The NERC CIP, otherwise known as the North American Reliability Corporation’s critical infrastructure plan, is a highly important course of action set forth to protect, secure and maintain the American electrical grid. The CIP plan is the perfect coordination of NERC’s operations to ensure the continuing safety of our critical power infrastructure.
The Basics of NERC CIP
The plan involves nine standards to follow, along with an additional 45 requirements that cover a variety of areas in the critical infrastructure system, including:
- sabotage reporting
- asset identification
- managing and controlling security
- the Electronic Security Perimeter
- management of system security
- and much more
Let’s look at basic information for each standard and some of their requirements.
Standard CIP-001: Sabotage Reporting
This standard covers “disturbances or unusual occurrences” that are suspected of being, or have yet to be confirmed as, caused by sabotage. The event is to be reported to governmental agencies or regulatory bodies.
Leaders in various NERC divisions, such as Reliability Coordinators, Balancing Authorities, Generator Operators, and all Load Serving Entities ensure the necessary procedures are in place to identify sabotage and inform personnel in facilities about any sabotage event.
Compliance with the standard is then monitored by:
- Self-certification that is conducted annually and submitted by a deadline.
- Spot-check Audits. These can be conducted anytime, with up to 30 days’ notice given to prepare.
- Periodic Audits. These are done once every three years according to schedule.
- Triggered Investigations. A 60-day notice of investigation has to be made within 60 days after a complaint or an event of noncompliance with the standard. The investigated entity also receives 30 days’ advance notice so that it can start preparations.
Other requirements for this standard include making sure that the applicable parties are able to communicate information about sabotage events to the appropriate authorities. Best practices include creating sabotage response guidelines for staff. These should include easily accessible contact information and an open line of communication with authorities such as the Federal Bureau of Investigation.
Standard CIP-002: Critical Cyber Asset Identification
This standard uses a risk-based assessment to identify an organization’s “critical cyber assets” that are essential to the security and continued operations of that business.
Cyber assets are defined as anything related to “programmable electronic devices and communication networks including hardware, software, and data.”
Every sort of cyber asset, with the exception of ones that are associated with communication networks and data links, is included in CIP-002. Some of the important steps that are followed in this standard are:
- Find all cyber assets associated with a critical asset. Evaluate and identify any cyber asset that could potentially impact the successful operations of a critical asset.
- Split the cyber assets into groups. Organize your cyber assets by what they do. For example, they could be grouped by the type of software they use and communicate with, or by the specific operation of a critical asset that they support.
- Decide which cyber assets are absolutely essential. This can be done by evaluating their influence on the continued operation of a critical asset.
- Check for cyber assets with qualifying connectivity. In this context, “qualifying connectivity” means that they follow a reliable protocol and can communicate with Electronic Security Perimeters, use routable protocols in a Control Center, or are accessible by dial-up.
- Assemble the cyber assets into a list that defines which ones are essential. Once you’ve zeroed in on which cyber assets are essential to critical assets and which ones meet the aforementioned qualifying connectivity requirements, you’re ready to sort the “critical cyber assets” into a list and document them.
Standard CIP-003: Security Management Controls
This standard is relevant to the cyber security protocols of any bulk electric system. These cyber security procedures protect the electric system from compromise and attacks that could damage assets. Responsible parties for this standard include:
- Balancing Authorities
- Distribution Providers
- Generator Operators or Owners
- Interchange Coordinators
- Reliability Coordinators
- Transmission Owners and Operators.
This standard has a few requirements to make sure that all responsible parties create, review, and implement security policies for staff to be aware of and to follow at all times. Following this standard will ensure the security and safety of the continued operations of critical assets to the bulk electric system.
- Review and approve all cyber security policies every 15 months. Regularly review security policies relevant to cyber security and adjust them if needed. Submit reviews and revisions of policies to senior managers for final approval.
- Identify and implement a documented security plan for cyber assets. Create, document, and implement a plan for the delegation of authority. CIP Senior Managers should specify the name and title of any person to whom they wish to delegate. Their names and positions should be documented, along with the specific actions they are to be responsible for.
- Ensure a compliance monitoring process is in place. This ensures all staff remain in continued compliance with the NERC Reliability Standards. Staying compliant ensures the continued safety, security, and operations of the electric system.
Standard CIP-004: Personnel and Training
This standard ensures that any staff with authorized access to cyber assets, including third parties such as service professionals and contractors, are aware of all security protocols, have undergone a personnel risk assessment, and have had the proper training.
Plans are put in place for security awareness and training and for personnel risk assessments of any potentially authorized personnel. Responsible parties should also always maintain lists of personnel who actively have access to critical cyber assets. This helps keep everyone accountable.
Standard CIP-005: Electronic Security Perimeters
This standard both protects and identifies any Electronic Security Perimeter that houses all critical cyber assets. This includes all access points on the premises. Document that all cyber assets are housed in a security perimeter, ensure cyber assets have non-routable protocols and are accessible via dial-up, and identify and document non-critical cyber assets.
Responsible parties should also have plans in place for:
- Electronic access controls. There should be a documented process that outlines the mechanisms of all electronic access points to the security perimeter.
- Monitoring the access. Electronic access controls should have systems in place for logging and monitoring the access of all critical cyber systems.
- Potential vulnerabilities. Review all cyber security protocols annually, and revise them if any vulnerabilities are detected.
Standard CIP-006: Physical Security of Cyber Assets
Physical security programs also need to be in place to protect critical assets. A physical security plan should be documented and approved by CIP senior management.
Physical access to critical assets should be monitored and logged, and controls should be in place for monitoring the premises at all times. Maintain a physical log of all access for at least 90 days. Maintenance and testing should be done on all these systems, and procedures should be reviewed annually and, if necessary, revised and approved.
Standard CIP-007: System Security Management
This standard defines processes relating to securing systems that are essential to critical cyber assets, as well as certain non-critical assets in a security perimeter.
Test ports and services to ensure that only ports needed for essential operations are opened. Manage security patches, taking care to make sure all security devices are up to date with the latest security software. Create procedures that detect and prevent malicious software, and be familiar with monitoring all security systems.
Standard CIP-008: Incident Reporting and Response Planning
This standard ensures the identification, documentation, and reporting of security incidents related to cyber assets. It requires the development and implementation of a cybersecurity response plan. This includes the ability to implement the plan immediately in the event of a security incident.
This plan should be communicated to any staff who deal with its operations. Like all other security measures, it should be reviewed annually for potential vulnerabilities. After revision, it should always be approved by a senior manager.
Standard CIP-009: Recovery Plans for Critical Cyber Attacks
This is one of the most important standards of all. It ensures that all responsible parties have recovery plans in place in the event of a critical attack that could damage infrastructure or halt the operation of a critical asset. Actions include:
- review and revise security plans
- plan exercises such as drills in preparation for potential attacks
- back up and be able to restore any critical information needed to bring critical assets back online
- make sure all recovery media is easily accessible to authorized personnel on physical backup media
Why is NERC CIP Important?
The critical infrastructure plan ensures that the bulk electrical system remains safe and secure and is continuously able to function. Physical and cyber security protection plans should be put in place to make sure that malicious criminals can’t attack the infrastructure and damage or stop critical assets.
This plan of action is also a guideline for all responsible parties, managers, and staff to follow and comply with to make sure that the operations and security of the electric system are solid. Not only does it help the electric system run like a well-oiled machine, it also holds everyone accountable with suggested compliance procedures.
Planning For Compliance
Any party responsible for maintaining America’s bulk electrical system needs to have a plan for compliance, as well as be able to monitor and enforce compliance measures. Third-party risk assessment is often required or encouraged for regulated industries. Some third-party organizations are highly specialized in the industry they serve, and can help develop plans and hold all responsible parties and staff accountable when the time comes to ensure all systems are secure and all plans are documented.
What is the Impact of Compliance?
Not only does it hold all responsible parties and staff accountable, but the critical infrastructure plan also ensures that the single most important system in our country runs continuously to provide all of the citizens, businesses, and emergency response teams with power. It provides guidelines to keep cyber criminals out, keeping our infrastructure safe and secure. These guidelines give everyone, whether they help maintain the system or just use it, added peace of mind in the stability and security of their power systems.