnel are continually compliant with this standard. A few of the key components of such a program include instruction regarding appropriate behavior for the following situations: direct communications that may include emails, memos and computer-based training; indirect communications that may include posters, intranet, brochures and newsletters; and management support and reinforcement in settings like presentations and meetings.
Training will serve to reinforce the components of awareness. Each relevant personnel member must undergo proper awareness training within 90 calendar days of authorization to physical assets or critical cyber-assets.
CIP-005 Electronic Security Perimeter
Standard CIP-005 requires the protection and identification of the Electronic Security Perimeter(s). Such an area houses all critical cyber-assets and all access points along the perimeter.
The assigned responsible entity is required to maintain the security of the area surrounding all cybersecurity assets, using the following criteria, in addition to the Electronic Security Perimeter(s) itself: electronic access controls, monitoring electronic access, cyber-vulnerability assessment, documentation review and maintenance.
CIP-006 Physical Security of Critical Cyber-Assets
Standard CIP-006 intends to secure the implementation of a physical security program to protect critical cyber-assets. The Physical Security Plan should address matters that include designating, identifying and documenting the Electronic Security Perimeter(s); identifying all access points through each Physical Security Perimeter and measures to control entry via those access points; developing processes, tools and procedures necessary to monitor physical access to all relevant perimeters; and designing a loss or breach response to manage any infiltrations to these areas. The Physical Security Plan must undergo review annually.
CIP-007 Systems Security and Management
Standard CIP-007 focuses on the requirement of Responsible Entities to define methods, processes and procedures to secure all systems designated as critical cyber-assets, along with non-critical cyber-assets that lie within the Electronic Security Perimeter(s).
The methods, processes, practices, policies and tools needed to comply with the CIP-007 Standard include test procedures, ports and services, security patch management, malicious software prevention, account management, security status monitoring, disposal or redeployment, cyber-vulnerability assessment, and documentation review and maintenance.
CIP-008 Incident Reporting and Response Planning
Standard CIP-008 prepares entities for any incidents that arise, ensuring the identification, classification, response, and reporting and documentation of cybersecurity Incidents related to critical cybersecurity assets.
With this standard, the responsible entity must develop and maintain a cybersecurity Incident Response Plan. He or she must also implement the resulting plan that includes proper reporting procedures to all relevant authorities. Additionally, the responsible entity must keep all relevant documentation related to any incidents.
CIP-009 Recovery Plans for Critical Cyber-Assets
This standard ensures that recovery plan(s) are developed for critical cyber-assets. Standard CIP-009 also provides that these plans follow established business continuity and any disaster recovery plans, techniques or practices. The Responsible Entity must create and review recovery plan(s) annually for any critical cyber-assets in his or her care.
At the very minimum, the recovery plan(s) must address required actions to respond to an event or condition of varying duration and severity that might necessitate the activation of the required recovery plan(s). It is also essential to define the roles and responsibilities of each responder on the team.
Are You Ready to Become Fully NERC CIP Compliant?
Are you worried that you may receive a surprise visit from the NERC CIP Compliance Enforcement Authority before you feel fully confident that your organization is compliant? I.S. Partners will go through each requirement with you to make sure you have it covered right away.