The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) regulates various standards that secure and protect assets operating North America’s bulk electric system. NERC CIP is a regulation for protecting energy sector infrastructure from cyber threats, ensuring North America's stable and reliable power supply. The electric grid is one piece of infrastructure in North America that, if affected by a cyber incident, could significantly impact individuals and the community.
This article will examine the main regulation standards of NERC CIP and how the energy sector can meet compliance requirements.
What is NERC CIP?
The North American Electric Reliability Corporation (NERC) was formed in 1968 in response to the Northeast Blackout of 1965. They aim to promote the reliability and adequacy of bulk power transmission across North America. After the September 11 terrorist attacks, the approach to U.S. national security dramatically changed, bringing a heightened focus on protecting energy control systems from physical and cyber threats.
In 2005, the Energy Act introduced Section 215 to the Federal Power Act. This gave the NERC and the Federal Energy Regulatory Commission (FERC) the power to establish and enforce reliability standards for all power grid parties, including users, owners, and operators.
The FERC approved the first NERC CIP standards (CIP-001 to CIP-009) in 2008. As time passed, NERC CIP added new standards to address evolving cyber threats, bringing the total number of standards up to 13.
NERC CIP Standards
The NERC CIP Standards provide 13 critical infrastructure protection requirements that organizations in the energy sector must adhere to to be NERC CIP compliant. These standards are heavily influenced by the NIST Cybersecurity Framework (NIST CSF), a gold cybersecurity standard for organizations to improve their risk management.
BES refers to the Bulk Electric System, a network of interconnected electrical assets that generate, transmit, and distribute power on a large scale. This system is the foundation of the power grid—and is crucial for the stable supply of electricity to residential, commercial, and industrial users.
The NERC CIP Standards are:
- NERC CIP-002-5.1a - Categorization of BES Cyber Systems: Requires organizations to identify assets that must be secured from cybersecurity risks to prevent any damage to the BES. Once identified, assets are categorized (high, medium, or low) and secured with appropriate controls.
- NERC CIP-003-8 - Security Management Controls: Identifies security controls that must be implemented to safeguard BES cyber systems from compromise. Security controls focus on electronic security perimeters, reporting protocols, building cybersecurity awareness, etc.
- NERC CIP-004-6 - Personnel & Training: Requires organizations to conduct security awareness training with employees at least once a year to keep personnel updated on best practices for safeguarding assets on the BES
- NERC CIP-005-7 - Electronic Security Perimeter(s): Details requirements for protecting the network security of BES assets via electronic security perimeters (ESPs). This includes defined ESPs, electronic access points (EAPs), access permissions, etc.
- NERC CIP-006-6 - Physical Security of BES Cyber Systems: Identifies physical security requirements, including physical access controls, monitoring for unauthorized access, alarm systems, physical access logs, etc.
- NERC CIP-007-6 - System Security Management: Explains how security systems safeguarding BES assets should be managed, including disabling ports if they present security risks, installing security patches, removing malicious code, etc.
- NERC CIP-008-6 -Incident Reporting and Response Planning: Details how entities should develop incident reporting plans for any type of cyber incident, including procedures, optimization, testing requirements, etc
- NERC CIP-009-6 - Recovery Plans for BES Cyber Systems: Provides requirements for recovery planning, including roles/responsibilities for incident responders, data backups to restore functionality of the BES, data preservation measures, testing timelines, etc.
- NERC CIP-010-4 - Configuration Change Management and Vulnerability Assessments: Details security requirements if an organization changes configurations. Requires organizations to conduct a vulnerability assessment every 15 calendar days or whenever a new asset is added to the productive environment
- NERC CIP-011-2 - Information Protection: Organizations must protect information critical to operating BES systems during storage, transit, and use
- NERC CIP-012-1 - Communications Between Control Centers: Protects information and data that is transferred between one control center to another by requiring organizations to create a risk mitigation plan, which includes identified roles, security measures or real-time assessment, and owners/operators of control centers.
- NERC CIP-013-2 - Supply Chain Risk Management: Entities must develop a supply chain risk management plan for any medium or high-impact BES assets
- NERC CIP-014-3, Physical Security: Details physical security requirements, including risk assessments conducted by unaffiliated third parties at transmission stations and substations that can identify recommended changes to meet security needs.
Who Must Comply with NERC CIP?
NERC CIP standards primarily apply to organizations and entities involved in North America's bulk electric system (BES). This includes:
- Electric Utility Companies: Any public or private company involved in the process of generating, transmitting, or distributing electricity on the bulk power system
- Regional Transmission Organizations (RTOs) and Independent System Operators (ISOs): Organizations that coordinate, control, and monitor the operation of the electrical grid in different regions
- Power Marketers and Brokers: Entities involved in the sale and trading of electricity on the bulk system
- Electric Reliability Coordinators: Geographic-specific organizations responsible for the reliable operation of the bulk electric system
- Generators and Generator Owners: Owners and operators of facilities that generate electricity and are connected to the bulk electric system
Penalties for Noncompliance
If an organization or entity is found to be non-compliant with the NERC CIP standards, it can face various consequences with different levels of severity. Penalties include:
- Monetary Penalties
- Operational Repercussions
- Legal Actions
- Reputation Damage
- Audits and Increased Scrutiny
- Corrective Action Plans
- Loss of Market Access
How Does NERC CIP Enhance Cybersecurity in the Energy Sector?
Each NERC CIP standard individually enhances areas of cybersecurity for organizations, and collectively, they work together to create comprehensive cybersecurity measures that protect North America’s electric grid. Below are some specific cybersecurity areas enhanced through NERC CIP.
Risk Identification and Management
When it comes to NERC CIP compliance, the first step is crucial. It involves identifying the critical cyber assets that support the energy infrastructure and assessing their associated risks. This process enables organizations to focus their cybersecurity efforts on the most vital infrastructure elements. By doing so, they can better protect their assets from cyber threats and minimize the impact of any potential breaches.
Establishing Security Perimeters
According to NERC CIP standards, electronic and physical security perimeters must be established around critical cyber assets. These perimeters serve as a first line of defense, functioning as barriers against unauthorized access. Organizations can protect their critical assets from malicious attacks and cyber threats by implementing these security measures. In addition, these perimeters can help mitigate the risk of data breaches and other security incidents, providing peace of mind to both organizations and their customers.
Access Control and Personnel Training
NERC CIP requirements for access control focus on personnel with access to critical systems and control centers. These include cybersecurity measures like multi-factor authentication (MFA), physical device security, accessing data through secured networks, and more. Additionally, ongoing cybersecurity awareness and training programs ensure that the workforce is equipped to identify and respond to potential cyber threats. These measures are crucial for maintaining the security and integrity of critical systems and protecting against potential breaches.
Incident Response and Reporting
Organizations must take specific measures to ensure they are prepared to handle cyber incidents. This includes developing and implementing incident response plans, establishing reporting mechanisms, and ensuring quick and effective responses to possible incidents. By following these standards, organizations can better protect themselves and their customers from the potential harm caused by cyber attacks. Having disaster recovery and business continuity plans ensures that essential services are restored promptly.
System Security Management
System security management is paramount to prevent service disruption in an organization that handles critical infrastructure. NERC CIP standards require various technical security controls, such as firewalls, intrusion detection systems, and anti-malware software. Regular audits and updates are necessary to ensure these measures effectively protect against emerging cyber threats.
Vendor and Supply Chain Security
As the energy infrastructure becomes increasingly complex, organizations must assess and manage cybersecurity risks posed by third-party services and products. Your organization may have a comprehensive cybersecurity approach, but when working with providers or third parties, their measures may not match yours. Third-party risk management helps mitigate any risk presented by utilizing vendors. NERC CIP mandates this, which is crucial for the safety and security of the entire industry.
Enhance Your Organization’s Cybersecurity with UpGuard
Cybersecurity is vital to any organization, not just those that provide electricity and power services. If your company wants to enhance your approach to cybersecurity, UpGuard is here to help.
We’re experts in our field, so you can rest assured you’re working with security expertise you can rely on. UpGuard’s security research has also been featured in The New York Times, The New Yorker, The Washington Post, TechCrunch, Bloomberg, Gizmodo, Engadget, Forbes, ZDNet, and The Guardian. We’ve helped hundreds of global healthcare companies protect their customers using UpGuard’s suite of products, including Chapters Health System, Westfund, dorsaVi, and more.
UpGuard BreachSight helps organizations confidently manage their external attack surface by providing continuous monitoring, comprehensive data leak protection, vulnerability management, and proactively addressing and minimizing cyber risks.
For organizations with third-party vendors, UpGuard Vendor Risk streamlines Vendor Risk Management in a single platform, with real-time notifications about your vendors’ security standards. Utilize industry-standard questionnaires, automation workflows, risk assessments, reports on vendor risk, and comprehensive vendor lifecycle management.