What is NERC CIP compliance?
The North American Electric Reliability Corporation (NERC) is a global regulatory authority that operates to reduce the risks associated with power grid infrastructure. This is accomplished through the ongoing development of a set of regulatory standards, as well as education, training, and certification for the Energy industry personnel.
NERC manages the Critical Infrastructure Protection (CIP) program. These standards address the security of cyber assets that are critical to the North American electricity grid’s operation.
NERC standards apply to any organization involved in the electrical generation, transmission, and interconnection of the bulk power system in the United States, Canada, and a portion of Mexico. Owners, operators, and users of bulk power systems must adhere to NERC-approved Reliability Standards.
What are the requirements for NERC compliance?
The NERC CIP plan includes standards and requirements for electronic security systems and critical cyber asset protection, as well as training, security management, and disaster recovery planning:
- CIP-002-5.1a: Critical Cyber Asset Identification
- CIP-003-8: Security Management Controls
- CIP-004-6: Personnel and Training
- CIP-005-5: Electronic Security Perimeters
- CIP-006-6: Physical Security of Critical Cyber Assets
- CIP-007-6: Systems Security Management
- CIP-008-5: Incident Reporting and Response Planning
- CIP-009-6: Recovery Plans for Critical Cyber Assets
- CIP-010-2: Configuration Change Management and Vulnerability
- CIP-011-2: Information Protection
- CIP-014-2: Physical Security
The CIP program unifies all of NERC’s efforts to strengthen the security of the North American power system. These efforts include developing standards, enforcing compliance, assessing risk and preparedness, disseminating critical information, and raising awareness about key security issues.
Why should you be NERC compliant?
When an organization’s bulk powered systems, providers, and users are NERC compliant, it increases the reliability of its bulk electrical supply in transmission and generation. While the majority of the world is run on electricity, offering security for critical infrastructures is crucial in preventing and maintaining harm and risks to the power source. By becoming NERC compliant, an organization can ensure the safety and reliability of its infrastructure.
Noncompliance can cause fines that could reach as much as $1 million per day, which is reason enough for most industrial control system organizations to invest significant time and resources in maintaining compliance. The compliance Violation Severity Levels (VSLs) assigned by NERC range from low to severe and indicate the extent to which a noncompliant entity failed to meet their auditor’s expectations.
How to achieve NERC CIP compliance?
The NERC CIP standards must be followed at all times. To be NERC CIP compliant, proprietors of power supplies and business owners must ensure that all of the enforceable CIP standards have been implemented.
Covered entities are required to identify critical assets and conduct risk assessments on those assets on a regular basis. Policies for monitoring and modifying the configuration of critical assets, as well as policies governing access to those assets, must be defined. Furthermore, NERC CIP mandates the use of firewalls to block vulnerable ports as well as the implementation of cyber attack monitoring tools. Organizations must also implement IT controls to protect access to critical cyber assets. Organizations must have detailed safeguards in place for cybersecurity threats, natural disasters, and other unplanned events, as well as monitoring systems for security events.
Centraleyes delivers streamlined, automated data collection and analysis, prioritized remediation guidance and real-time customized scoring to ease NERC CIP compliance for energy companies. The platform has mapped NERC controls back to its extensive control inventory of the other frameworks in its framework library, which enables time savings, better accuracy and peace of mind when collecting and analyzing critical data towards achieving NERC CIP compliance.
