What is the NERC CIP?
NERC Critical Infrastructure Protection, or simply NERC CIP, is a set of compliance requirements designed to secure assets connected to North America’s power infrastructure. The mandates falling under NERC CIP cover the operational assets of power and utility companies, including the critical assets required to operate the Bulk Electric System (BES, commonly referred to as the power grid), and seek to protect key cyber assets from the risk of manipulation by adversarial entities. At its core, NERC CIP mandates ensure that the power sector functions with less scope for disruption caused by cyberattacks.
Since 2008, the CIP has been updated multiple times, and recently four new standards have been introduced which will become due for enforcement. Specifically, the NERC CIP standards focus on the physical and digital safety of the power plants, control centers, transmission stations, lines, and towers that constitute the power grid. NERC CIP establishes a series of controls, processes, audit mechanisms, and evidence management measures to reduce the risk of disruption due to cyberattacks.
While there are 12 enforceable standards mandated by NERC CIP, the following are the ones related to cybersecurity:
CIP-002-5.1a: Cybersecurity — BES Cyber System Categorization
Mandate: This standard requires identifying the systems that come under the purview of NERC CIP. Without a clear inventory of the assets to be protected, any protection measure may fall short because gaps will emerge.
Implication: Make sure all assets are accounted for, and that no device runs on your network without being part of a documented inventory. Entities are to categorize BES Cyber Systems based on the impact of their associated facilities. This can also be extended to underscore the importance of conducting periodic vulnerability assessments.
CIP-003-8: Cybersecurity — Security Management Controls
Mandate: Spells out the security management controls that establish the responsibility and accountability necessary to secure cyber systems against cyberattacks that could lead to disruption of operations or systemic instability.
Implication: Organizations need to call out the controls they have established to protect the assets identified for protection. This includes security roles and responsibilities, programs, and the steps taken to secure such assets. Entities should establish these controls in a manner that minimizes the risk of a cyberattack.
CIP-005-6: Cybersecurity — Electronic Security Perimeter(s)
Mandate: Deals with access control for cyber systems by specifying a controlled Electronic Security Perimeter, in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES.
Implication: Organizations need to know who has access to what and ensure that access is granted only where there is a demonstrated need. The perimeter here refers to a digital zone that protects key assets from unauthorized access.
CIP-007-6: Cybersecurity — System Security Management
Mandate: To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES).
Implication: Mandates the maintenance of the security processes and of the records and documentation that support them, including the security activities mentioned earlier.
CIP-008-6: Cybersecurity — Incident Reporting and Response Planning
Mandate: To ensure that business continuity and reliable operations are not affected by a cybersecurity incident.
Implication: Be prepared to respond to any cyber incident with a clear plan and action. Document every step of the plan and ensure that all stakeholders are on board as far as the execution goes.
CIP-009-6: Cybersecurity — Recovery Plans for BES Cyber Systems
Mandate: To recover the reliability functions performed by BES Cyber Systems through specific recovery plan requirements, in support of the continued stability, operability, and reliability of the BES.
Implication: Deals specifically with disaster recovery. How do you get back on your feet after an incident?
CIP-010-3: Cybersecurity — Configuration Change Management and Vulnerability Assessments
Mandate: To detect and prevent unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements, in support of protecting BES Cyber Systems from compromise that could lead to disruption or instability in the Bulk Electric System (BES).
Implication: Organizations should be secured against unauthorized configuration changes that could lead to large-scale disruption. A system should be in place to prevent unmonitored, unauthorized, and unsupervised changes.
CIP-011-2: Cybersecurity — Information Protection
Mandate: To prevent unauthorized access to BES Cyber System information by specifying information protection requirements, in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES).
Implication: Goes deeper into the security provisions to ensure that specific elements and assets are protected. The responsible entity should implement a documented information protection program and be able to provide evidence of that program.
CIP-013-1: Cybersecurity — Supply Chain Risk Management
Mandate: To mitigate the cyber risks to sustainable operations by implementing supply chain risk management controls for BES Cyber Systems.
Implication: Requires responsible entities to develop one or more documented supply chain cybersecurity risk management plan(s) for high and medium impact BES Cyber Systems. It also requires organizations to retain evidence of compliance for the period since the last audit. If an organization has been non-compliant, the information related to the non-compliance should be retained until the mitigation measures are approved.
Penalties for non-compliance
For every violation, entities could be fined up to $1 million, the maximum fine stipulated.