How to Efficiently and Effectively Achieve NERC CIP Compliance
The NERC CIP standards are the mandatory security standards that apply to entities that own or manage facilities that are part of the U.S. and Canadian electric power grid.
They were initially approved by the Federal Energy Regulatory Commission (FERC) in 2008. Their wide-ranging requirements drive a significant amount of investment by the regulated utilities and have helped create a foundation of cyber security awareness across the electric utility sector in North America. But it is their role as a model for an emerging set of Operational Technology (OT) cyber security regulations around the world that should make them required reading for industrial operators everywhere.
NERC is the North American Electric Reliability Corporation. NERC was founded in 1968 as the National Electric Reliability Council in response to the northeastern U.S. blackouts of the 1960s, most notably the Northeast blackout of November 1965, as the need for cooperation among utilities became apparent. The organization was later renamed to encompass “North America” as the integrated nature of the joint U.S./Canadian power grid made the need for cross-border cooperation clear.
NERC is a non-profit body created and funded by the utilities themselves. It operates under the oversight of the Federal Energy Regulatory Commission, the United States government’s regulatory entity for energy. Its original mandate was the stability and reliability of the grid, not security.
Over time, NERC worked with utility experts to create voluntary standards for operations for the industry, and those standards were highly influential in the establishment of stability within the North American power grid throughout the 1980s and 1990s.
As the need to protect national critical infrastructure became more apparent in the late 1990s, marked by President Clinton’s Executive Order 13010 of 1996 and Presidential Decision Directive 63 (PDD-63) of 1998, NERC shifted its focus to include cyber security, along with some consideration of physical security, for issues that could have an impact on interstate commerce.
Discussions about creating a set of cyber security standards for the industry were already underway when the events of 9/11/2001 gave the effort a new sense of urgency. Timelines were compressed by several years from what participants at the time had expected, and in 2003 NERC issued an Urgent Action Standard (1200) that served as the predecessor of the current CIP standards.
In parallel, the major outage of August 2003 across the northeastern US and Ontario led to calls, and eventually action, to make the NERC standards binding on asset owners and operators. Under the Energy Policy Act of 2005, FERC certified NERC in 2006 as the Electric Reliability Organization (ERO) for the US bulk power system, operating under FERC oversight, and NERC standards became mandatory and enforceable, with NERC able to assess penalties subject to FERC review. While most penalties are in the low five-figure range, penalties of over a million dollars have been issued for systemic series of violations.
NERC standards are created by drafting teams composed of industry experts, often based upon general directives issued by FERC staff, and are subjected to multiple rounds of review and comment before being voted on and, usually, approved by the NERC membership, the NERC Board of Trustees, and the FERC commissioners.
NERC standards belong to family groups reflected in their names. For example, the BAL standards cover activities required of Balancing Authorities, which balance generation and load within a region, and the MOD standards cover modeling activity required of transmission and generation operators. The CIP standards are named for Critical Infrastructure Protection, a general term that arose in the aftermath of the original Clinton directives.
The first version of the CIP standards was released in 2006 and approved by the Federal Energy Regulatory Commission in 2008. That core body of standards went through what are generally considered to be five versions before revision numbering was abandoned for the body as a whole in favor of tracking versions of individual standards. Versions 3 and 5 represented significant steps forward for the industry as a whole. With the change to per-standard revision monitoring, incremental changes such as the addition of a supply chain security standard and consideration for better support for virtualization have been possible.
As of this writing, the NERC CIP standards are:

| Standard | Subject |
|---|---|
| CIP-001 | Sabotage Reporting (Retired) |
| CIP-002 | Asset Identification and Classification |
| CIP-003 | Policy and Governance |
| CIP-004 | Personnel and Training |
| CIP-005 | Electronic Security Perimeter(s) |
| CIP-006 | Physical Security of Cyber Assets |
| CIP-007 | System Security Controls |
| CIP-008 | Cyber Security Incident Response |
| CIP-009 | Recovery Plans for BES Cyber Systems |
| CIP-010 | Change and Vulnerability Management |
| CIP-011 | Protection of BES Cyber System Information |
| CIP-012 | Control Center Communications |
| CIP-013 | Supply Chain Security |
| CIP-014 | Physical Security of Key Substations |
The NERC standards encompass the same breadth of topics, generally, as other cybersecurity frameworks such as the NIST CSF or CIS Top 20 Controls, but they are more prescriptive than those frameworks and are enforceable on those entities that are subject to them, including the application of potentially large fines in cases of non-compliance.
Although all of these standards are important and can result in fines if not met, there are a few which warrant further detail and understanding.
The stated purpose of CIP-002 is: “To identify and categorize BES Cyber Systems and their associated BES Cyber Assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES.”
To understand this requirement two definitions are important:
BES: Bulk Electric System. The Bulk Electric System means the electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, generally operated at voltages of 100 kV or higher.
BES Cyber System: The term BES Cyber System was new in Version 5. The intent was to group “Cyber Assets” (the prior term of art) so that a Responsible Entity (i.e., a utility) could consider how it protects a system rather than each individual asset. For instance, NERC’s guidelines give the example of malware protection, which might be applied to a system as a whole rather than to every asset within it:
“It becomes possible to apply requirements dealing with recovery and malware protection to a grouping rather than individual Cyber Assets, and it becomes clearer in the requirement that malware protection applies to the system as a whole and may not be necessary for every individual device to comply.”
The standard requires the entity to categorize these systems as having High, Medium, or Low potential impact on the BES. NERC provides prescriptive criteria for each level in Attachment 1 of CIP-002: the largest control centers are High impact; large transmission and generation facilities, along with other control centers, are Medium impact; and the remaining assets, including backups, smaller generation, transmission, and distribution protection assets, are Low impact.
The importance of this categorization is that the controls and security maturity required for High and Medium impact systems are far greater than those for Low impact systems. Comprehensively identifying ALL of an entity’s assets and then carefully categorizing them is therefore a key component of successful compliance, and an asset missed in the inventory is a gap in every downstream requirement.
The stated purpose of CIP-005 is: “To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.”
CIP-005 focuses on controlling network access to the critical assets identified under CIP-002. This is a particular issue today, as connectivity to industrial control systems keeps growing. As the industry drives toward greater analytics and remote connectivity, the risks to the electric system increase dramatically, and CIP-005 is intended to reduce some of them. Every BES Cyber System must sit inside a defined Electronic Security Perimeter (ESP), with all routable traffic into and out of the ESP passing through an Electronic Access Point (EAP) that permits only documented inbound and outbound access and denies everything else by default (R1). Interactive Remote Access must pass through an Intermediate System, be encrypted, and use multi-factor authentication (R2). Monitoring and maintaining that segmentation and access control, especially for vendor and other third-party remote access, is the focus of this requirement.
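As an added illustration (not code from the article or from NERC), the following Python script lints a constructed EAP firewall ruleset against three of those requirements: a documented reason on every permit and an explicit default deny (R1 Part 1.3), and interactive protocols into the ESP only from an Intermediate System (R2 Part 2.1). The rule format, the addresses, and the set of ports treated as interactive are assumptions made for the example.

```python
"""CIP-005 Electronic Access Point ruleset lint.

Added example, not from NERC or the article. The rule format, the ESP
address range and the set of "interactive" ports are assumptions made
for illustration; the checks map to CIP-005 R1 Part 1.3 (permit with a
documented reason, deny everything else) and R2 Part 2.1 (Interactive
Remote Access only through an Intermediate System).
"""
import ipaddress
from typing import Dict, List

# Ports treated as Interactive Remote Access protocols (assumption: ssh, telnet, rdp, vnc).
INTERACTIVE_PORTS = {22, 23, 3389, 5900}

Rule = Dict[str, object]  # keys: action, src, dst, proto, port, reason


def _net(value):
    """'any' becomes None; host and CIDR strings become ip_network objects."""
    return None if value == "any" else ipaddress.ip_network(value, strict=False)


def _inside(net, container) -> bool:
    """True only when every address in net lies within container ('any' never does)."""
    return net is not None and net.subnet_of(container)


def lint_eap_rules(rules: List[Rule], esp_cidr: str, intermediate_systems: List[str]) -> List[str]:
    esp = ipaddress.ip_network(esp_cidr)
    jump_hosts = [ipaddress.ip_network(j) for j in intermediate_systems]
    findings: List[str] = []

    # Part 1.3: everything not explicitly permitted must be denied. We require a
    # literal deny-any-any as the last rule so the default is visible in the config.
    last = rules[-1] if rules else None
    if not last or (last["action"], last["src"], last["dst"]) != ("deny", "any", "any"):
        findings.append("ruleset does not end with deny any any (Part 1.3 default deny)")

    for index, rule in enumerate(rules, start=1):
        if rule["action"] != "permit":
            continue
        # Part 1.3: every permit carries the reason it was granted.
        if not str(rule.get("reason", "")).strip():
            findings.append(f"rule {index}: permit without a documented reason (Part 1.3)")

        src, dst = _net(rule["src"]), _net(rule["dst"])
        # Inbound means the destination overlaps the ESP and the source is not wholly inside it.
        dst_in_esp = dst is None or dst.overlaps(esp)
        inbound = dst_in_esp and not _inside(src, esp)
        if not inbound or rule.get("port") not in INTERACTIVE_PORTS:
            continue
        # Part 2.1: interactive sessions into the ESP must originate from an Intermediate System.
        if not any(_inside(src, jump) for jump in jump_hosts):
            findings.append(
                f"rule {index}: interactive access ({rule['proto']}/{rule['port']}) into the ESP "
                f"from {rule['src']} does not go through an Intermediate System (Part 2.1)"
            )
    return findings


# Constructed ruleset for one EAP firewall (assumed addresses; not a real site).
ESP = "192.168.100.0/24"
INTERMEDIATE_SYSTEMS = ["10.50.1.10/32"]
SAMPLE_RULES: List[Rule] = [
    {"action": "permit", "src": "10.50.1.10/32", "dst": "192.168.100.0/24", "proto": "tcp",
     "port": 3389, "reason": "Vendor IRA via jump host, CHG-0991"},
    {"action": "permit", "src": "10.0.0.0/8", "dst": "192.168.100.7/32", "proto": "tcp",
     "port": 22, "reason": ""},
    {"action": "permit", "src": "192.168.100.0/24", "dst": "10.60.2.5/32", "proto": "tcp",
     "port": 443, "reason": "Historian push to corporate, CHG-0874"},
    {"action": "permit", "src": "10.60.2.5/32", "dst": "192.168.100.5/32", "proto": "tcp",
     "port": 502, "reason": "EMS Modbus polling of RTU front end, CHG-0801"},
    {"action": "deny", "src": "any", "dst": "any", "proto": "any", "port": "any",
     "reason": "default deny"},
]

if __name__ == "__main__":
    for line in lint_eap_rules(SAMPLE_RULES, ESP, INTERMEDIATE_SYSTEMS):
        print(line)
```

The lint is deliberately narrow: on the sample it flags rule 2 twice (no reason, and SSH straight from the corporate range into the ESP) and says nothing about whether rule 4’s Modbus polling from the corporate network is a good idea. Whether a documented permit is a wise one is an engineering judgment the standard leaves to the entity; the lint only proves that the judgment was recorded.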
The stated purpose of CIP-007 is: “To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).”
Of all the CIP standards, this may be the most controversial. Not because of the general recognition of the importance of system security controls, but because of the prescriptive nature of the standards. Several of the CIP standards are “procedural” in nature in that the entity needs to establish a process and then maintain that process. But others, such as CIP-007 are more “prescriptive” in nature, requiring the entity to take specific actions, regardless of outcomes, to meet the standard satisfactorily.
The particular control that comes under greatest scrutiny is that related to Patch Management (CIP-007-6 R2):
2.1: A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.
2.2: At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1.
2.3: For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions:
The prescriptive patch management requirements create significant debate among NERC CIP managers, auditors, and commentators. Regardless of one’s view of the efficiency-effectiveness trade-off, the reality is that maintaining patch status under these clocks requires a significant, continuous investment of effort by the Responsible Entity: every tracked source needs a dated evaluation record at least every 35 days, and every applicable patch needs either an installation record or a dated mitigation plan within 35 days of that evaluation.
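As an added example (not from the article or from NERC), the following Python code tracks the two 35-day clocks against constructed evaluation and patch records, flagging evaluation gaps that exceed the window and applicable patches with no dated action by the deadline. The record layout, the action labels and the sample dates are assumptions.

```python
"""Patch-window tracker for CIP-007-6 R2 Parts 2.2 and 2.3.

Added example, not from NERC or the article. The record format, the
action labels and the sample dates are assumptions; the 35-calendar-day
windows are the ones the requirement states.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

WINDOW = timedelta(days=35)


@dataclass
class PatchSource:
    """A patch source tracked under Part 2.1, with the dates its releases were evaluated."""
    name: str
    evaluations: List[date]


@dataclass
class ApplicablePatch:
    """A patch found applicable in a Part 2.2 evaluation and the Part 2.3 action taken on it."""
    patch_id: str
    source: str
    evaluated_on: date                  # completion date of the evaluation
    action: Optional[str] = None        # assumed labels: "applied" or "mitigation_plan"
    action_on: Optional[date] = None    # date the patch was applied or the plan was dated


def evaluation_findings(src: PatchSource, today: date) -> List[str]:
    """Part 2.2: consecutive evaluations of a source may be at most 35 calendar days apart."""
    evals = sorted(src.evaluations)
    if not evals:
        return [f"{src.name}: no evaluation recorded"]
    findings = []
    for prev, nxt in zip(evals, evals[1:]):
        if nxt - prev > WINDOW:
            findings.append(f"{src.name}: {(nxt - prev).days}d between evaluations "
                            f"{prev} and {nxt} exceeds 35 days")
    if today - evals[-1] > WINDOW:
        findings.append(f"{src.name}: last evaluation {evals[-1]} is "
                        f"{(today - evals[-1]).days}d old, next one is overdue")
    return findings


def patch_findings(patch: ApplicablePatch, today: date) -> List[str]:
    """Part 2.3: within 35 calendar days of the evaluation, apply the patch or have a dated plan."""
    deadline = patch.evaluated_on + WINDOW
    if patch.action is None:
        if today > deadline:
            return [f"{patch.patch_id}: no action recorded, deadline {deadline} "
                    f"passed {(today - deadline).days}d ago"]
        return []
    if patch.action_on is None:
        return [f"{patch.patch_id}: action '{patch.action}' has no date, cannot show it met {deadline}"]
    if patch.action_on > deadline:
        return [f"{patch.patch_id}: action '{patch.action}' dated {patch.action_on} "
                f"is after deadline {deadline}"]
    return []


def assess(sources: List[PatchSource], patches: List[ApplicablePatch], today: date) -> List[str]:
    """Collect every finding; the same records, when clean, are the evidence auditors ask for."""
    findings: List[str] = []
    for src in sources:
        findings.extend(evaluation_findings(src, today))
    for patch in patches:
        findings.extend(patch_findings(patch, today))
    return findings


# Constructed records (assumed sources, IDs and dates; not real advisories).
TODAY = date(2021, 4, 1)
SAMPLE_SOURCES = [
    PatchSource("VendorA advisories", [date(2021, 1, 4), date(2021, 2, 5), date(2021, 3, 20)]),
    PatchSource("OS vendor monthly", [date(2021, 1, 12), date(2021, 2, 9), date(2021, 3, 9)]),
]
SAMPLE_PATCHES = [
    ApplicablePatch("VA-2021-03", "VendorA advisories", date(2021, 2, 5), "applied", date(2021, 3, 1)),
    ApplicablePatch("VA-2021-04", "VendorA advisories", date(2021, 2, 5)),
    ApplicablePatch("VA-2021-07", "VendorA advisories", date(2021, 3, 20), "mitigation_plan", date(2021, 4, 30)),
    ApplicablePatch("OS-2021-03", "OS vendor monthly", date(2021, 3, 9)),
]

if __name__ == "__main__":
    for line in assess(SAMPLE_SOURCES, SAMPLE_PATCHES, TODAY):
        print(line)
```

On the sample data the tracker reports three findings: a 43-day gap between VendorA evaluations, a patch with no action 20 days past its deadline, and a mitigation plan dated after the deadline it was meant to satisfy. The last patch, evaluated 23 days ago with no action yet, is still inside its window and is not reported.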
The stated purpose of CIP-010 is: “To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the Bulk Electric System (BES).”
CIP-010 focuses on ensuring that a system established as secure stays that way over time. This applies both to configurations that drift as ports, services, and rule settings are adjusted, and to new vulnerabilities identified in software. R1 requires a documented baseline configuration for each system covering the operating system or firmware, installed commercial and open-source software, custom software, logical network accessible ports, and applied security patches; any change that deviates from that baseline must be authorized and documented, and the baseline updated within 30 calendar days of completing the change.
This standard creates many challenges for utilities. One of the greatest is aligning the human process of documenting and approving changes with the technical reality of those changes on the systems themselves. Entities need to map each approval to the actual result on the system, detect changes that have no approval behind them, and retain records of both in order to demonstrate compliance to auditors.
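As an added example (not from the article or from NERC), the following Python code compares an approved CIP-010 baseline with an observed snapshot of the same host, then reconciles the differences against change records in both directions: drift that nothing approved, and approved changes that were never made. The dictionary layout, the change-record format and the host data are assumptions.

```python
"""Baseline drift check for CIP-010 R1.

Added example, not from NERC or the article. The baseline dictionary layout,
the change-record format and the sample host are assumptions; the five
baseline elements are the ones listed in CIP-010 R1 Part 1.1.
"""
from typing import Dict, List, Set, Tuple

VERSIONED = ("commercial_software", "custom_software")   # name -> version
SETS = ("network_ports", "security_patches")             # unordered collections


def diff_baseline(approved: dict, observed: dict) -> List[str]:
    """Return one line per element that differs between the approved baseline and the snapshot."""
    findings: List[str] = []
    if approved["os_firmware"] != observed["os_firmware"]:
        findings.append(f"os_firmware: {approved['os_firmware']} -> {observed['os_firmware']}")
    for key in VERSIONED:
        before, after = approved[key], observed[key]
        for name in sorted(set(before) | set(after)):
            if name not in after:
                findings.append(f"{key}: {name} {before[name]} removed")
            elif name not in before:
                findings.append(f"{key}: {name} {after[name]} added")
            elif before[name] != after[name]:
                findings.append(f"{key}: {name} {before[name]} -> {after[name]}")
    for key in SETS:
        before, after = set(approved[key]), set(observed[key])
        findings.extend(f"{key}: {item} added" for item in sorted(after - before))
        findings.extend(f"{key}: {item} removed" for item in sorted(before - after))
    return findings


def reconcile(findings: List[str], change_records: Dict[str, Set[str]]) -> Tuple[list, list, list]:
    """Match observed drift against approved change records, in both directions.

    Returns (authorized, unauthorized, unimplemented): drift a change record explains,
    drift nothing explains (the finding an auditor looks for), and approved deltas that
    never showed up on the host (an approval with no matching result).
    """
    expected = {delta: ticket for ticket, deltas in change_records.items() for delta in deltas}
    authorized = [(expected[f], f) for f in findings if f in expected]
    unauthorized = [f for f in findings if f not in expected]
    seen = set(findings)
    unimplemented = [(ticket, d) for ticket, deltas in change_records.items()
                     for d in sorted(deltas) if d not in seen]
    return authorized, unauthorized, unimplemented


# Constructed baseline and snapshot for one HMI host (assumed names and versions).
APPROVED_BASELINE = {
    "os_firmware": "Windows Server 2016 14393.4350",
    "commercial_software": {"ScadaViewer": "7.2", "7-Zip": "19.00"},
    "custom_software": {"alarm-forwarder": "1.3"},
    "network_ports": {"tcp/102", "tcp/443", "tcp/3389"},
    "security_patches": {"KB5001347"},
}
OBSERVED_SNAPSHOT = {
    "os_firmware": "Windows Server 2016 14393.4350",
    "commercial_software": {"ScadaViewer": "7.3", "7-Zip": "19.00", "TeamViewer": "15.16"},
    "custom_software": {"alarm-forwarder": "1.3"},
    "network_ports": {"tcp/102", "tcp/443", "tcp/3389", "tcp/5938"},
    "security_patches": {"KB5001347", "KB5003197"},
}
# Change records list the deltas each approval is expected to produce, in the same format.
CHANGE_RECORDS = {
    "CHG-1042": {"commercial_software: ScadaViewer 7.2 -> 7.3", "security_patches: KB5003197 added"},
    "CHG-1050": {"custom_software: alarm-forwarder 1.3 -> 1.4"},
}

if __name__ == "__main__":
    drift = diff_baseline(APPROVED_BASELINE, OBSERVED_SNAPSHOT)
    authorized, unauthorized, unimplemented = reconcile(drift, CHANGE_RECORDS)
    print("authorized:", authorized)
    print("unauthorized:", unauthorized)
    print("approved but not implemented:", unimplemented)
```

On the sample host the ScadaViewer upgrade and the new KB are explained by CHG-1042, the remote-access tool and its listening port are unauthorized drift, and CHG-1050 was approved but never carried out. The second and third lists are the ones to act on before an audit, and the finding strings are deliberately the same text in both the diff and the change records so the mapping from approval to result is mechanical.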
Vulnerability assessments are also challenging because of the sensitive nature of the cyber assets within industrial control systems. Traditional IT vulnerability scanners can disrupt or damage sensitive ICS devices, so entities need to define an ICS-safe approach to the assessments CIP-010 R3 requires at least every 15 calendar months, for example passive analysis of captured traffic and configuration data, or active scanning only in a representative test environment. Unfortunately, the growth in new ICS vulnerabilities is accelerating, with an increase of almost 50% in 2020 and similar rates so far in 2021.
The stated purpose of CIP-013 is: “To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.”
CIP-013 has become one of the “hottest” topics in NERC CIP since the public disclosure of the SolarWinds attack in December 2020. Executive Orders, Congressional committees, software industry mandates, etc. all followed that attack, which made software supply chain risk a front-page story. CIP-013-1 had already been approved by FERC and became effective on October 1, 2020, shortly before the disclosure, but its relevance and the attention paid to it have accelerated since. Eventual compliance with CIP-013 will likely require detailed Software Bills of Materials (SBOMs) for new components deployed into the BES and will likely, over time, have a significant impact on software development practices.
We would expect the requirements of this part of the standard to grow over time as more is learned about how to implement these supply chain risk management processes.
Because CIP compliance is mandatory and compliance is largely driven by self-reporting or through the audit cycle, a successful CIP compliance program will include a constant drive to produce and maintain evidence of compliance. Each procedure should produce evidence of its successful performance; that evidence should be sampled and reviewed periodically for completeness and correctness; that evidence should be archived in easily retrievable manners so that compliance can be demonstrated quickly when needed.
Producing this evidence-based structure requires an integrated approach combining dedicated compliance personnel who design and gather evidence with input and cooperation from operations personnel who produce and supply the evidence. In large utilities, this structure is typically replicated across each business unit or functional organization.
North American electric utilities care about NERC CIP because the standards require significant investment and carry the risk of fines. As noted above, most fines are in the low five-figure range, but fines of over a million dollars have been issued for systemic series of violations. The true negative impact of a poor audit finding is more than the fine, however. Self-reported violations or negative audit findings create management challenges with boards, shareholders, regulators, and other stakeholders.
Beyond the power utilities that are the specific focus of NERC CIP, industrial organizations across North America and the world need to begin to understand these standards and prepare for similar requirements in their own industries. Although this may strike NERC CIP’s critics as problematic, the reality is that the emerging OT cyber security regulations around the world lean more towards the “prescriptive” end than regulation historically has. They may end up as “NERC-CIP-LITE”, but they will still be more prescriptive than what most industries have seen.
Recent examples include the TSA pipeline cyber security directives released in 2021. According to the redacted version available online, security requirements include:
Other examples are in Chile where CEN (the government’s National Electricity Coordinator) has adopted the NERC CIP standards or in the Middle East countries where regulators such as the DESC in Dubai have adopted more prescriptive OT cyber security requirements.
The future of OT cyber security regulation is clear – more prescriptive requirements and more auditing by regulatory bodies.
This will require a significant shift in mindsets, investments, and efforts among industrial organizations around the world. It took the North American electric power sector 8 years from the first approval of NERC standards to robust audits under the “version 5” standard…and another 5 years to today. Because the risks are even greater, we would expect these new regulatory standards to be adopted with even greater urgency than NERC CIP was. This will mean less time to prepare and evolve than was the case in North America.
The good news is that after almost 15 years of trial and error, there are valuable lessons from the North American power industry on how to increase cyber security and address these growing regulatory prescriptions. Utilities and their industry partners have developed new technologies and processes. But one of the key lessons is that this takes time. The earlier an organization begins its cyber security journey, the less painful the eventual regulatory burden will be.
Cyber security is often described in terms of “defense in depth”. Whether or not that phrase perfectly captures modern threats, there is no question that success requires foundational elements, and those foundational elements take time. An organization cannot simply jump to maturity level “5”. The earlier it begins to chart its path, using NERC CIP and other frameworks as guideposts, the more feasible achieving future regulatory compliance will be.