The North American Electric Reliability Corporation (NERC) was founded in the late 1960s in response to the growing need for cooperation among utilities. Its mandatory security standards are known as the NERC CIP (Critical Infrastructure Protection) standards, and they apply to every entity that owns or operates facilities that form part of the bulk electric power grid of the US and Canada.

To strengthen the cyber resilience of the country, NERC developed this framework to protect the nation's utility infrastructure. The NERC CIP standards lay out the requirements for planning, operating, and protecting the North American bulk power system. This article also touches on NERC compliance software and on the standards and substandards that make up NERC CIP. Let us walk through the 10 fundamentals of NERC CIP compliance.

10 Fundamentals Of NERC CIP Compliance:

  1. Asset Identification and Classification: The primary objective of NERC CIP-002-5.1 is to identify and classify BES Cyber Systems, which are defined as grouped collections of vital cyber assets (BES Cyber Assets). Cyber assets are in turn defined as programmable electronic devices and the data contained in them. As part of the categorization procedure, each BES Cyber System is rated according to the impact a disruption to it would have on the reliable supply of energy.
  2. Security Management Control: The purpose of this standard is to create unambiguous accountability for the protection of North American BES Cyber Systems. Accountability is achieved by delegating authority and appointing a senior manager to build policies around consistent and sustainable security management procedures. The standard also contains provisions for emergency scenarios.
  3. Background Checks and Training: Training of employees and contractors is one of the most significant parts of the NERC CIP guidelines. Personnel and Training is the subject of NERC CIP-004-6. The goal is to reduce the BES’s exposure to cyber threats from workers and contractors who have direct physical access or authorized cyber access, by screening and training those individuals.
  4. Network Security: This standard’s goal is to safeguard BES Cyber Systems against malfunction and instability, and it is also concerned with restricting network access to key assets. Companies must therefore build Electronic Security Perimeters (ESPs) around Cyber Assets, establishing a virtual boundary at which data flows can be monitored. Assets outside the ESP must connect to the protected network through a designated Electronic Access Point. Entities must monitor and maintain network segments, use data encryption, and manage all remote access, particularly from suppliers and other third parties.
  5. Physical Security: Physical assets and vital infrastructure are also at risk when it comes to cybersecurity. A visitor monitoring system, a physical security plan, and a maintenance and testing program are all examples of the operational and physical controls mandated under the CIP requirements. Personnel, visitors, and contractors must follow specific operational and procedural guidelines in each of these areas.
  6. System Security Management: Managing system security is another essential CIP requirement, and it must be carried out using specific technical, operational, and procedural components. This standard specifies the technical, organizational, and procedural requirements for securing all systems inside ESPs, including Cyber Assets that are not deemed critical.
  7. Incident Management: This standard gives organizations guidance on how to react to cyber events using a cybersecurity incident response plan. It covers the detection, classification, response, reporting, and documentation of events involving essential cybersecurity assets.
  8. Recovery Plans: Recovery planning is required in order to recover from a cybersecurity incident that has compromised the reliability of BES Cyber Systems. As with the incident management standards, the NERC CIP requirements for the recovery phase of a cybersecurity event cover specification, execution, testing, evaluation, and communication of the plans.
  9. Information Protection: This standard provides the criteria for identifying information that could affect the operation of the BES if it were manipulated, compromised, or stolen. It also establishes requirements for protecting that information and for the reuse and disposal of BES Cyber Assets.
  10. Change and Vulnerability Management: This standard specifies the regulatory requirement for detecting and preventing unauthorized modifications to Cyber Systems. Using configuration management controls and active vulnerability testing, the objective is to establish both a baseline level of protection and ongoing protection. The three compliance areas are:
  • Create a configuration baseline and an authorization procedure for operating systems, software, ports, and security patches.
  • Monitor the baseline for unauthorized modifications at least once every 35 days as part of configuration monitoring.
  • At least once every fifteen months, perform a vulnerability assessment, either as a live assessment or as a practice exercise.
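To make the baseline-monitoring area concrete, here is an added example (not part of the original article and not any vendor's compliance software) that diffs a recorded configuration baseline against a current snapshot, separates authorized from unauthorized changes, and checks whether the 35-day monitoring cadence has lapsed. All asset data, version numbers, and patch identifiers are constructed for illustration.

```python
from datetime import date

# Constructed baseline for one cyber asset, covering the four elements the
# standard names: operating system, software, open ports, security patches.
BASELINE = {
    "os": "Linux 5.10",
    "software": {"openssh": "8.4p1", "dnp3-gateway": "2.1.0"},
    "ports": {22, 20000},
    "patches": {"patch-0001"},
}
# Constructed current snapshot of the same asset, as an inventory tool reports it.
CURRENT = {
    "os": "Linux 5.10",
    "software": {"openssh": "8.4p1", "dnp3-gateway": "2.2.0"},
    "ports": {22, 23, 20000},
    "patches": {"patch-0001", "patch-0002"},
}
# Changes that went through the documented authorization procedure,
# recorded as (element, change description) so they match diff findings.
AUTHORIZED = {("patches", "+patch-0002")}
MONITOR_INTERVAL_DAYS = 35  # cadence the standard gives for baseline monitoring

def diff_baseline(baseline, current):
    """Return every (element, change) where the snapshot deviates from baseline."""
    findings = []
    if current["os"] != baseline["os"]:
        findings.append(("os", f"{baseline['os']} -> {current['os']}"))
    # Software: flag new, removed, or re-versioned packages.
    for name in sorted(set(baseline["software"]) | set(current["software"])):
        old, new = baseline["software"].get(name), current["software"].get(name)
        if old != new:
            findings.append(("software", f"{name}: {old} -> {new}"))
    # Ports and patches are plain sets: report additions and removals.
    for element in ("ports", "patches"):
        for added in sorted(current[element] - baseline[element]):
            findings.append((element, f"+{added}"))
        for removed in sorted(baseline[element] - current[element]):
            findings.append((element, f"-{removed}"))
    return findings

def unauthorized_changes(baseline, current, authorized):
    """Findings with no matching authorization record; these need investigation."""
    return [f for f in diff_baseline(baseline, current) if f not in authorized]

def monitoring_overdue(last_check_iso, today_iso):
    """True when the last baseline comparison is more than 35 days old."""
    gap = date.fromisoformat(today_iso) - date.fromisoformat(last_check_iso)
    return gap.days > MONITOR_INTERVAL_DAYS
```

In this sample the patch is covered by an authorization record, while the gateway upgrade and the newly open port 23 are reported as unauthorized deviations.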

We know that a cyber attack on the key structures of the nation, such as telecommunications, financial infrastructure, and transportation, can spell disaster and heavily affect the stability and economy of the country. That is why it is always important to be NERC CIP compliant.

By Manali