The last thing any nation wants is a cyber attack on its energy systems that cuts off power and brings the nation to a halt.

This would cripple the nation and could lead to unimaginable losses.

To tackle this problem, NERC CIP standards apply to the nation’s Bulk Electric Systems (BES). This article covers some fundamentals of NERC CIP compliance.

What is NERC CIP?

The CIP in NERC CIP stands for Critical Infrastructure Protection. It is a cybersecurity framework created by the North American Electric Reliability Corporation.

It aims to protect the key utility infrastructure of power generation systems against cyberattacks. NERC CIP is adopted by all critical infrastructure sectors, power generation plants, transmission and distribution networks, and industrial control systems.

It also addresses vulnerable points in the infrastructure, making it more resilient to cyberattacks that could be catastrophic to the power plants and the entire country.

Identifying & Dealing With Power Outages & Cyber Attacks

Many cyber attacks, disasters, and other events involve the compromise of critical systems. This can lead to power outages in cities, halting the nation’s progress.

The Identification and Categorization segment of NERC CIP focuses on such power outages. What led to the outage is a secondary concern; the primary concern is the duration of the outage. Any power outage of more than 15 minutes becomes a matter of serious concern.

This comes under NERC CIP-002-5.1a, which deals with BES identification and categorization.

Security Controls

The purpose of the NERC CIP-003-6 protocol is to provide the baseline standards and guidance for implementing protection mechanisms for the operation of BES Cyber Systems in North America.

In addition, it provides detail on the specific controls that must be identified, designed, integrated, implemented, and maintained as part of an effective security management program to ensure compliance with security requirements.

Training & Background Verification

The current NERC CIP Cyber Security Standards contain many provisions related to the training of people working on the site. This training involves informing all staff and contractors about the cyber risks they could be exposed to, their responsibilities, and how to prevent those risks from materializing.

In addition, background checks play an important role in protecting the cyber assets of the BES and reducing the cyber risk introduced through personnel.

The training covers, but is not limited to, the following aspects:

Visitor control program

Various Cybersecurity policies

BES Cyber System security risks

BES Cyber System: Recovery Plan

Cybersecurity Incidents: Response Plan

This is based on the NERC CIP-004-6 protocol.

Electronic Controls

To expand their control over cyber assets, personnel need to create an electronic security perimeter (ESP) around every component within the BES environment.

According to the NERC CIP standard, the cybersecurity team needs to ensure that all components in a BES are secure from unauthorized intrusion, and it is involved in implementing system hardening measures.

An ESP is established by applying security controls on all devices (endpoints) that connect to a router or a routable protocol. These controls can be hardware-based firewalls, software such as an intrusion detection system (IDS) or even antivirus, or both. With the ESP in place, it is easier to establish controls around other domains to prevent data from crossing into undesired channels.

These perimeters are used to monitor inbound and outbound traffic in real time and to take preventive action (such as blocking traffic or even shutting down servers) when anomalies are detected.

This is based on NERC CIP-005-5.

Final Word

NERC CIP is one of the most important cybersecurity standards adopted within the North American energy industry. Retailers, power marketers, and large consumers come under the NERC CIP compliance scope.

NERC compliance is a must if you are an organization operating certain classes of BES cyber systems. Even if you do not comply with all the requirements of this standard, it is important to be aware of what changes have been made this year.

This is because organizations should also meet the requirements of these Cyber Security Standards to ensure compliance with other standards. As a facility manager, it is important to remain NERC CIP compliant to avoid hefty penalties.

We’re sure this article has helped you better understand the fundamentals of NERC CIP compliance.