The NERC CIP standards are the mandatory security standards that apply to entities that own or operate facilities forming part of the U.S. and Canadian bulk electric power grid.

The standards cover broadly the same range of topics as other frameworks such as the NIST CSF or the CIS Top 20 Controls, but they are more prescriptive, and they are enforceable against the entities subject to them, including potentially large fines for non-compliance. While the standards remain technology-neutral, the goals they specify tend to be more concrete and less conceptual than those of other frameworks.

Who Is NERC, and Why Do They Get to Set Standards?

NERC is the North American Electric Reliability Corporation. NERC was founded in 1968 as the National Electric Reliability Council in response to the Northeast blackout of November 1965, as the need for cooperation among utilities became apparent. The organization was later renamed to encompass “North America”, as the integrated nature of the joint U.S./Canadian power grid made the need for cross-border cooperation clear.

Over time, NERC worked with utility experts to create voluntary operating standards for the industry, and those standards were highly influential in establishing the stability of the North American power grid throughout the 1980’s and 1990’s.

As the need to protect the national infrastructure in general became more apparent in the mid-to-late 1990’s, prompting Executive Order 13010 (1996) and Presidential Decision Directive 63 (1998) from President Clinton, NERC shifted its focus to cyber security, along with some consideration of physical security issues that could affect interstate commerce.

Discussions about creating a set of cyber security standards for the industry had begun when the events of September 11, 2001 gave the effort a new sense of urgency. Timelines were compressed by several years relative to what participants had expected, and in 2003 NERC issued Urgent Action Standard 1200, the predecessor of the current CIP standards.

The first version of the CIP standards was released in 2006 and approved by the Federal Energy Regulatory Commission in 2008. That core body of standards went through what are generally considered five versions before version numbering of the body as a whole was abandoned in favor of tracking versions of individual standards. Versions 3 and 5 represented significant steps forward for the industry. With the change to per-standard revision tracking, incremental changes such as the addition of a supply chain security standard and better support for virtualization have become possible.

In parallel with that timeline, the August 2003 blackout in the northeastern and midwestern U.S. and Ontario led to calls, and eventually action, to make compliance with the NERC standards a binding responsibility of asset owners and operators. Under the Energy Policy Act of 2005, NERC was certified by the Federal Energy Regulatory Commission (FERC) as the Electric Reliability Organization (ERO) for the U.S. power grid, subject to FERC oversight, and NERC standards became mandatory and enforceable, with NERC able to impose penalties subject to FERC review. While most penalties are in the low five-figure range, penalties of over a million dollars have been issued for systemic series of violations.

NERC standards are written by drafting teams of industry experts, often in response to general directives issued by FERC, and go through multiple rounds of review and comment before being voted on and, usually, approved by the NERC membership, the NERC Board of Trustees, and the FERC commissioners.

What Subjects Are Covered by the NERC CIP Standards?

NERC standards belong to family groups which are reflected in their names. For example, the BAL standards cover required activity by what are called Balancing Authorities, who balance the power generation needs within a region, and the MOD standards cover required modeling activity by transmission and generation operators. The CIP standards are named for the effort for Critical Infrastructure Protection, a general term that arose in the aftermath of the original Clinton Directive.

NERC CIP Standards to date:

Standard   Topic
CIP-001    Sabotage Reporting (Retired)
CIP-002    Asset Identification and Classification
             • Facility Classification
             • Asset Identification
             • Inventory Approval
CIP-003    Policy and Governance
             • Designation of Senior Responsible Official
             • Policy Creation and Maintenance
             • Policy Creation and Maintenance for Low-Impact Assets
CIP-004    Personnel and Training
             • Security Awareness
             • Background Checks
             • Training
             • Access Management
             • Access Review
CIP-005    Network Security
             • Creation of Electronic Security Perimeters or Virtualized Equivalents
             • Management of Secure Interactive Remote Access
CIP-006    Physical Security of Cyber Assets
             • Physical Security Plans
             • Creation and Monitoring of Physical Security Perimeters
CIP-007    System Security Controls
             • Patch Management
             • Management of Ports and Services
             • Malware Prevention
             • Security Event Logging
             • Management of Shared Accounts
             • Password and Credential Management
CIP-008    Cyber Security Incident Response
CIP-009    Recovery Plans
             • Continuity of Operations
             • Backup and Restoration
CIP-010    Change and Vulnerability Management
             • Configuration Capture and Management
             • Change Management and Monitoring
             • Vulnerability Management
             • Management of Transient Cyber Assets
CIP-011    Protection of BES Cyber System Information
             • Classification and Protection of Information
             • Disposal of Media
CIP-012    Control Center Communications
CIP-013    Supply Chain Risk Management
CIP-014    Physical Security of Key Substations

Other than a handful of requirements that apply to low impact assets (those that do not meet the explicit criteria in CIP-002 Attachment 1 for medium or high impact), the CIP standards apply to an explicitly identified set of BES Cyber Systems whose loss, compromise or misuse could adversely affect the reliable operation of the Bulk Electric System (BES) within 15 minutes, such as control centers, large generating plants with shared control systems, and heavily interconnected transmission substations.

How Is a Successful NERC CIP Compliance Program Structured?

Because CIP compliance is mandatory and is enforced largely through self-reporting and the audit cycle, a successful CIP compliance program includes a constant drive to produce and maintain evidence of compliance. Each procedure should produce evidence that it was performed successfully; that evidence should be sampled and reviewed periodically for completeness and correctness; and it should be archived in an easily retrievable form so that compliance can be demonstrated quickly when required.

Producing this evidence-based structure requires an integrated approach: dedicated compliance personnel who design the evidence requirements and gather the evidence, working with the operations personnel who produce and supply it. In large utilities, this structure is typically replicated across each business unit or functional organization.

Verve personnel have experience in designing these evidence structures, in supplying the underlying expertise needed to ensure that procedures produce compliant results, and in guiding the integration needed to build the human structure the program requires. The Verve Security Center software then automates many of the tasks needed to sustain the compliance structure without overloading operational personnel.
