If a malicious actor wanted to disable a country's or state's power supply, the utility sector would be among the first targets, as seen in the Moore County power outage and the recent attacks on Portland's infrastructure. When the stakes are this high, security must be prioritized throughout the systems and processes involved. This is why meeting and operating within the parameters of the NERC CIP controls is so critical.
This guide gives a concise explanation of the fundamentals of the NERC CIP cybersecurity standards and answers the questions organizations most often have about becoming compliant. It also points to helpful resources that will assist you in understanding, step by step, what your utility company needs to do to become compliant.
To protect North American bulk electric transmission systems, the North American Electric Reliability Corporation developed the Critical Infrastructure Protection (CIP) program, a set of standards that regulates, enforces, monitors, and manages the security of those systems. The CIP compliance framework was developed in 2008 as a means to contain cybersecurity attacks on the Bulk Electric System. Although initially not required by law, the standards were used as a risk mitigation tool, which led to them becoming an industry standard.
The North American Electric Reliability Corporation is known as NERC, and the Critical Infrastructure Protection Program is known as CIP.
In accordance with the NERC CIP, utility companies across North America are expected to adhere to a baseline set of cybersecurity measures. A major goal of operating in compliance with CIP is to ensure that the users and customers of the system are protected from threats that may affect its timely and effective functioning (including cyberattacks, cybervandalism, and acts of cyberterrorism).
In order to comply with CIP, risk and compliance managers need to develop standards, perform ongoing risk assessments, plan for business continuity in the event of disruptions, enforce IT controls, and share relevant information with different stakeholders throughout the organization.
Some of the terms found in NERC's glossary include the following.
Adequacy - This is the ability of the electric system to provide the aggregate electrical demand and energy needs of the end-users at all times, taking into account scheduled as well as reasonably anticipated unscheduled outages of the system components.
Capacity Emergency - This situation occurs when a Balancing Authority Area's operating capacity, plus firm purchases from other systems (to the extent available or limited by transfer capabilities), is not sufficient to meet demand and all the regulatory requirements placed on it.
Dynamic Transfer - As the name implies, this is the provision of real-time monitoring, computer software, hardware, communications, engineering, energy accounting (including accidental interchange), and administration that are required to electronically transfer the real energy services associated with a generator or load from one Balancing Authority Area to another.
Real-time Assessment - An evaluation of system conditions using Real-time data to assess existing (pre-Contingency) and potential (post-Contingency) operating conditions. An assessment must take into account the following inputs: load, generation output levels, the known state and degradation of Protection Systems and Remedial Action Schemes (including their functions and limitations), outages, generator outages, facility ratings, exchanges, phase angles, and equipment limitations. Third-party services or internal systems may be used for Real-time Assessment.
You can continue reading the full NERC glossary here.
As many experts in the field point out, one of the biggest challenges under NERC CIP is maintaining auditable proof of the security measures that have been implemented. When you tell an auditor that a security measure has been taken, you will be expected to provide proof, so audit logs must be retained for an extended period of time. To confirm that an action was carried out, there must be auditable proof that can be readily handed to the auditors, showing the date, time, and place where the action was taken. Observability platforms and compliance solutions for NERC CIP can help organizations meet the standards by retaining data in accordance with NERC CIP v3 and v5.
There should be an audit trail for every change made to the system, so that you can show what was changed, who made the change, and why it was made. All audit log records should be kept in one centralised location so that inspectors can confirm that the appropriate information is stored and maintained.
Because auditors often ask for proof that specific internal security actions were performed at specific times, it is in your best interests to retain audit logs comprehensively, preserving the proof of every security action performed. Many observability platforms also provide end-to-end traceability to help ensure requirements are met; with traceability, software risks can be identified and managed much more efficiently.
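As an added illustration of the auditable proof discussed above (this is not code from the article or from NERC), the following Python sketch records who, what, where, why and when for each change and hash-chains the records so that later alteration of the evidence is detectable; the asset names, change-request numbers and timestamps are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first record


def _digest(record: dict) -> str:
    """SHA-256 over every field except the record's own hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_change(log: list, who: str, what: str, where: str, why: str,
                  when: Optional[str] = None) -> dict:
    """Append one change record, chained to the previous record's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"seq": len(log),
              "when": when or datetime.now(timezone.utc).isoformat(),
              "who": who, "what": what, "where": where, "why": why,
              "prev_hash": prev}
    record["hash"] = _digest(record)
    log.append(record)
    return record


def verify_chain(log: list) -> tuple:
    """Return (True, -1) if the chain is intact, else (False, seq of first bad record)."""
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev_hash"] != expected_prev or rec["hash"] != _digest(rec):
            return False, i
        expected_prev = rec["hash"]
    return True, -1


def evidence_for(log: list, where: str, since: str, until: str) -> list:
    """The slice an auditor asks for: changes to one asset within a time window."""
    return [r for r in log if r["where"] == where and since <= r["when"] <= until]


def tampered_copy(log: list, seq: int, field: str, value: str) -> list:
    """Deep copy with one field altered after the fact (simulates evidence tampering)."""
    altered = json.loads(json.dumps(log))
    altered[seq][field] = value
    return altered


def build_sample_log() -> list:
    """Constructed sample records; asset names and ticket numbers are placeholders."""
    log = []
    append_change(log, "jdoe", "patched RTU firmware 2.3 -> 2.4", "substation-A/RTU-01",
                  "CR-1042 (vendor advisory)", "2024-03-01T10:15:00+00:00")
    append_change(log, "asmith", "added firewall rule: allow tcp/20000 from EMS", "substation-A/FW-01",
                  "CR-1043 (new DNP3 master)", "2024-03-02T08:40:00+00:00")
    append_change(log, "jdoe", "rotated local admin credential", "substation-A/RTU-01",
                  "CR-1050 (quarterly rotation)", "2024-04-05T09:00:00+00:00")
    return log
```

Storing such a chain centrally and periodically re-running `verify_chain` is what lets you hand an auditor evidence whose integrity can itself be demonstrated.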
As part of CIP compliance, NERC's Critical Infrastructure Protection Committee (CIPC) has provided cybersecurity guidelines, which form the basis of this checklist. In keeping with NERC's efforts to educate, train, and certify industry personnel, the checklist is intended to serve as a baseline set of cybersecurity requirements for meeting compliance-driven objectives required by law.