NERC CIP Standards Background and Basics
The North American Electric Reliability Corporation (NERC) is an international regulatory organization that works to reduce risks to power grid infrastructure. It does this through the continual development of a set of regulatory standards, in addition to education, training, and certifications for industry personnel.
NERC manages several subcommittees in order to cover the breadth of their efforts to keep the energy grid safe from cyberattack:
- Compliance and certification committee
- Critical infrastructure protection committee
- Operating committee
- Personnel certification governance committee
- Planning committee
- Reliability issues steering committee
- Standards committee
Who Uses NERC Reliability Standards
Cybersecurity professionals who work within the electrical grid and other critical infrastructure supply industries are mandated to comply with NERC CIP (CIP meaning critical infrastructure protection). NERC CIP standards are enforced by audit, so energy organizations are required to spend substantial time, resources and budget making sure that their systems stay in compliance with the standard. This can prove difficult, as the CIP standards require they implement a complex set of cybersecurity controls around their physical and cyber assets and maintain ongoing proof of NERC compliance for auditors. Organizations often implement cybersecurity software and hardware solutions to automate NERC CIP compliance within their systems.
The vision for the Electric Reliability Organization Enterprise, which is comprised of NERC and the six Regional Entities, is a highly reliable and secure North American bulk power system. Our mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid. — NERC
The Importance of Physical Security for Critical Assets
Critical assets are those that sustain the delivery of your product—be it the treatment of water and wastewater or the power supply for your local grid. A critical asset-based approach puts the safety, reliability and uptime of these assets front and center. NERC improves the North American power system’s security by showing critical infrastructure suppliers how to protect their most important assets in implementing the NERC CIP standards.
NERC CIP standards
NERC CIP is broken down into several sub-standards that give detailed directives on how to properly implement and enforce them. Here is a breakdown of the standards currently enforced under NERC CIP v6 along with a quick summary of each from NERC.
CIP 002: BES Cyber System Categorization
Purpose: To identify and categorize BES Cyber Systems and their associated BES Cyber Assets for the application of cybersecurity requirements commensurate with the adverse impact that loss, compromise or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES.
CIP 003: Security Management Controls
Purpose: To specify consistent and sustainable security management controls that establish responsibility and accountability to protect Bulk Electric System (BES) Cyber Systems against compromise that could lead to misoperation or instability in the BES.
CIP 004: Personnel and Training
Purpose: To minimize the risk against compromise that could lead to misoperation or instability in the Bulk Electric System (BES) from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training and security awareness in support of protecting BES Cyber Systems.
CIP 005: Electronic Security Perimeter(s)
Purpose: To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
CIP 006: Physical Security of BES Cyber Systems
Purpose: To manage physical access to Bulk Electric System (BES) Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
CIP 007: System Security Management
Purpose: To manage system security by specifying select technical, operational and procedural requirements in support of protecting Bulk Electric System (BES) Cyber Systems against compromise that could lead to misoperation or instability in the BES.
CIP 008: Incident Reporting and Response Planning
Purpose: To mitigate the risk to the reliable operation of the BES as the result of a cyber security incident by specifying incident response requirements.
CIP 009: Recovery Plans for BES Cyber Systems
Purpose: To recover reliability functions performed by BES Cyber Systems by specifying recovery planning requirements in support of the continued stability, operability and reliability of the BES.
CIP 010: Configuration Change Management and Vulnerability Assessments
Purpose: To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the BES.
CIP 011: Information Protection
Purpose: To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
CIP 014: Physical Security
Purpose: To identify and protect Transmission stations and Transmission substations and their associated primary control centers that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation or Cascading within an Interconnection.
Fines for noncompliance can reach up to $1 million per day, which is reason enough for most industrial control system organizations to pour substantial time and resources into staying compliant. NERC’s compliance Violation Severity Levels (VSLs) range from low to severe and delineate the level to which a non-compliant entity missed their mark in the eyes of their auditor.
The Federal Energy Regulatory Commission (FERC)
FERC is another regulatory body that works closely with NERC to regulate compliance within the energy sector. They occasionally release new rules mandating additions to the NERC CIP standards. For example, as of June 2019, they’ve added the above CIP 008 rule due to growing concern about underreporting of cybersecurity incidents within critical infrastructure organizations. This includes both actual disruptions to service as well as attempted but failed disruptions, which also provide the industry with helpful information on how to prevent similar future attempts by cybercriminals.
How Tripwire Helps You Get—and Stay—NERC CIP Compliant
The burden of NERC CIP audit documentation can be daunting. In addition to standard reports, auditors will often request ad hoc proof while onsite. Tripwire delivers a preferred solution for registered entities and auditors alike with the standard out-of-the-box reporting required by the regulations. Its comprehensive tracking of your entire infrastructure can also provide on-demand responses to auditors' ad hoc queries. Tripwire not only documents your compliance status but can also record authorized waivers and exceptions for complete compliance documentation.
One way you can streamline your operations around NERC CIP v6 compliance is Tripwire's allowlisting capabilities. Tripwire lets you define system settings in alignment with compliance standards like NERC CIP, automating compliance and delivering hard proof to share with your auditors. Settings are enforced through agent-based scans, sending alerts directly to your Tripwire Enterprise dashboard when compliance misconfigurations are discovered.
Tripwire keeps up with the ever-changing NERC CIP standards so you don’t have to. Tripwire allows you to efficiently apply new controls to new asset classes when needed. You can also take advantage of Tripwire’s professional services staff. They are experts in NERC CIP compliance and can help you apply the proper controls, generate the appropriate documentation and meet demanding deadlines for changing regulations.
Further reading: Tripwire NERC CIP Case Study
See how you can use Tripwire to automate your compliance tasks and reduce the time required to meet NERC CIP requirements.