NERC CIP Compliance
The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the reliability of the bulk power system (BPS) in North America. NERC develops and enforces mandatory standards that define requirements for reliable planning and operation of the bulk power system.
What is NERC CIP Compliance?
NERC’s Critical Infrastructure Protection (CIP) Reliability Standards represent a comprehensive, risk-based approach to enhancing the security of the North American bulk power system. They provide a physical and cyber-security framework for identifying and protecting the Critical Cyber Assets that control or affect the reliability of North America’s bulk power systems.
RSI Security is a full-service cybersecurity assessment and advisory company that helps entities meet their security compliance needs. RSI Security has the experience, skills, and resources to help your organization identify and protect critical cyber assets by helping you meet NERC CIP compliance requirements.
Who Must Comply with NERC CIP?
All registered entities in North America that own, use, produce, or supply utilities on the Bulk Electric System (BES) must comply with the NERC CIP to avoid non-compliance penalties.
NERC compliance is mandatory for entities such as:
- Transmission service providers
- Generator operators
- Regional entities
- Load serving entities
NERC requires entities to safeguard critical assets such as:
- Data acquisition systems
- Control systems
- Networking equipment
- Cloud-based storage
To streamline NERC compliance, you should ensure that the following categories of employees receive special NERC CIP training:
- Project managers
- Cybersecurity staff
- Incident response teams
- NERC CIP auditors
NERC CIP Requirements
To ensure the security and stability of the North American utility supply, entities subject to the NERC CIP framework must comply with its requirements, which comprise 40 standards and a total of 100 sub-requirements aimed at safeguarding the North American BES.
The NERC CIP Requirements include:
- Security management
- Personnel security training
- Electronic security processes
- BES physical security
- System security management
- Incident reporting and response planning
- BES recovery planning
- Configuration change management
- Information security
- Physical security
Utility systems are critical components of any nation’s infrastructure and must be safeguarded at all times. The NERC CIP standards are comprehensive and risk-based to ensure that entities can fully protect their operations on the North American BES.
NERC compliance requires organizations to implement tools and processes such as:
- Patch management to promptly install security patches
- Personnel training for NERC compliance
- Reporting cybersecurity incidents
- Documenting and reporting compliance evidence
- Developing, planning, and implementing policies
Working with NERC compliance consultants will help you stay current with NERC CIP compliance and prepare for NERC CIP audits.
Why do you need to be NERC CIP Compliant?
In 2006, the U.S. Federal Energy Regulatory Commission (FERC) made the CIP Cyber Security Standards mandatory for all registered entities identified by NERC, and enforceable across all users, owners, and operators of the bulk power system in the United States.
Entities that own, operate or use any portion of the North American power system are required to identify critical assets and regularly perform risk assessments on those assets.
Let us help your organization implement a plan with all necessary controls so you can meet all 45 requirements and avoid a non-compliance status.
From compliance analysis to certification, we can help.
Our NERC CIP Compliance Services
Value and Benefits of Being NERC CIP Compliant
- Audit Ready Electronic Security Perimeter and Cyber Asset Environment
- Cyber Asset Security Risk Management
- NERC CIP Compliance
- Increased Cyber Asset Protection
- Increased Customer Trust and Organizational Reputation
- Implementation of Information Security Program
- Effective Incident Response Planning
WORK WITH US
Your NERC CIP Compliance Partner
RSI Security has worked extensively with NERC entities on their NERC CIP standards implementation programs.
RSI Security’s skilled, experienced, and qualified security assessment, advisory, engineering, and testing teams use a risk-based, strategic-value approach to achieving your organization’s NERC CIP compliance.
Our advisory services help you identify and meet the requirements of the NERC CIP standards.
Our qualified security assessors bring the information security assessment, auditing, administrative, and technical skills, knowledge, and experience needed to help organizations achieve NERC CIP compliance.
RSI Security is a full-service security provider with many years of experience delivering systems and data security compliance, information security program implementation, and testing services.
Overview of NERC CIP Standards
CIP-002-5.1a Cyber Security: BES Cyber System Categorization
- BES Cyber Systems at each site location have varying impact on the reliable operation of the Bulk Electric System. Attachment 1 provides a set of “bright-line” criteria that the Responsible Entity must use to identify these BES Cyber Systems in accordance with the impact on the BES.
- BES Cyber Systems must be identified and categorized according to their impact so that the appropriate measures can be applied, commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. These impact categories will be the basis for the application of appropriate requirements in CIP-003 through CIP-011.
CIP-003-6 Cyber Security: Security Management Controls
- This requirement is intended to demonstrate a clear line of authority and ownership for security matters. One or more security policies demonstrate that the entity’s management supports the accountability and responsibility necessary for effective implementation of the requirements, and they provide a management and governance foundation for all requirements. It also ensures that delegations are kept up to date and that individuals do not assume undocumented authority.
CIP-004-6 Cyber Security: Personnel and Training
- Ensure that Responsible Entities with personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Assets take action so that those personnel with such authorized electronic or authorized unescorted physical access maintain awareness of the Responsible Entity’s security practices.
- Ensure that the Responsible Entity’s training program for personnel who need authorized electronic access and/or authorized unescorted physical access to BES Cyber Systems covers the proper policies, access controls, and procedures to protect BES Cyber Systems, and that those personnel are trained before access is authorized.
- Ensure that individuals who need authorized electronic or authorized unescorted physical access to BES Cyber Systems have been assessed for risk. Whether initial access or maintaining access, those with access must have had a personnel risk assessment completed within the last 7 years.
- Ensure that individuals with access to BES Cyber Systems, and to the physical and electronic locations where the Responsible Entity stores BES Cyber System Information, have been properly authorized for such access, and that such access is revoked in a timely manner.
CIP-005-5 Cyber Security: Electronic Security Perimeter(s)
- The Electronic Security Perimeter (“ESP”) serves to control traffic at the external electronic boundary of the BES Cyber System. It provides a first layer of defense against network-based attacks: it limits reconnaissance of targets, restricts and prohibits traffic according to a specified rule set, and assists in containing any successful attacks.
CIP-006-6 Cyber Security: Physical Security of BES Cyber Systems
- Ensure that physical access to all BES Cyber Systems is restricted and appropriately managed. Entities may choose for certain Physical Access Control Systems (PACS) to reside in a Physical Security Perimeter (PSP) controlling access to applicable BES Cyber Systems.
- Control when personnel without authorized unescorted physical access can be in any Physical Security Perimeter protecting BES Cyber Systems or Electronic Access Control or Monitoring Systems.
- Ensure all Physical Access Control Systems and devices continue to function properly.
CIP-007-6 Cyber Security: System Security Management
- The requirement is intended to minimize the attack surface of BES Cyber Systems through disabling or limiting access to unnecessary network accessible logical ports and services and physical I/O ports.
- Ensure security patch management by proactively monitoring and addressing known security vulnerabilities in software before those vulnerabilities can be exploited in a malicious manner to gain control of or render a BES Cyber Asset or BES Cyber System inoperable.
- Ensure malicious code prevention in order to limit and detect the addition of malicious code onto the applicable Cyber Assets of a BES Cyber System. Malicious code (viruses, worms, botnets, targeted code such as Stuxnet, etc.) may compromise the availability or integrity of the BES Cyber System.
- Ensure security event monitoring in order to detect unauthorized access, reconnaissance, and other malicious activity on BES Cyber Systems. It comprises the activities involved in the collection, processing, alerting, and retention of security-related computer logs. These logs can provide both (1) the detection of an incident and (2) useful evidence in the investigation of an incident. The retention of security-related logs is intended to support post-event data analysis.
- Ensure that no authorized individual can gain electronic access to a BES Cyber System until the individual has been authenticated.
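The security event monitoring bullet above describes four activities: collect logs, process them, alert on what matters, and retain them for post-event analysis. The following is an added example written for this page, not code from RSI Security or NERC, that walks through all four steps over a handful of constructed syslog-style login lines. The log format, host names, addresses, failed-login threshold, sliding window, and 90-day retention period are all assumptions chosen for the illustration.

```python
"""Minimal security event monitor: collect, process, alert, retain.
Added example; log format, hosts, addresses and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (assumption: syslog-like "<ts> <host> <proc>: <msg>").
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z rtu-gw-01 sshd: Accepted password for operator from 10.10.5.4
2024-03-01T10:02:10Z hmi-srv-02 sshd: Failed password for root from 203.0.113.9
2024-03-01T10:02:12Z hmi-srv-02 sshd: Failed password for root from 203.0.113.9
2024-03-01T10:02:15Z hmi-srv-02 sshd: Failed password for admin from 203.0.113.9
2024-03-01T10:02:20Z hmi-srv-02 sshd: Failed password for operator from 203.0.113.9
2024-03-01T10:02:25Z hmi-srv-02 sshd: Failed password for root from 203.0.113.9
2024-03-01T10:30:00Z rtu-gw-01 sshd: Failed password for operator from 10.10.5.4
2024-03-01T10:31:00Z rtu-gw-01 sshd: Accepted password for operator from 10.10.5.4
2023-11-01T08:00:00Z hmi-srv-02 sshd: Accepted password for operator from 10.10.5.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+)$")


def parse_events(text):
    """Collection/processing: turn raw lines into structured login events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real monitor would count unparseable lines as a logging failure
        lm = LOGIN_RE.match(m.group("msg"))
        if not lm:
            continue  # not a login event; other event types would be handled elsewhere
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "host": m.group("host"),
            "result": lm.group("result"),
            "user": lm.group("user"),
            "src": lm.group("src"),
        })
    return events


def detect_failed_access_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Alerting: flag any (host, source) pair with >= threshold failed logins
    inside a sliding time window. Threshold and window are assumptions."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            failures[(ev["host"], ev["src"])].append(ev["ts"])
    alerts = []
    for (host, src), stamps in failures.items():
        stamps.sort()
        j = 0
        for i in range(len(stamps)):
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({"host": host, "src": src, "count": j - i, "first": stamps[i]})
                break  # one alert per (host, source) pair is enough for this example
    return alerts


def apply_retention(events, now, retain_days=90):
    """Retention: keep events inside the retention window for post-event
    analysis; events older than that are returned separately for archiving."""
    cutoff = now - timedelta(days=retain_days)
    keep = [ev for ev in events if ev["ts"] >= cutoff]
    archive = [ev for ev in events if ev["ts"] < cutoff]
    return keep, archive


def summarize(text, now_iso):
    """Run all four steps and return a small report dictionary."""
    events = parse_events(text)
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ")
    keep, archive = apply_retention(events, now)
    return {
        "events": len(events),
        "alerts": detect_failed_access_bursts(events),
        "retained": len(keep),
        "archived": len(archive),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS, "2024-03-01T12:00:00Z"))
```

Run as-is and the report shows one alert (five failed logins against hmi-srv-02 from 203.0.113.9 inside 15 seconds), while the single failed login on rtu-gw-01 followed by a successful one stays below the threshold; the 2023 entry falls outside the 90-day window and is separated out for archiving rather than silently dropped.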
CIP-008-5 Cyber Security: Incident Reporting and Response Planning
- The implementation of an effective Cyber Security Incident response plan mitigates the risk to the reliable operation of the BES resulting from a Cyber Security Incident, and provides feedback to Responsible Entities for improving the security controls applied to BES Cyber Systems. Preventative activities can lower the number of incidents, but not all incidents can be prevented. A preplanned incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services.
CIP-009-6 Cyber Security: Recovery Plans for BES Cyber Systems
- Preventative activities can lower the number of incidents, but not all incidents can be prevented. A preplanned recovery capability is, therefore, necessary for rapidly recovering from incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services so that planned and consistent recovery action to restore BES Cyber System functionality occurs.
- The implementation of an effective recovery plan mitigates the risk to the reliable operation of the BES by reducing the time to recover from various hazards affecting BES Cyber Systems. This requirement ensures continued implementation of the response plans.
- Improve the effectiveness of BES Cyber System recovery plan(s) following a test, and ensure the maintenance and distribution of the recovery plan(s).
CIP-010-2 Cyber Security: Configuration Change Management and Vulnerability Assessments
- The configuration change management processes are intended to prevent unauthorized modifications to BES Cyber Systems.
- The configuration monitoring processes are intended to detect unauthorized modifications to BES Cyber Systems.
- The vulnerability assessment processes are intended to act as a component in an overall program to periodically ensure the proper implementation of cyber security controls as well as to continually improve the security posture of BES Cyber Systems.
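The first two CIP-010 bullets separate change management (prevent unauthorized modifications) from configuration monitoring (detect them). The following added example, written for this page and not code from RSI Security or NERC, shows what the detection half looks like in practice: a constructed baseline for one device is fingerprinted, compared against a later snapshot, and every deviation is matched against a constructed list of approved change records so that only the unexplained changes are reported. The baseline elements, package names, ports, and change-ticket format are assumptions for the illustration.

```python
"""Baseline configuration monitoring: diff a snapshot against the approved
baseline and flag deviations with no approved change record.
Added example; all data below is constructed."""
import hashlib
import json

# Constructed approved baseline for one hypothetical device.
BASELINE = {
    "os": "Linux 5.15 (vendor image 2023.4)",
    "software": {"openssh-server": "8.9p1", "modbus-gateway": "2.3.1"},
    "listening_ports": ["22/tcp", "502/tcp"],
    "custom_patches": ["GW-2023-07"],
}

# Constructed later snapshot of the same device: one approved upgrade,
# one unexpected package and one unexpected listening port.
CURRENT_STATE = {
    "os": "Linux 5.15 (vendor image 2023.4)",
    "software": {"openssh-server": "9.3p1", "modbus-gateway": "2.3.1", "netcat": "1.10"},
    "listening_ports": ["22/tcp", "502/tcp", "8080/tcp"],
    "custom_patches": ["GW-2023-07"],
}

# Constructed change records; format is an assumption, not a NERC artifact.
APPROVED_CHANGES = [
    {"id": "CHG-0042", "element": "software", "key": "openssh-server", "new": "9.3p1"},
]


def fingerprint(config):
    """SHA-256 over canonical JSON, so a stored baseline can be integrity-checked
    before it is trusted as the reference for comparison."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_baseline(baseline, current):
    """Return every element-level difference between baseline and snapshot.
    Dict elements are compared per key, list elements by membership,
    scalars by value. Output order is deterministic (sorted)."""
    deviations = []
    for element in sorted(set(baseline) | set(current)):
        b, c = baseline.get(element), current.get(element)
        if isinstance(b, dict) or isinstance(c, dict):
            b, c = b or {}, c or {}
            for key in sorted(set(b) | set(c)):
                if b.get(key) != c.get(key):
                    deviations.append({"element": element, "key": key,
                                       "baseline": b.get(key), "current": c.get(key)})
        elif isinstance(b, list) or isinstance(c, list):
            b, c = set(b or []), set(c or [])
            for key in sorted(b ^ c):  # present on one side only
                deviations.append({"element": element, "key": key,
                                   "baseline": key in b, "current": key in c})
        elif b != c:
            deviations.append({"element": element, "key": None, "baseline": b, "current": c})
    return deviations


def classify(deviations, approved):
    """Split deviations into those covered by an approved change record and
    those that are not; the latter are the unauthorized modifications."""
    authorized, unauthorized = [], []
    for d in deviations:
        covered = any(a["element"] == d["element"] and a["key"] == d["key"]
                      and a["new"] == d["current"] for a in approved)
        (authorized if covered else unauthorized).append(d)
    return authorized, unauthorized


if __name__ == "__main__":
    print("baseline fingerprint:", fingerprint(BASELINE))
    auth, unauth = classify(diff_baseline(BASELINE, CURRENT_STATE), APPROVED_CHANGES)
    for d in auth:
        print("authorized change:", d)
    for d in unauth:
        print("UNAUTHORIZED change:", d)
```

On the constructed data the diff yields three deviations; the openssh-server version bump is matched to CHG-0042 and reported as authorized, while the added netcat package and the new 8080/tcp listener have no change record and are reported as unauthorized. The same structure extends to the vulnerability assessment bullet: a periodic assessment can reuse the snapshot as its input rather than collecting it again.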
CIP-011-2 Cyber Security: Information Protection
- The intent of the information protection program is to prevent unauthorized access to BES Cyber System Information.
- The intent of the BES Cyber Asset reuse and disposal process is to prevent the unauthorized dissemination of BES Cyber System Information upon reuse or disposal.
NERC CIP Compliance FAQs
As of 2006, implementing the NERC CIP is mandatory for all registered organizations on the United States BPS, including users, owners, and operators. The NERC places high standards on compliance and will discipline entities that are found to be non-compliant with the NERC CIP.
The NERC CIP oversees the Bulk Electric System (BES) of North America, ensuring that a cyberattack does not disrupt the North American utility infrastructure. Beyond mitigating utility disruption, NERC CIP standards aim to prevent the effects of a large cyber attack on the North American economy.
There are currently 14 NERC CIP standards, which are also referred to as NERC CIP Requirements. Each of the 40 Fundamental NERC CIP Requirements includes one or more sub-requirements, for a total of 100 sub-standards.
The NERC CIP standards stipulate the NERC CIP compliance requirements, which help organizations plan, operate, and protect the bulk power supply system in North America.
Compliance with NERC CIP standards will help you achieve NERC certification, which guarantees uniform security standards across the BES. However, proper implementation of the NERC standards will also depend on your BES systems. You must identify the most critical assets as well as those which are most vulnerable to cyberattacks.
NERC CIP audits are random; there isn’t a set schedule. To increase your audit preparedness, it is important to implement and maintain controls that meet the NERC CIP compliance requirements and to obtain NERC CIP certification. With the help of NERC compliance consultants, you will be well positioned to pass NERC CIP audits whenever they happen. NERC CIP consulting will also help you fine-tune your current security controls and strengthen your security posture.