The North American Electric Reliability Corporation Critical Infrastructure Program (NERC CIP) is a set of requirements that is intended to help protect assets required for the reliable operation of North America’s bulk electric system.
These mandatory reliability standards include 9 main standards and 45 requirements regarding the security of electronic parameters, the protection of critical assets, impact assessment, and other important elements of the North American power grid’s security.
According to the NERC website, these 9 standards include
- CIP-001: Covers sabotage reporting
- CIP-002: Requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System
- CIP-003: Requires that responsible entities have minimum security management controls in place to protect Critical Cyber Assets
- CIP-004: Requires that personnel with authorized cyber or unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness
- CIP-005: Requires the identification and protection of the Electronic Security Perimeters inside which all Critical Cyber Assets reside, as well as all access points on the perimeter
- CIP-006: Addresses implementation of a physical security program for the protection of Critical Cyber Assets
- CIP-007: Requires responsible entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the other (non-critical) Cyber Assets within the Electronic Security Perimeters
- CIP-008: Ensures the identification, classification, response, and reporting of cybersecurity incidents related to Critical Cyber Assets
- CIP-009: Ensures that recovery plans are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices.
Covered entities are required to regularly identify critical assets, then perform a risk analysis for each. Entities needing CIP compliance face a significant challenge; identifying, defining, and monitoring critical assets to ensure they meet NERC CIP requirements represents a significant investment in time and resources.
Tips for CIP Compliance
Developing the procedures and audits necessary for CIP compliance requires an exhaustive accounting of how each of the NERC CIP 9 main standards and 45 requirements are met. Knowing where to begin may be intimidating. To ensure NERC CIP compliance, covered entities should begin by following each step on this NERC CIP compliance checklist.
- Document Critical assets. A list of all Critical Cyber Assets (CCAs) located within and outside of control centers need to be maintained by responsible entities. There should be documentation of at least one year’s worth of auditable information for each CCA.
- Ensure security protocols are defined and followed. NERC CIP regulations are, in part, designed to protect highly critical data. Through implementing modern cybersecurity, as well as physical security measures, proving compliance will be easier.
- Have Efficient Impact Assessment Methods. One of the main stumbling points for organizations is not having methods to measure the estimated impact of an event. A strong methodology needs to be in place in order to estimate attacks before they happen as well as the effects of those attacks should they succeed.
- Develop a Strong Security Infrastructure. Maintaining a strong security infrastructure for facilities located in isolated geographic locations is difficult. Having many networks connecting to remote substations significantly adds to the complexity of meeting NERC CIP standards. However, effective policies and technical controls can help provide compliant security for critical infrastructures.
- Implement Accountability and Reliability for All Layers. The requirements for NERC CIP compliance require multiple layers of accountability and maintaining auditable information throughout an organization.
- Provide Strong Security Training and Awareness for Employees. Without individual employees following the right procedures, compliance will be impossible. Investing in, then documenting, security training for employees is an effective way to improve compliance.
Get Help Developing the NERC CIP Compliance Checklist
If your organization is defined as a covered entity under the NERC CIP requirements, contact Patriot for help meeting these requirements.
Our team is experienced in helping organizations of any size develop security standards in a way that allows an easily demonstrable compliance to standards such as NERC CIP. Our team can help develop dashboards, reports and alerts proving compliance.