The North American Electric Reliability Corporation (NERC) is an organization created to protect the country from cyber-attacks that could affect our economy and stability as a nation. NERC was designed to protect America's infrastructure, and it is in charge of protecting the Bulk Electric System (BES). Through regulations and standards, NERC helps protect the BES and everyone in its jurisdiction. NERC also publishes a set of standards called Critical Infrastructure Protection (CIP). These are the NERC standards that deal directly with the cybersecurity of the BES. There are currently ten different sections to these standards, and they have changed numerous times since their creation. Here, we will go over the standards to help you understand how to achieve NERC CIP compliance.
The first CIP standard requires identifying and designating the devices that count as BES cyber assets. This identification is very important to the whole program, as it focuses resources and lets people provide protection where the BES needs it. To qualify as a BES cyber asset, a device must be an electronic device capable of being programmed and holding data. Once identified, assets are rated and categorized to make sure they receive the protections appropriate to them. These categories include electronic access control systems, physical access control systems, and protected cyber assets.
The second set of standards is meant to establish an authority in charge of protecting the BES. Within each organization, someone is responsible for making sure that policies are in place to protect and run BES cyber systems in a consistent way. These managers also oversee the use of BES systems to make sure there is no instability or faulty usage.
Training and Background Checks
One of the most important standards deals with the recruitment and training of personnel who come into contact with any BES asset. To limit potential threats, it is very important that everyone who is given access to a BES asset goes through a NERC CIP background check. These checks are performed by properly certified providers that follow all applicable regulations and federal and state laws. It is also vital that anyone in your organization who deals with the BES is properly trained according to all pertinent NERC standards. This training will help you design the policies NERC requires to properly protect the BES. Training covers situations such as termination protocols and personnel access, and it keeps everyone up to date on new and existing policies.
NERC CIP requires that certain protocols be in place to help protect all cyber assets. One of the major ways to protect cyber assets is by using Electronic Security Perimeters (ESPs). An ESP groups together all the assets linked to one another and monitors all incoming and outgoing data. There are also requirements for cyber assets with remote access to these ESPs. It is management's job to put policies in place that record and monitor all this data and access. They must also put other protections in place for these systems, such as multi-factor authentication.
Outside of the virtual security that must be in place, physical security to protect BES physical assets is also necessary and required. This requires creating a physical security plan that documents all the policies and systems in place to restrict physical access to the assets. A good security plan will include a record of all access, along with access protocols and response plans for any threats or unauthorized access. These protocols are tested periodically to make sure everything works as it should.
System Security Management
NERC CIP places many requirements on how to manage system security. These deal with everything from controlling access to device ports to authenticating user access. Building systems that keep outside influences from gaining access is a large requirement; the systems must be able to handle any form of malicious code while also handling the installation of security upgrades and patches. You should record this information, as well as any cybersecurity incidents.
Incident Response Plan and Reporting
Any corporation that follows NERC CIP requirements must have a response plan in place to mitigate incidents. Whether it is an attack or just a mistake, there needs to be a protocol in place to ensure the BES keeps functioning as well as possible. Once you resolve an incident, it is imperative that you report and record everything done to identify and deal with it. These plans and protocols must be tested periodically, and any updates to them must be communicated.
Recovery After Incident Plans
Once an incident has occurred and those protocols have come into play, there has to be a plan to help the affected BES systems recover. These plans are under similar scrutiny and requirements as the incident response plans, with the same testing timetable and reporting window. The added caveat is that different conditions trigger these recovery processes.
Configuration Management and Vulnerability Assessments
This NERC CIP requirement regulates any changes to cyber systems. It requires that systems be in place to prevent and detect unauthorized changes to any virtual or physical BES asset. It also requires regular checks for unauthorized changes to assets, and the investigation and reporting of any that are found. As with the other systems, it requires periodic tests to make sure it follows regulations.
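The detection side of this requirement is usually implemented as baseline comparison: record an approved configuration for each asset, periodically collect the current configuration, and treat every deviation that has no matching change authorization as unauthorized. The example below is added here to illustrate that workflow; it is not NERC's or any vendor's code. The asset inventory fields (operating system, installed software, listening ports, applied patches), the patch identifiers, and the approved-change records are all constructed sample data, not a NERC-defined schema.

```python
"""Baseline-versus-current configuration check for a BES cyber asset (illustrative)."""
import hashlib
import json

# Constructed baseline for a hypothetical substation host. Field names are
# illustrative; patch IDs such as "SEC-2023-001" are placeholders.
BASELINE = {
    "os": "vendor-rtos 4.2.1",
    "software": {"hmi-client": "7.3.0", "ntp": "4.2.8p15"},
    "ports": {"22/tcp": "ssh", "502/tcp": "modbus"},
    "patches": ["SEC-2023-001", "SEC-2023-004"],
}

# Constructed "current" state, as an inventory collector might report it.
CURRENT = {
    "os": "vendor-rtos 4.2.1",
    "software": {"hmi-client": "7.3.1", "ntp": "4.2.8p15", "remote-tool": "1.0"},
    "ports": {"22/tcp": "ssh", "502/tcp": "modbus", "8080/tcp": "http"},
    "patches": ["SEC-2023-001", "SEC-2023-004", "SEC-2024-002"],
}

# Constructed change-authorization records: (category, item, new value).
# Only deviations that appear here count as authorized.
APPROVED_CHANGES = {
    ("software", "hmi-client", "7.3.1"),
    ("patches", "SEC-2024-002", "present"),
}


def snapshot_digest(snapshot):
    """Stable SHA-256 over a canonical JSON form, usable as a quick
    'did anything change at all' check and as evidence in the change record."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_snapshots(baseline, current):
    """Return a list of (category, item, new_value) for every deviation.

    Items removed from the asset are reported with new_value "absent", so a
    deleted patch or a disabled service shows up as a change too."""
    changes = []
    for category in ("software", "ports"):
        old, new = baseline[category], current[category]
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                changes.append((category, key, new.get(key, "absent")))
    old_patches, new_patches = set(baseline["patches"]), set(current["patches"])
    for patch in sorted(new_patches - old_patches):
        changes.append(("patches", patch, "present"))
    for patch in sorted(old_patches - new_patches):
        changes.append(("patches", patch, "absent"))
    if baseline["os"] != current["os"]:
        changes.append(("os", "version", current["os"]))
    return changes


def classify_changes(changes, approved):
    """Split deviations into those covered by a change authorization and those
    that are not. The unauthorized list is what must be investigated and reported."""
    authorized = [c for c in changes if c in approved]
    unauthorized = [c for c in changes if c not in approved]
    return authorized, unauthorized


if __name__ == "__main__":
    if snapshot_digest(BASELINE) != snapshot_digest(CURRENT):
        found = diff_snapshots(BASELINE, CURRENT)
        ok, bad = classify_changes(found, APPROVED_CHANGES)
        print("authorized changes:", ok)
        print("UNAUTHORIZED changes (investigate and report):", bad)
```

Running the script against the constructed data reports the HMI client upgrade and the new patch as authorized, and flags the unexpected `remote-tool` package and the new listener on 8080/tcp as unauthorized deviations. In practice the baseline and the approved-change set would be loaded from the asset inventory and change-management system rather than embedded, and the unauthorized list would feed the investigation and reporting process the requirement calls for.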
This requirement focuses on identifying and protecting sensitive information that could affect the functioning of the BES. Personnel are expected to recognize and protect any information that could be used to compromise BES systems. Policies and procedures must be in place that protect this information from unauthorized access and store it safely.
These are only simplified versions of the NERC CIP requirements, and they will not fully teach you how to achieve NERC CIP compliance. However, they should give you a general idea of the requirements and of what you will need to invest in to comply with NERC.