The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are a set of mandatory, enforceable requirements that secure and protect the cyber and physical assets operating North America's bulk electric system. NERC CIP exists to protect energy-sector infrastructure from cyber threats and so keep North America's power supply stable and reliable. The electric grid is one piece of infrastructure that, if disrupted by a cyber incident, could significantly affect individuals and entire communities.

This article examines the main NERC CIP standards and how the energy sector can meet their compliance requirements.


What is NERC CIP?

NERC CIP is a set of security standards designed to protect the North American electric grid from potential vulnerabilities and cyber threats.

The North American Electric Reliability Corporation (NERC) was formed in 1968 in response to the Northeast Blackout of 1965. Its purpose is to promote the reliability and adequacy of bulk power transmission across North America. After the September 11 terrorist attacks, the U.S. approach to national security changed dramatically, bringing a heightened focus on protecting energy control systems from physical and cyber threats.

The Energy Policy Act of 2005 added Section 215 to the Federal Power Act. This gave the Federal Energy Regulatory Commission (FERC) authority to certify an Electric Reliability Organization, NERC, to develop and enforce mandatory reliability standards, subject to FERC approval, for all users, owners, and operators of the bulk power system.

FERC approved the first NERC CIP cybersecurity standards (CIP-002 through CIP-009) in 2008. Since then, NERC has added standards to address evolving cyber threats, bringing the total number of enforceable CIP standards to 13.

NERC CIP Standards

The NERC CIP Standards comprise 13 critical infrastructure protection standards that registered entities in the energy sector must follow to be NERC CIP compliant. They are often compared with the NIST Cybersecurity Framework (NIST CSF), and the CIP requirements can be mapped to the CSF functions, but the two differ in kind: the CSF is a voluntary framework for structuring risk management, while NERC CIP is mandatory, auditable, and predates the CSF by several years.

BES refers to the Bulk Electric System, the network of interconnected generation and transmission facilities (generally those operated at 100 kV or higher) that moves power on a large scale; facilities used for local distribution are generally excluded from the definition. This system is the foundation of the power grid and is crucial for the stable supply of electricity to residential, commercial, and industrial users.

The NERC CIP Standards are:

  • CIP-002: BES Cyber System Categorization
  • CIP-003: Security Management Controls
  • CIP-004: Personnel and Training
  • CIP-005: Electronic Security Perimeter(s)
  • CIP-006: Physical Security of BES Cyber Systems
  • CIP-007: System Security Management
  • CIP-008: Incident Reporting and Response Planning
  • CIP-009: Recovery Plans for BES Cyber Systems
  • CIP-010: Configuration Change Management and Vulnerability Assessments
  • CIP-011: Information Protection
  • CIP-012: Communications between Control Centers
  • CIP-013: Supply Chain Risk Management
  • CIP-014: Physical Security

Who Must Comply with NERC CIP?

NERC CIP standards apply to organizations that are registered with NERC in a functional role for North America's bulk electric system (BES). This includes:

  • Electric Utility Companies: Any public or private company that owns or operates generation or transmission facilities on the bulk power system
  • Regional Transmission Organizations (RTOs) and Independent System Operators (ISOs): Organizations that coordinate, control, and monitor the operation of the electrical grid in different regions
  • Power Marketers and Brokers: Entities involved in the sale and trading of electricity on the bulk system, to the extent they are registered for a NERC functional role (market participation alone does not bring an entity into CIP scope)
  • Reliability Coordinators: Organizations responsible for the reliable operation of the bulk electric system within a defined geographic area
  • Generator Owners and Generator Operators: Owners and operators of facilities that generate electricity and are connected to the bulk electric system

Penalties for Noncompliance

If an organization or entity is found to be non-compliant with the NERC CIP standards, it can face various consequences with different levels of severity. Penalties include:

  • Monetary Penalties: FERC may assess civil penalties of up to $1 million per violation per day
  • Operational Repercussions
  • Legal Actions
  • Reputation Damage
  • Audits and Increased Scrutiny
  • Corrective Action Plans
  • Loss of Market Access

How Does NERC CIP Enhance Cybersecurity in the Energy Sector?

Each NERC CIP standard individually enhances areas of cybersecurity for organizations, and collectively, they work together to create comprehensive cybersecurity measures that protect North America’s electric grid. Below are some specific cybersecurity areas enhanced through NERC CIP.

Risk Identification and Management

When it comes to NERC CIP compliance, the first step is crucial. Under CIP-002, each entity identifies its BES Cyber Systems and categorizes them as high, medium, or low impact according to the effect their loss, compromise, or misuse would have on the reliable operation of the BES. That categorization determines which requirements in the remaining standards apply, so it lets organizations concentrate their controls on the systems whose compromise would matter most and limit the impact of any breach.

Establishing Security Perimeters

Under CIP-005 and CIP-006, Electronic Security Perimeters (ESPs) and Physical Security Perimeters (PSPs) must be established around high- and medium-impact BES Cyber Systems. Routable traffic into or out of an ESP passes through an identified Electronic Access Point, where inbound and outbound access is denied by default and each permitted flow is documented with the reason it is allowed. These perimeters are the first line of defense against unauthorized access, and they reduce both the likelihood and the blast radius of a compromise.

Access Control and Personnel Training

NERC CIP's access-control requirements focus on the people granted access to BES Cyber Systems and control centers. CIP-004 requires quarterly security awareness reinforcement, role-based training before access is granted and at least every 15 months thereafter, personnel risk assessments (identity verification and criminal history checks) before access and at least every seven years, and an access management program that authorizes access and revokes it promptly, within 24 hours of a termination. Technical controls complement this: CIP-005 requires that Interactive Remote Access go through an Intermediate System and use multi-factor authentication (MFA). Together these measures ensure the workforce is equipped to recognize and respond to cyber threats and that access does not outlive the need for it.

Incident Response and Reporting

Organizations must take specific measures to ensure they are prepared to handle cyber incidents. CIP-008 requires documented Cyber Security Incident response plans that define roles, handling procedures, and the criteria for classifying an incident as reportable; the plans must be tested at least every 15 months, and reportable incidents must be reported to the Electricity Information Sharing and Analysis Center (E-ISAC) and the appropriate government agency within defined timeframes. CIP-009 requires recovery plans for BES Cyber Systems, including backup and restoration procedures and periodic testing, so that essential services are restored promptly after an incident.

System Security Management

System security management is paramount to preventing service disruption in an organization that operates critical infrastructure. CIP-007 requires that only needed logical network accessible ports and services be enabled, that new security patches be evaluated within 35 calendar days of release and then applied or covered by a mitigation plan, that malicious code be detected and prevented, that security events be logged and monitored, and that system access controls (including changing default passwords) be in place. CIP-010 adds configuration change management: a documented baseline for each system, authorization and security-impact review of changes to it, monitoring for unauthorized changes, and a vulnerability assessment at least every 15 months. Firewalls and intrusion detection support these requirements, but the audit evidence is the baseline, the change records, and the logs.
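As an added illustration (not code from the original article or from NERC), the following script compares an observed host configuration with its approved baseline across the five baseline items CIP-010 R1.1 asks an entity to document, and reports every deviation. The host name, versions, ports, and patch identifiers are constructed for the example and are not taken from any real entity's baseline or audit.

```python
"""Baseline-configuration deviation check.

Added example modelled on the five baseline items NERC CIP-010 R1.1 asks
a Responsible Entity to document per BES Cyber System: OS/firmware,
commercially available or open-source software, custom software, logical
network accessible ports, and applied security patches. The host name,
versions, ports and patch identifiers below are constructed for this
illustration and are not taken from any real entity's baseline or audit.
"""
from dataclasses import dataclass


@dataclass
class Baseline:
    os_firmware: str
    software: dict          # name -> version, commercial / open-source
    custom_software: dict   # name -> version, in-house code
    ports: set              # {(protocol, port)} logical network accessible ports
    patches: set            # identifiers of security patches applied


@dataclass(frozen=True)
class Deviation:
    host: str
    item: str    # which of the five baseline items
    kind: str    # "added" | "removed" | "changed"
    detail: str


def compare(host: str, approved: Baseline, observed: Baseline) -> list:
    """Return every difference between the approved and observed baseline.

    Each deviation is either an unauthorized change or a change whose
    authorization record is missing; both need follow-up under CIP-010 R1.2,
    so nothing here is filtered out as benign.
    """
    devs = []
    if approved.os_firmware != observed.os_firmware:
        devs.append(Deviation(host, "os_firmware", "changed",
                              f"{approved.os_firmware} -> {observed.os_firmware}"))
    # Versioned items: detect additions, removals and version changes.
    for item in ("software", "custom_software"):
        a, o = getattr(approved, item), getattr(observed, item)
        for name in sorted(o.keys() - a.keys()):
            devs.append(Deviation(host, item, "added", f"{name} {o[name]}"))
        for name in sorted(a.keys() - o.keys()):
            devs.append(Deviation(host, item, "removed", f"{name} {a[name]}"))
        for name in sorted(a.keys() & o.keys()):
            if a[name] != o[name]:
                devs.append(Deviation(host, item, "changed",
                                      f"{name} {a[name]} -> {o[name]}"))
    # Set-valued items: an extra open port or a missing patch is a deviation.
    for item in ("ports", "patches"):
        a, o = getattr(approved, item), getattr(observed, item)
        for entry in sorted(o - a):
            devs.append(Deviation(host, item, "added", str(entry)))
        for entry in sorted(a - o):
            devs.append(Deviation(host, item, "removed", str(entry)))
    return devs


def run_example() -> list:
    """Constructed data: a control-centre HMI whose observed state has drifted."""
    approved = Baseline(
        os_firmware="hmi-os 8.6",
        software={"openssh": "8.0p1", "hmi-runtime": "5.2"},
        custom_software={"alarm-forwarder": "1.4"},
        ports={("tcp", 22), ("tcp", 443), ("udp", 123)},
        patches={"patch-2023-01", "patch-2023-02"},
    )
    observed = Baseline(
        os_firmware="hmi-os 8.6",
        software={"openssh": "8.7p1", "hmi-runtime": "5.2", "telnet-server": "0.17"},
        custom_software={"alarm-forwarder": "1.4"},
        ports={("tcp", 22), ("tcp", 23), ("tcp", 443), ("udp", 123)},
        patches={"patch-2023-01"},
    )
    return compare("EMS-HMI-01", approved, observed)


if __name__ == "__main__":
    for d in run_example():
        print(f"{d.host} {d.item:16} {d.kind:8} {d.detail}")
```

In the constructed data the check surfaces four deviations: an unapproved telnet service and its listening port, an OpenSSH version that changed without a baseline update, and a security patch that is recorded as applied but is no longer present. Each would need either a change record under CIP-010 R1.2 or remediation; for high-impact BES Cyber Systems, CIP-010 R2 requires this kind of monitoring for unauthorized changes at least once every 35 calendar days.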

Vendor and Supply Chain Security

As energy infrastructure becomes increasingly complex, organizations must assess and manage the cybersecurity risks posed by third-party services and products. Your organization may have a comprehensive cybersecurity program, but the measures of a vendor or service provider may not match it. CIP-013 requires entities to maintain supply chain cyber security risk management plans for high- and medium-impact BES Cyber Systems that address, during procurement, vendor notification of security incidents and vulnerabilities, coordination of vendor remote access, and verification of the integrity and authenticity of software and patches before they are installed. Third-party risk management of this kind mitigates the risk introduced by each vendor, and because utilities share vendors and interconnections, it matters for the safety and security of the entire industry.

Enhance Your Organization’s Cybersecurity with UpGuard

Cybersecurity is vital to any organization, not just those that provide electricity and power services. If your company wants to enhance your approach to cybersecurity, UpGuard is here to help.

We’re experts in our field, so you can rest assured you’re working with security expertise you can rely on. UpGuard’s security research has also been featured in The New York Times, The New Yorker, The Washington Post, TechCrunch, Bloomberg, Gizmodo, Engadget, Forbes, ZDNet, and The Guardian. We’ve helped hundreds of global healthcare companies protect their customers using UpGuard’s suite of products, including Chapters Health System, Westfund, dorsaVi, and more.

UpGuard BreachSight helps organizations confidently manage their external attack surface by providing continuous monitoring, comprehensive data leak protection, vulnerability management, and proactively addressing and minimizing cyber risks.

For organizations with third-party vendors, UpGuard Vendor Risk streamlines Vendor Risk Management in a single platform, with real-time notifications about your vendors’ security standards. Utilize industry-standard questionnaires, automation workflows, risk assessments, reports on vendor risk, and comprehensive vendor lifecycle management.
