The History of NERC CIP Standards

The North American Electric Reliability Corporation (NERC) is responsible for protecting the power grid and electric generation of all of North America. Its job is to prevent things such as random blackouts or attacks on the power grid while regulating the system. It’s also in charge of investigating the reasons for these blackouts and finding solutions to the cause. However, it’s a relatively new organization, and it’s constantly undergoing change. To help you understand what it does and how it does it, here’s the history of NERC CIP standards.

1968

The NERC started back in 1968 in the electric utility industry to craft rules and regulations for the operation of bulk power energy transmissions. In the beginning, the rules and regulations of the NERC were simply voluntary and had no legal repercussions if an entity didn’t follow them. Many in the industry did follow them, though, as they proved to be quite useful.

2003 Blackout

In 2003, a massive blackout hit the northeastern section of North America. This blackout remains the biggest in USA history and came from a variety of errors and malfunctions that cascaded into a huge issue for millions of people. Soon after that, an investigation found a need for better protections on the electrical grid.

2005: The ERO

The devastating blackout led to the creation of the ERO, or the Electric Reliability Organization. The FERC, or Federal Energy Regulatory Commission, designated the NERC as this organization, which had the power to legally regulate the energy industry for safety and security.

2008: Order 706

Now with legal backing and power, the NERC had the authority—with permission—to instill and create regulations to prevent blackouts. The first set of regulations came out in 2008 as Order 706. This set of regulations, known as the CIP (Critical Infrastructure Protection), gave everyone a system to follow for electricity regulation.

2009: CIP-2

As time went on, the rules and regulations of the CIP weren’t enough to accurately protect the electric system. The NERC, through constant work and effort, eventually came out with CIP-2 in 2009. This change got rid of a lot of the confusing and misleading language of the first CIP.

2010: CIP-3

The third change to the CIP was all about addressing physical access to critical areas and infrastructure. Because this change was so important, very little time passed between CIP-2 and CIP-3. Even after CIP-3 came out, work quickly begun on CIP-4 to address other issues around electricity.

2012: CIP-4

Although the NERC worked quickly on CIP-4, it didn’t immediately receive approval for several iterations, as people couldn’t agree on the new changes. Effectively, CIP-4 wanted to change how the NERC identified key infrastructure, which caused a lot of internal problems. Eventually, a compromise was found, and the FERC (Federal Energy Regulatory Commission) approved the new CIP.

2013: CIP-5

It’s hard to exactly claim everyone’s motives, but the CIP-5 came out extremely quickly after the CIP-4. In fact, the CIP compliance date didn’t even pass before CIP-5 came into full effect. CIP 5 effectively addressed the same issues of CIP-4 as well as several other issues that plagued the industry.

2014: Emergency Response

There was a break from the quick releases of CIPs for the next few years, with new regulations but no major overhauls to the system coming out—that is, until an attack on a Metcalf substation. A team of gunmen shot a bunch of transformers, raising concerns about the physical safety of these stations. After this attack, the NERC, within 90 days, made massive changes and new regulations that culminated in CIP-14, a new standard for improving substation security across North America.

2016: CIP-6

As we mentioned, after CIP-5, there wasn’t nearly as big of a rush to get out the next set of standards. After a few years of drafting and revisions, the revisions team revealed the new CIP-6 standards for approval.

Because of the long wait between CIP-5 and CIP-6, a lot of problems and issues became more problematic. As such, CIP-6 had to address numerous problems, such as supply chain security, to make sure to protect the electricity grid from new cyber threats and attacks. A lot of CIP-6 also focused on cleaning up regulations to cover all sorts of issues and clear up confusion.

2017: Mexico NERC CIP

In an interesting move in 2017, the NERC announced it would start to apply its rules and regulations in Mexico, placing the country’s electrical infrastructure and grid under its rules. This is because of the overlap in the electrical grids and how they interact with each other.

2018–9: Emergency Electricity Conservation

In late 2018, quite a few states and grids started to show major issues with electricity. This caused a lot of worry for the NERC, and it put out an emergency electricity conservation order to try and lessen this overdraw on the grid.

Since 2017

There have been a lot of rules and regulation changes and additions since 2017, but not all of them were major overhauls of the CIP standards. Even now, a few changes—but no major events or changes to the system—are awaiting approval. But these rules are still important to many industries, affecting even the simplest of hires to major industry regulations.

This is just the simplified version of the history of NERC CIP standards; CIP standards have gone through plenty of other changes, each one being very important and changing all sorts of practices for every industry. For example, the NERC has recently started requiring any place it deems critical to report any attacks and all possible attempts to breach. This causes a lot of extra paperwork, but it can help with further incident prevention. There’s also the intense and thorough NERC CIP compliance background check requirements, which slow down hiring but prevents the hiring of potentially dangerous people. As you can see, there’s a lot to the history of the NERC, but it’s all important to keeping the power grid active and healthy.