North American Electric Reliability Corporation – Critical Infrastructure Protection
- NERC is a non-profit corporation tasked with ensuring the reliability and security of the bulk power transmission system in North America.
- Nine standards covering the security of electronic perimeters, physical security of critical cyber assets, personnel and training, security management, disaster recovery and more. The overriding goal of CIP-002 through CIP-009 (CIP-001 generally isn’t tied to cybersecurity) is to ensure the bulk electric system is protected from unwanted and destructive effects caused by cyberterrorism and other cyberattacks, including attacks from within the utility (i.e., insider threats).
- CIP-001 – Sabotage reporting
- CIP-002 – Critical cyber asset identification: identify critical assets and perform a risk-based assessment of those assets on a regular basis
- CIP-003 – Security management controls: Policies for monitoring and changing the configuration of critical assets need to be defined, as do policies governing access to internally and externally facing critical assets
- CIP-004 – Personnel and training
- CIP-005 – Electronic security perimeters: A logical perimeter needs to be established around critical cyber assets, including the use of firewalls to block vulnerable ports and attack monitoring tools such as intrusion detection and prevention systems
- CIP-006 – Physical security of critical cyber assets: organizations need to enforce controls on physical access to critical cyber assets
- CIP-007 – Systems security management: Systems for monitoring security events need to be deployed
- CIP-008 – Incident reporting and response planning: Comprehensive emergency response plans for cyberattacks
- CIP-009 – Recovery plans for critical cyber assets: recovery from natural disasters and other unplanned events
- More than 100 NERC Reliability Standards
- Requirements for protecting critical assets used in the bulk electric system and the systems that support those assets
- Note: Version 3 of the NERC CIP standards is currently under development, and will focus on inclusion of the level-2 SCADA protocols, encryption of communications, forensics following a cyber incident and closer alignment with the National Institute of Standards and Technology (NIST) standards for cyber security.
- Federally designated Electric Reliability Organization that develops and enforces reliability standards and requirements for planning and operating the collective bulk power system
- Accredited by the American National Standards Institute
- It covers resource, transmission, personnel and training, emergency preparedness and the design and maintenance of facilities, including nuclear power facilities.
- Standards, including CIP, are mandatory for users, owners and operators of the bulk electric power system, i.e., entities that serve specific functions in the electric power network, such as generator owners and generator operators, as well as transmission owners and transmission operators
- NERC CIP is all about management of cyber assets (IT infrastructure) — the systems that support the operation of the bulk electric system. Because much of the infrastructure supporting the bulk electric power system is IP-based, the NERC CIP standards provide guidelines for the identification and management of critical cyber assets, as well as the security (both physical and cyber) of those assets. And, while many of the disaster scenarios facing the electric grid concern natural disasters like hurricanes and floods, increased attention in recent years on cyberattacks on utilities has raised the specter of terrorist- or state-sponsored attacks on the electric grid.
- Penalties – The levying of fines as well as sanctions or other actions against covered entities