Overview of NERC CIP Standards

NERC CIP standards (North American Electric Reliability Corporation Critical Infrastructure Protection) are the mandatory security standards that apply to entities that own or manage facilities that are part of the U.S. and Canadian electric power grid. The NERC CIP framework establishes crucial reliability standards to safeguard the North American electric grid from cyber and physical security threats. These standards form the backbone of efforts to protect the grid’s integrity and ensure uninterrupted power supply across the continent.

They were initially approved by the Federal Energy Regulatory Commission (FERC) in 2008. Their wide-ranging requirements drive a significant amount of investment by the regulated utilities and have helped create a foundation of cyber security awareness across the electric utility sector in North America. But it is their role as a model for an emerging set of Operational Technology (OT) cyber security regulations around the world that makes studying them required reading for industrial operators everywhere.

Background and Role of NERC

Origin of NERC

NERC is the North American Electric Reliability Corporation. It was founded in 1968 as the National Electric Reliability Council in response to the Northeast blackout of November 1965, which made the need for utility cooperation apparent. The organization was later renamed to encompass “North America” because the integrated nature of the joint U.S./Canadian power grid made cross-border cooperation a necessity.

NERC is a non-profit body created and funded by the utilities themselves. It operates under the oversight of the Federal Energy Regulatory Commission (FERC), the U.S. government’s energy regulator, which certified NERC as the Electric Reliability Organization (ERO) in 2006 and must approve NERC’s reliability standards before they become enforceable. NERC’s original mandate was the stability and reliability of the grid, not security.

Development and Evolution

Over time, NERC worked with utility experts to create voluntary standards for operations for the industry, and those standards were highly influential in establishing stability within the North American power grid throughout the 1980s and 1990s.

As the need to protect national infrastructure in general became more apparent in the late 1990s (Executive Order 13010 in 1996 created the President’s Commission on Critical Infrastructure Protection, and Presidential Decision Directive 63 followed in 1998), NERC shifted its focus to cyber security, along with some consideration of physical security for issues that could have an impact on interstate commerce.

Discussions about a set of cyber security standards for the industry began in earnest when the attacks of September 11, 2001 gave the effort an increased sense of urgency. Timelines were compressed by several years from what participants had expected, and in 2003 NERC issued Urgent Action Standard 1200, the predecessor of the current NERC CIP standards.

In parallel, the August 2003 blackout in the northeastern U.S. and Ontario led to calls for, and eventually action on, strengthening the obligation of asset owners and operators to follow NERC standards: the Energy Policy Act of 2005 gave FERC the authority to approve and enforce mandatory reliability standards.

List of NERC CIP Standards

Below is an overview of the NERC CIP standards and the critical topics they address. These standards serve as the backbone of security measures, ensuring the resilience and protection of our crucial energy infrastructure.

CIP-001: Sabotage Reporting (retired; event reporting moved to EOP-004)

CIP-002: BES Cyber System Categorization
  • Requires entities to identify their BES Cyber Systems and categorize each as high, medium, or low impact using the criteria in Attachment 1 of the standard.
  • The impact rating determines which of the remaining CIP requirements apply to a given system.

CIP-003: Security Management Controls
  • Requires documented cyber security policies, approved by a designated CIP Senior Manager, and documented delegations of that manager’s authority.
  • Contains the security plan requirements for low impact BES Cyber Systems: awareness, physical security, electronic access controls, incident response, and Transient Cyber Asset and Removable Media controls.

CIP-004: Personnel and Training
  • Security awareness, role-based training, and personnel risk assessments (identity verification and criminal history checks) before access is granted.
  • Access management and timely revocation of access when personnel leave or change roles.

CIP-005: Electronic Security Perimeter(s)
  • Every applicable BES Cyber System on a routable network must reside within a defined Electronic Security Perimeter (ESP); all routable connectivity crossing it must pass through an identified Electronic Access Point with documented inbound and outbound permissions and denial by default.
  • Interactive Remote Access must go through an Intermediate System with encryption and multi-factor authentication; later versions add detection and termination of vendor remote access sessions.

CIP-006: Physical Security of BES Cyber Systems
  • Physical Security Perimeters with controlled access, monitoring and alerting of unauthorized access, access logging, and visitor control.
  • Maintenance and testing of the physical access control systems themselves.

CIP-007: System Security Management
  • Ports and services: disable or restrict logical network accessible ports that are not needed, and protect unused physical ports.
  • Patch management (the 35-day evaluation and action cycle discussed below).
  • Malicious code prevention.
  • Security event monitoring: log and alert on security events, retain logs for 90 days, and review log summaries at least every 15 days.
  • System access control: enforce authentication, inventory shared and default accounts, change default passwords, enforce password length and complexity, and limit or alert on unsuccessful logins.

CIP-008: Incident Reporting and Response Planning
  • Mandates an incident response plan with roles, handling procedures, and criteria for identifying Reportable Cyber Security Incidents.
  • Requires reporting to the E-ISAC and, since CIP-008-6, to CISA, with initial notification within one hour of determining an incident is reportable; plans must be tested at least every 15 months and updated after incidents and tests.

CIP-009: Recovery Plans for BES Cyber Systems
  • Recovery plans with activation conditions, roles, backup and storage processes, and verification that backups are usable.
  • Periodic testing of plans and backup media, with lessons learned folded back into the plan.

CIP-010: Configuration Change Management and Vulnerability Assessments
  • A documented baseline configuration per system (operating system or firmware, commercially available and custom software, logical network accessible ports, applied security patches); changes must be authorized and documented, the baseline updated within 30 days, and security controls verified afterward.
  • Monitoring for baseline changes at least every 35 days for high impact systems; vulnerability assessments at least every 15 months (active assessment every 36 months for high impact); controls for Transient Cyber Assets and Removable Media.

CIP-011: Protection of BES Cyber System Information
  • Identify BES Cyber System Information (BCSI) and protect it in storage, in transit, and in use, including access controls and handling procedures.
  • Prevent unauthorized retrieval of BCSI from storage media before reuse or disposal.

CIP-012: Communications between Control Centers
  • Protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data while it is transmitted between Control Centers, for example by encrypting the links.
  • Identify where the protection is applied and which entity is responsible for each end.

CIP-013: Supply Chain Risk Management
  • A documented supply chain cyber security risk management plan covering the procurement and installation of high and medium impact BES Cyber Systems (later versions add their associated EACMS and PACS).
  • Procurement processes that address vendor notification of incidents and known vulnerabilities, coordination of incident response, notification when vendor remote access should end, verification of software integrity and authenticity, and coordination of controls for vendor remote access.
  • CIP Senior Manager approval of the plan at least every 15 months.

CIP-014: Physical Security of Critical Transmission Stations and Substations
  • Identify Transmission stations and substations (and their primary control centers) whose loss or damage could result in instability, uncontrolled separation, or Cascading, with third-party verification of that identification.
  • Evaluate physical threats and vulnerabilities and develop and implement a physical security plan, including coordination with law enforcement, subject to third-party review.

You can find detailed information on each standard on the NERC website.

The NERC CIP standards cover broadly the same topics as other cybersecurity frameworks, such as the NIST Cybersecurity Framework (CSF) or the CIS Critical Security Controls. Still, they are more prescriptive than those frameworks, and they are enforceable on the entities subject to them, with potentially hefty fines for non-compliance.

Although all of these standards are important and can result in fines if not met, there are a few that warrant further detail and understanding.

Understanding the Core NERC CIP Requirements

Below, we’ll explore the essential NERC CIP requirements that form the backbone of cybersecurity and reliability in the Bulk Electric System (BES). These standards play a pivotal role in protecting BES Cyber Systems from threats and vulnerabilities. We’ll dissect the key standards, shedding light on their specific objectives and significance within the energy sector.

NERC CIP-002: Asset Identification and Classification

To identify and categorize BES Cyber Systems and their associated BES Cyber Assets for applying cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES.

To understand this requirement, two definitions are important:

BES: Bulk Electric System. The Bulk Electric System refers to the electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, generally operated at 100 kV or higher voltage.

BES Cyber System: This term was new in CIP Version 5. The intent was to group “Cyber Assets” (the prior term of art) so that a Responsible Entity (i.e., a utility) could consider how it would protect a system rather than each asset individually. A BES Cyber Asset is a Cyber Asset that, if rendered unavailable, degraded, or misused, would within 15 minutes adversely impact the reliable operation of the BES; a BES Cyber System is one or more BES Cyber Assets logically grouped to perform one or more reliability tasks. For instance, the NERC documentation gives the example of anti-malware, which might be applied to a system as a whole rather than to each asset within it:

“It becomes possible to apply requirements dealing with recovery and malware protection to a grouping rather than individual Cyber Assets, and it becomes clearer in the requirement that malware protection applies to the system as a whole and may not be necessary for every individual device to comply.”

A key focus of CIP-002 is identifying BES Cyber Systems and rating their impact. The standard requires the entity to classify each as having a high, medium, or low impact on the BES, using the impact rating criteria in CIP-002 Attachment 1. Broadly: Control Centers performing Reliability Coordinator, Balancing Authority, or Transmission Operator functions above stated size thresholds are High impact; large generation plants, transmission Facilities at the highest voltages, and Control Centers below the High thresholds are Medium impact; and everything else that meets the BES Cyber System definition (smaller generation and transmission, backup Control Centers below those thresholds, and Distribution Provider protection systems such as UFLS and UVLS) is Low impact. The criteria are prescriptive, but applying them still requires judgment and a complete asset inventory.

Defining these assets is important because the levels of control or security maturity required for High and Medium-impact assets are much greater than those for Low-impact assets. Therefore, comprehensively identifying ALL of an entity’s assets and then carefully categorizing them is critical to successful compliance.

NERC CIP-005: Network Security – Electronic Security Perimeters

To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP-005 focuses on controlling network access to the systems identified under CIP-002: every applicable system on a routable network sits inside an Electronic Security Perimeter, all routable traffic crossing that perimeter passes through an identified Electronic Access Point with documented, default-deny access permissions, and Interactive Remote Access is forced through an Intermediate System with encryption and multi-factor authentication. This is a particular issue today as connectivity to industrial control systems keeps growing. As the industry drives toward more analytics and remote access, the risk to the electric system increases dramatically, and CIP-005 is intended to reduce some of that risk. Monitoring and maintaining segmentation and access control over the network, especially vendor and other third-party remote access, is the focus of this requirement.

NERC CIP-007: System Security Controls

To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).

Of all the CIP standards, this may be the most controversial, not because of the general recognition of the importance of system security controls but because of the prescriptive nature of the standards. Several of the CIP standards are “procedural” in that the entity needs to establish and maintain a process. But others, such as CIP-007, are more “prescriptive” in nature, requiring the entity to take specific actions, regardless of outcomes, to meet the standard satisfactorily.

The particular control that comes under the greatest scrutiny is that related to Patch Management (CIP-007-6 R2):

2.1: A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include identifying a source or sources that the Responsible Entity tracks for the release of cyber security patches for relevant Cyber Assets that are updateable and for which a patching source exists.

2.2: At least once every 35 calendar days, evaluate security patches released since the last evaluation from the source or sources identified in Part 2.1 for applicability.

2.3: For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions:

  • Apply the applicable patches; or
  • Create a dated mitigation plan; or
  • Revise an existing mitigation plan.

Mitigation plans shall include the Responsible Entity’s planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.

2.4: For each mitigation plan created or revised in Part 2.3, implement the plan within its specified timeframe, unless a revision to the plan or an extension of the timeframe is approved by the CIP Senior Manager or delegate.

The prescriptive patch management requirements create significant debate among NERC CIP managers, auditors, and commentators. Whatever one’s view of the trade-off between efficiency and effectiveness, the reality is that the Responsible Entity must run a 35-day clock for every patch source it tracks and document, for each applicable patch, the evaluation, the action taken, and the status of any mitigation plan. See our separate discussion of ICS patch management for more.
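The 35-day clocks in Parts 2.2 through 2.4 are easy to state and easy to miss in practice, because each one starts from a different event: the cadence clock starts at the previous evaluation, the action clock at the evaluation that assessed a given patch, and the mitigation clock at whatever date the plan itself commits to. The following Python script is an added example, not part of the original article or of any NERC material, that replays constructed evaluation and patch records for a hypothetical HMI server and reports where each clock was missed. The record layout, patch identifiers, and dates are all invented for illustration; a real program would be fed from the entity’s patch-source tracking and change records.

```python
"""Replay of the CIP-007-6 R2 patch clocks over constructed records (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Parts 2.2 and 2.3 each allow 35 calendar days; Part 2.4 uses the date committed in the plan.
WINDOW = timedelta(days=35)


@dataclass
class Evaluation:
    completed: date   # date the applicability evaluation was completed (Part 2.2)
    patches: tuple    # patch identifiers assessed in that evaluation


@dataclass
class Patch:
    patch_id: str
    released: date
    applicable: bool
    action: Optional[str] = None           # "applied" or "mitigation_plan" (Part 2.3); None if nothing yet
    action_date: Optional[date] = None
    plan_deadline: Optional[date] = None   # timeframe committed in the mitigation plan (Part 2.4)
    plan_implemented: bool = False


def evaluation_findings(evaluations, today):
    """Part 2.2: consecutive evaluations may be no more than 35 calendar days apart,
    and the next evaluation falls due 35 days after the latest one."""
    findings = []
    evals = sorted(evaluations, key=lambda e: e.completed)
    for prev, cur in zip(evals, evals[1:]):
        if cur.completed > prev.completed + WINDOW:
            findings.append(f"2.2 gap: {prev.completed} -> {cur.completed} exceeds 35 days")
    if evals and today > evals[-1].completed + WINDOW:
        findings.append(f"2.2 overdue: no evaluation since {evals[-1].completed}")
    return findings


def patch_findings(patches, evaluations, today):
    """Parts 2.3 and 2.4: every applicable patch needs an action within 35 days of the
    evaluation that assessed it, and a mitigation plan must be implemented by its own date."""
    findings = []
    latest_eval = max(e.completed for e in evaluations)
    assessed = {}
    for e in sorted(evaluations, key=lambda e: e.completed):
        for pid in e.patches:
            assessed.setdefault(pid, e.completed)  # the clock starts at the first evaluation covering it
    for p in patches:
        if p.patch_id not in assessed:
            # A patch released before the latest evaluation should have been assessed in it.
            if p.released < latest_eval:
                findings.append(f"unevaluated: {p.patch_id} released {p.released}, "
                                f"missed by evaluation of {latest_eval}")
            continue
        if not p.applicable:
            continue
        deadline = assessed[p.patch_id] + WINDOW
        if p.action is None:
            if today > deadline:
                findings.append(f"2.3 overdue: {p.patch_id} had no action by {deadline}")
        elif p.action_date > deadline:
            findings.append(f"2.3 late: {p.patch_id} acted on {p.action_date}, due {deadline}")
        if (p.action == "mitigation_plan" and not p.plan_implemented
                and p.plan_deadline is not None and today > p.plan_deadline):
            findings.append(f"2.4 overdue: mitigation plan for {p.patch_id} due {p.plan_deadline}")
    return findings


# Constructed records for one hypothetical HMI server; not real compliance evidence.
EVALUATIONS = [
    Evaluation(date(2024, 1, 10), ("KB-A", "KB-B")),
    Evaluation(date(2024, 2, 12), ("KB-C",)),   # 33 days after the prior one: compliant
    Evaluation(date(2024, 3, 25), ()),          # 42 days after the prior one: a Part 2.2 gap
]
PATCHES = [
    Patch("KB-A", date(2024, 1, 3), True, "applied", date(2024, 2, 1)),
    Patch("KB-B", date(2024, 1, 5), False),                                # evaluated, not applicable
    Patch("KB-C", date(2024, 2, 1), True, "mitigation_plan", date(2024, 3, 1),
          plan_deadline=date(2024, 3, 15)),                              # plan made in time, never executed
    Patch("KB-D", date(2024, 3, 1), True),                                 # never assessed
]
TODAY = date(2024, 4, 1)

if __name__ == "__main__":
    for line in evaluation_findings(EVALUATIONS, TODAY) + patch_findings(PATCHES, EVALUATIONS, TODAY):
        print(line)
```

KB-B produces no finding: it was evaluated on time and judged not applicable, which is a compliant outcome as long as the evaluation record exists. The unevaluated patch KB-D is flagged against the evaluation that should have caught it, not against its release date, because Part 2.2 measures from the last evaluation: a patch released the day after one evaluation legitimately waits for the next.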

NERC CIP-010: Change & Vulnerability Management

To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the Bulk Electric System (BES).

CIP-010 ensures that the system, established initially to be secure, maintains that security over time. This applies to configurations that may drift over time due to adjustments to ports, services, rules settings, etc., and to new vulnerabilities identified in software.

This standard creates many challenges for utilities, but two stand out. The first is managing the change process so that the human processes of documenting and approving changes line up with what actually happens on the systems. Entities need to map their approvals to the observed results on each system and be able to monitor, record, and retrieve those changes to demonstrate compliance to auditors.

The second is vulnerability assessment, which is complicated by the sensitivity of cyber assets within industrial control systems. Traditional IT vulnerability scanners can crash or damage sensitive ICS devices, so entities must define an ICS-safe approach to identifying new vulnerabilities (for example, passive inventory and offline comparison against vendor advisories rather than active probing of live controllers). Unfortunately, the volume of newly published ICS vulnerabilities keeps growing, with an increase of almost 50% in 2020 and a similar rate in 2021.
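Part 1.1 of CIP-010 fixes what a baseline must contain (operating system or firmware, commercially available and custom software, logical network accessible ports, and applied security patches), and for high impact systems Part 2.1 requires a check for changes to it at least once every 35 calendar days, with any unauthorized change documented and investigated. The Python below is an added example, not the article’s or Verve’s own code, showing the core of that check: diff an observed snapshot against the documented baseline and tie every difference back to an authorized change ticket. The asset, its configuration, and the ticket numbers are constructed. How the snapshot is collected from a live device, and whether that collection is safe for the device, is exactly the ICS-safety question raised above, so the example takes the snapshot as given.

```python
"""Baseline drift detection in the spirit of CIP-010 R1/R2 over constructed snapshots (added example)."""

# CIP-010 R1 Part 1.1 baseline elements. "os" is a single string; the others are sets of items.
BASELINE_ELEMENTS = ("os", "software", "ports", "patches")


def diff_baseline(baseline, current):
    """Return (element, kind, item) tuples for every difference between the documented
    baseline and the observed configuration."""
    changes = []
    for element in BASELINE_ELEMENTS:
        old, new = baseline[element], current[element]
        if isinstance(old, str):
            if old != new:
                changes.append((element, "changed", f"{old} -> {new}"))
            continue
        for item in sorted(set(new) - set(old)):
            changes.append((element, "added", item))
        for item in sorted(set(old) - set(new)):
            changes.append((element, "removed", item))
    return changes


def classify_changes(changes, approved):
    """Attach the authorizing change ticket (R1 Part 1.2) to each change, or mark it
    UNAUTHORIZED so it can be documented and investigated (R2 Part 2.1)."""
    return [(*change, approved.get(change, "UNAUTHORIZED")) for change in changes]


def unauthorized_changes(baseline, current, approved):
    """The subset of changes with no authorizing ticket: the investigation list."""
    return [c[:3] for c in classify_changes(diff_baseline(baseline, current), approved)
            if c[3] == "UNAUTHORIZED"]


# Constructed data for one hypothetical HMI server; not taken from a real asset.
BASELINE = {
    "os": "Windows Server 2019 build 17763",
    "software": {"HMI 4.2", "OPC Server 1.0"},
    "ports": {"tcp/22", "tcp/502"},
    "patches": {"KB5000"},
}
CURRENT = {                                  # what a 35-day monitoring pass observed
    "os": "Windows Server 2019 build 17763",
    "software": {"HMI 4.3", "OPC Server 1.0"},
    "ports": {"tcp/22", "tcp/502", "tcp/445"},
    "patches": {"KB5000", "KB5001"},
}
APPROVED = {                                 # tickets from the entity's change process (invented)
    ("software", "removed", "HMI 4.2"): "CR-101",
    ("software", "added", "HMI 4.3"): "CR-101",
    ("patches", "added", "KB5001"): "CR-101",
}

if __name__ == "__main__":
    for row in classify_changes(diff_baseline(BASELINE, CURRENT), APPROVED):
        print(row)
```

The HMI upgrade appears as two changes (one removed, one added) that both map to CR-101, and the new patch maps to the same ticket; the new listener on tcp/445 maps to nothing and is the item to investigate. Keying the approval map on the exact (element, kind, item) tuple is deliberate: a ticket that authorized “upgrade HMI” does not silently cover a port that opened alongside the upgrade.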

NERC CIP-013: Supply Chain Security

To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.

CIP-013 has become one of the “hottest” topics in NERC CIP since the public disclosure of the SolarWinds compromise in December 2020. Executive Order 14028 (May 2021), Congressional hearings, and software industry mandates all followed, and software supply chain risk became a front-page story. CIP-013-1 had already been approved and took effect on October 1, 2020, so the requirements were in place when SolarWinds broke, but attention and enforcement focus have accelerated since. Compliance with CIP-013 may eventually call for detailed Software Bills of Materials (SBOMs) for new components deployed into the BES, which would in turn shape vendors’ software development practices over time.

We would expect the requirements of this part of the standard to grow over time as more is learned about how to implement these supply chain risk management processes.
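CIP-013 R1 Part 1.2.5 already requires a process for verifying the integrity and authenticity of software and patches before they are placed in the operating environment, and an SBOM that carries per-component hashes is one practical input to that check. The Python below is an added example, not code from the article or from any vendor, that verifies constructed delivery files against a minimal CycloneDX-style SBOM. The SBOM fields bomFormat, specVersion, components, and hashes are used as CycloneDX defines them; the “file” property that maps a component to a delivered file name is this example’s own convention, the file contents are invented, and the hashes are computed in the script from those contents so that it runs offline (a real SBOM arrives with the vendor’s hashes already present).

```python
"""Verifying delivered software against SBOM hashes (added example)."""
import hashlib
import json

# Constructed vendor delivery: these bytes stand in for firmware or installer files.
VENDOR_FILES = {
    "hmi-runtime-4.3.bin": b"hmi runtime build 4.3 (constructed bytes)",
    "protocol-stack-2.1.bin": b"dnp3/modbus protocol stack 2.1 (constructed bytes)",
    "helper-lib-0.9.bin": b"helper library 0.9 (constructed bytes)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A minimal CycloneDX-style SBOM as the vendor might supply it. The hashes are computed here
# from the constructed bytes so the example is self-contained; the "file" property is this
# example's own convention for mapping a component to a delivered file name.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "name": "hmi-runtime", "version": "4.3",
         "properties": [{"name": "file", "value": "hmi-runtime-4.3.bin"}],
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(VENDOR_FILES["hmi-runtime-4.3.bin"])}]},
        {"type": "library", "name": "protocol-stack", "version": "2.1",
         "properties": [{"name": "file", "value": "protocol-stack-2.1.bin"}],
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(VENDOR_FILES["protocol-stack-2.1.bin"])}]},
        {"type": "library", "name": "helper-lib", "version": "0.9",
         "properties": [{"name": "file", "value": "helper-lib-0.9.bin"}]},          # no hash supplied
        {"type": "library", "name": "logging-agent", "version": "1.2",
         "properties": [{"name": "file", "value": "logging-agent-1.2.bin"}],
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},                    # listed, never delivered
    ],
})

# What actually arrived on the delivery media: the protocol stack differs from what the SBOM describes.
DELIVERED_FILES = dict(VENDOR_FILES)
DELIVERED_FILES["protocol-stack-2.1.bin"] = VENDOR_FILES["protocol-stack-2.1.bin"].replace(b"2.1", b"2.2")


def verify_sbom(sbom_json: str, delivered: dict) -> dict:
    """Return {component name: status}, where status is ok, mismatch, no-hash or not-delivered.
    Only a hash match is evidence of integrity; the other three all need follow-up."""
    results = {}
    for comp in json.loads(sbom_json)["components"]:
        name = comp["name"]
        file_name = next(p["value"] for p in comp.get("properties", []) if p["name"] == "file")
        expected = next((h["content"].lower() for h in comp.get("hashes", []) if h["alg"] == "SHA-256"), None)
        if file_name not in delivered:
            results[name] = "not-delivered"
        elif expected is None:
            results[name] = "no-hash"
        elif sha256_hex(delivered[file_name]) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


if __name__ == "__main__":
    for name, status in verify_sbom(SBOM_JSON, DELIVERED_FILES).items():
        print(f"{name}: {status}")
```

Only “ok” is evidence of integrity. A component with no hash cannot be verified from the SBOM at all and needs a signature or an out-of-band hash from the vendor; a mismatch means the delivered file is not what the SBOM describes, whether through tampering or a packaging error; and a listed but undelivered component is a gap in the delivery. None of this establishes authenticity, which requires a signature over the SBOM itself or over the files it describes.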

Because CIP compliance is mandatory and compliance is primarily driven by self-reporting or through the audit cycle, a successful CIP compliance program will include a constant drive to produce and maintain evidence of compliance. Each procedure should have evidence of its successful performance; that evidence should be sampled and reviewed periodically for completeness and correctness; that evidence should be archived in easily retrievable manners so that compliance can be demonstrated quickly when needed.

Producing this evidence-based structure requires an integrated approach combining dedicated compliance personnel who design and gather evidence with input and cooperation from operations personnel who have and supply the evidence. This structure is typically replicated across each business unit or functional organization in large utilities.

Impact on North American Electric Utilities

NERC CIP Standards: Investment and Risk of Fines

If you are a North American electric utility, the NERC CIP standards require significant investment – and risk of fines. While most fines are in the low five-figure range, fines of over a million dollars have been issued for a systemic series of violations. But, the negative impact of a poor audit finding is more than the fine. Self-reported violations or negative audit findings create management challenges with boards, shareholders, regulators, and other stakeholders.

Global Relevance

The Shift Towards Prescriptive OT Cyber Security Regulations

The NERC CIP standards are instrumental in ensuring the security and reliability of the North American power system in the face of evolving cyber threats, which gives them importance beyond compliance. Beyond the power utilities that are their direct subjects, industrial organizations worldwide should understand these standards and prepare for similar requirements in their own sectors. Critics of NERC CIP may find this unwelcome, but the emerging OT cyber security regulations around the world lean further toward the “prescriptive” end than regulation historically has. Even where they end up as “NERC-CIP-lite,” they will likely be more prescriptive than what came before.

International Examples and Emerging Trends

TSA Pipeline Cyber Security Standards: A Closer Look

Recent examples include the TSA pipeline cyber security directives issued in 2021 after the Colonial Pipeline incident. According to the redacted version available online, security requirements include:

  • Implementing network segmentation, with specific requirements for how that segmentation must be built, for instance prohibiting OT protocols from traversing IT systems unless through an encrypted point-to-point tunnel
  • Running anti-virus scans across IT and OT every week
  • Implementing patches (or documenting why they have not been implemented) within a specific timeframe, similar to the debated NERC CIP-007 requirement discussed above
  • And many others

Adoption of NERC CIP in Chile and the Middle East

Other examples are Chile, where the Coordinador Eléctrico Nacional (CEN), the country’s national electricity coordinator, has adopted the NERC CIP standards, and the Middle East, where regulators such as the Dubai Electronic Security Center (DESC) have adopted more prescriptive OT cyber security requirements.

Impact on the Future of OT Security Regulation

The future of OT cyber security regulation is clear: more prescriptive requirements and more auditing by regulatory bodies.

This will require a significant shift in mindsets, investments, and efforts among industrial organizations worldwide. It took the North American electric power sector eight years from the first approval of NERC standards to robust audits under the “version 5” standard…and another five years to today. Because the risks are even more significant, we would expect these new regulatory standards to be adopted more urgently than NERC CIP was. This will mean less time to prepare and evolve than in North America.

The good news is that after almost 15 years of trial and error, there are significant learnings from the North American power industry in increasing cyber security and addressing these growing regulatory prescriptions. They and their industry partners have developed new technologies and processes. But one of the key learnings is this takes time. The earlier an organization begins its cyber security journey, the less painful the eventual regulatory burden is.

Cyber security is often referred to as “defense in depth.” Whether that phrase is a perfect summary of the modern threats, there is no question that success requires foundational elements, and those foundational elements take time. An organization cannot just jump to maturity “5”. The earlier it begins to draw its path – using NERC CIP and other frameworks as its guideposts – the more feasible it will be to achieve future regulatory compliance.

5 Steps for Compliance Success

Verve personnel have experience in designing these evidence structures, supplying the underlying expertise needed to ensure that procedures produce compliant results, and guiding the integration needed to build the human structure the program needs to succeed. The Verve Security Center software then adds the ability to perform many of the automated tasks needed to succeed with the compliance structure without overloading operational personnel. Please see our regulatory success whitepaper for more information.

