How to Ensure Continuous Compliance with NERC CIP

What is NERC?

The North American Electric Reliability Corporation, or NERC, is the largest electric reliability organization in North America. It is responsible for over 1,900 bulk power system operations spanning the United States and Canada, and it administers a Critical Infrastructure Protection (CIP) program with which compliance is mandatory.

What are the standards?

The standards outlined in the Critical Infrastructure Protection program range from asset categorization to reporting to security controls, and are in place to protect organizations against ever-evolving threats. NERC updates its CIP standards frequently in order to keep pace with the rapidly changing technological landscape, and often in response to a breach of or disruption to a critical infrastructure organization, so it is important to review the standards regularly to ensure that your organization remains compliant. In 2009, NERC CIP transitioned from a recommended set of guidelines (Urgent Action 1200) to enforceable regulations to protect the Bulk Electric System from cyber and physical threats. NERC now regularly audits entities that are required to comply with these standards, and there are consequences for inadequate compliance or for failing to comply altogether.

Sabotage Reporting (CIP-001)

This standard requires that any disturbances or unusual occurrences that are suspected or determined to be caused by sabotage be reported to the appropriate systems, governmental agencies, and regulatory bodies. This means that an organization must have systems in place to do this effectively and that employees must be trained accordingly.

Critical Asset Identification (CIP-002)

CIP-002 requires the identification and documentation of Critical Cyber Assets through a risk-based assessment that supports the reliable operation of the Bulk Electric System (BES). This is a foundational standard for organizations to comply with. If you don’t know what assets you have, you won’t be able to secure them.

Security Management Controls (CIP-003)

The Security Management Controls standard requires that organizations have minimum security management controls in place to protect Critical Cyber Assets.

Personnel & Training (CIP-004)

CIP-004 ensures that personnel who have authorized access to Critical Cyber Assets are appropriately trained and have adequate knowledge of risk management and security awareness.

Electronic Security Perimeter(s) (CIP-005)

Standard CIP-005 requires the identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter.

Physical Security Perimeter(s) (CIP-006)

Standard CIP-006 is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets.

Systems Security Management (CIP-007)

Standard CIP-007 requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the non-critical Cyber Assets within the Electronic Security Perimeter(s).

Incident Reporting & Response Planning (CIP-008)

Standard CIP-008 ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets.

Recovery Plans (CIP-009)

Standard CIP-009 ensures that recovery plan(s) are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices.

Configuration Change Management & Vulnerability Assessments (CIP-010)

CIP-010 aims to prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the BES.
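The "prevent and detect unauthorized changes" part of CIP-010 is usually implemented by keeping an approved baseline of each BES Cyber System's configuration and comparing periodic snapshots against it, treating any difference that is not covered by an approved change record as a deviation to investigate. The following is an added example written for this page, not code from NERC, ServiceNow, or any vendor product; the baseline items, the current snapshot, and the change register (the `CHG-0042` ticket) are all constructed sample data, and the item names are assumptions chosen for illustration.

```python
import hashlib
import json

# Constructed sample data (hypothetical device): the approved baseline recorded
# at the last authorized change. Item names are illustrative assumptions.
BASELINE = {
    "firmware_version": "4.2.1",
    "enabled_services": ["ssh", "dnp3"],
    "listening_ports": [22, 20000],
    "security_patches": ["KB-2023-07"],
}

# Constructed approved-change register (hypothetical change-management tickets).
APPROVED_CHANGES = [
    {
        "ticket": "CHG-0042",
        "item": "security_patches",
        "new_value": ["KB-2023-07", "KB-2024-01"],
    },
]

# Constructed snapshot taken after the approved patch was applied, but in which
# a telnet service and its port have also appeared without any change record.
CURRENT_SNAPSHOT = {
    "firmware_version": "4.2.1",
    "enabled_services": ["ssh", "dnp3", "telnet"],
    "listening_ports": [22, 23, 20000],
    "security_patches": ["KB-2023-07", "KB-2024-01"],
}


def canonical(value):
    """Serialize a configuration value deterministically so it can be hashed or compared."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def fingerprint(config):
    """SHA-256 over the canonical form of a whole configuration; equal hashes mean no drift."""
    return hashlib.sha256(canonical(config).encode()).hexdigest()


def detect_drift(baseline, current, approved_changes):
    """Compare a snapshot with the baseline.

    Returns (authorized, unauthorized):
      authorized   - list of (item, ticket) for differences matched by an approved change
      unauthorized - list of (item, baseline_value, current_value) for everything else
    """
    approved = {
        (change["item"], canonical(change["new_value"])): change["ticket"]
        for change in approved_changes
    }
    authorized, unauthorized = [], []
    for item in sorted(set(baseline) | set(current)):
        old, new = baseline.get(item), current.get(item)
        if old == new:
            continue
        ticket = approved.get((item, canonical(new)))
        if ticket:
            authorized.append((item, ticket))
        else:
            unauthorized.append((item, old, new))
    return authorized, unauthorized


def update_baseline(baseline, current, authorized):
    """Produce the new baseline: approved changes are adopted, unauthorized ones are not."""
    updated = dict(baseline)
    for item, _ticket in authorized:
        updated[item] = current[item]
    return updated


if __name__ == "__main__":
    ok, bad = detect_drift(BASELINE, CURRENT_SNAPSHOT, APPROVED_CHANGES)
    print("baseline fingerprint:", fingerprint(BASELINE))
    for item, ticket in ok:
        print(f"authorized change: {item} (ticket {ticket})")
    for item, old, new in bad:
        print(f"UNAUTHORIZED change: {item}: {old} -> {new}")
```

In a real program the snapshot would be pulled from the device or from an asset inventory, the approved-change register would come from the change-management system, and every unauthorized deviation would be logged with the evidence an auditor expects: what changed, when it was detected, and how it was resolved or rolled back.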

Information Protection (CIP-011)

Standard CIP-011 is in place to prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

Communication between Control Centers (CIP-012)

CIP-012 protects the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between Control Centers.

Supply Chain Risk Management (CIP-013)

CIP-013 aims to mitigate cybersecurity risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.

Physical Security (CIP-014)

The purpose of standard CIP-014 is to identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that, if rendered inoperable or damaged as a result of a physical attack, could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.

Keeping up with NERC

A few times a month, NERC publishes updates and other important information in its Standards, Compliance, and Enforcement Bulletin, which is a great resource for keeping up with changes and other news related to critical infrastructure and all CIP standards. Sanctions and penalties do happen for entities that violate any of these standards. The severity of the consequences is determined by NERC, and each violated requirement is categorized as low, medium, or high according to its Violation Risk Factors guidelines:

Low: A requirement that is administrative in nature and a requirement that, if violated, would not be expected to adversely affect the electrical state or capability of the bulk electric system […]

Medium: A requirement that, if violated, could directly affect the electrical state or the capability of the bulk electric system […]

High: A requirement that, if violated, could directly cause or contribute to bulk electric system instability, separation, or a cascading sequence of failures, or could place the bulk electric system at an unacceptable risk of instability, separation, or cascading failures […]

Maintaining continuous compliance with NERC CIP is no easy task. Implementing a platform such as ServiceNow can help your organization maintain continuous compliance, ensure an adequate level of security for your assets, and build in business continuity and disaster recovery plans that make your organization more resilient. Additionally, our experts can guide you through NERC compliance step by step and help you develop a better understanding of the CIP standards and how they affect your organization.
