While it’s not certain that society would become a zombie apocalypse overnight if the power grids failed, it is hard to imagine how any aspect of everyday life would continue in the event of a vast, extended electrical outage. Part of what makes electrical infrastructure resilient against these types of events are the North American Electric Reliability Corporation (NERC) regulatory standards, especially the Critical Infrastructure Protection (CIP) standards, which provide detailed guidelines for both physical and cyber security. The CIP standards evolve along with the available technology and known threats, so they are versioned to provide structured documentation and protocols for companies to move from one iteration of the standards to the next. But the jump from version 3 to version 5 involves many new requirements, so we'll look at some of the differences between the two and what they mean for businesses in the industry.
From v3 to v5
Companies trying to keep up were thrown for a bit of a loop when version 4 of the CIP standards was abandoned and NERC decided the standards would move directly to v5. This caused trouble for companies who now had to map the version 3 standards they were (hopefully) complying with to the new v5 standards, as well as understanding and implementing compliance for several new categories, many of them cybersecurity related.
NERC CIPv5 features the following major new requirements over v3, in addition to many others:
In addition to the many changes found in version 5 of the CIPs, the major change outlined in version 4, regarding CIP-002, the discovery and classification of critical assets, also must be enforced. Companies require a system of record that inventories all of their computer and network assets, as visibility has taken prominence in security standardization.
Compliance to the NERC CIP standards means modernizing the data center and using tools and methods with proven resilience, as well as documenting those measures and regularly testing them for compliance. If this presents a challenge to some companies in the industry, that only speaks to the increasing need for these standards to be enforced, so that our shared critical infrastructure remains secure and operable.
The transition between versions 3 and 5 of the NERC CIPs further show that a true compliance solution must be able to adapt to the changing standard. At UpGuard, we believe that the ability to regularly test all configurations, not just whatever specific pieces are required by a compliance standard, puts companies well ahead of the compliance game, and more importantly, makes them that much more resilient against the threats NERC and other regulatory organizations were created to defend against in the first place.