What is NERC? Everything you need to know
Electric grids are part of every nation’s critical infrastructure. Every societal activity and business depends on reliable and safe electricity distribution. The US electric grid is a huge network of powerlines, distribution hubs, and renewable and non-renewable energy generators that is increasingly exposed to cyber-physical risks due to the accelerated reliance on cyber-enabled systems and IoT-connected devices, such as smart meters.
The North American Electric Reliability Corporation (NERC) is the organization responsible for ensuring the security and reliability of electric grids. Its Critical Infrastructure Protection (CIP) reliability standards give responsible entities the processes to achieve a crucial mandate: secure the electric grid from physical and cyber threats.
Let’s dive into the amazing world of NERC!
What is NERC?
Back in 1965, an outage caused by high demand for power in Ontario and a misconfigured protective relay started a chain of events that led to a widespread blackout across New England, New York, and New Jersey. The United States Federal Power Commission investigated and reported on the blackout, recommending the establishment of “a council on power coordination made up of representatives from each of the nation’s Regional coordinating organizations.”
The National Electrical Reliability Council (NERC) was created on June 1, 1968, to promote the reliability and adequacy of bulk power transmission in the electric utility systems of the United States. In 1981, the organization changed its name to North American Electric Reliability Corporation in recognition of Canada’s participation in electricity production and distribution.
Today, NERC is a regulatory organization that works to reduce risks to power grid infrastructure. It does this through the continual development of a set of regulatory standards, in addition to education, training, and certifications for industry personnel.
What are the NERC Critical Infrastructure Protection (CIP) Reliability Standards?
It took another major outage in 2003 in Ohio that affected the NYC subway system for NERC to develop the Critical Infrastructure Protection (CIP) reliability standards. Although the initial scope was not about cybersecurity, the introduction of NERC CIP marks the beginning of a delicate dance between reliability and security.
NERC CIP v5 was ratified in 2013 to remove some of the gray areas of previous versions. This version introduced the concept of the BES (bulk electric system) and Cyber System Categorization and set well-defined compliance and scoping criteria. Utilities began budgeting and planning for the changes, and audits became more widespread.
Cybersecurity professionals working within the electrical grid and other critical infrastructure supply industries must comply with NERC CIP. Fines for noncompliance can reach up to $1 million per day, so energy organizations must spend substantial time, resources, and budget ensuring that their systems comply with the standard. This can prove difficult, as the CIP standards require implementing complex cybersecurity controls around their physical and cyber assets and maintaining ongoing proof of NERC compliance for auditors. Organizations often implement cybersecurity software and hardware solutions to automate NERC CIP compliance within their systems.
NERC CIP Standards
NERC CIP is broken down into subsections, each giving detailed directives on how to properly implement and enforce its requirements. The standards continue to evolve, covering uncharted areas like the use of removable media, transient assets, and supply chains. As of today, NERC has 13 critical infrastructure protection requirements:
CIP-002-5.1a BES Cyber System Categorization: Identify and categorize bulk electric system (BES) cyber assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES cyber assets could have on the reliable operation of the BES.
CIP-003-8 Security Management Controls: Specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES cyber systems against compromise.
CIP-004-6 Personnel & Training: Minimize the risk of compromise that could lead to misoperation or instability in the BES from individuals accessing BES cyber systems by requiring an appropriate level of personnel risk assessment, training, and security awareness.
CIP-005-7 Electronic Security Perimeter(s): Manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
CIP-006-6 Physical Security of BES Cyber Systems: Manage physical access to BES cyber systems by specifying a physical security plan to protect BES cyber systems against compromise.
CIP-007-6 System Security Management: Manage system security by specifying select technical, operational, and procedural requirements to protect BES cyber systems against compromise.
CIP-008-6 Incident Reporting and Response Planning: Mitigate the risk to the reliable operation of the BES by specifying incident response requirements.
CIP-009-6 Recovery Plans for BES Cyber Systems: Recover reliability functions performed by BES cyber systems by specifying recovery plan requirements.
CIP-010-4 Configuration Change Management and Vulnerability Assessments: Prevent and detect unauthorized changes to BES cyber systems by specifying configuration change management and vulnerability assessment requirements to protect BES cyber systems from compromise.
CIP-011-2 Information Protection: Prevent unauthorized access to, and compromise of, BES cyber systems that would affect the stability of the BES.
CIP-012-1 Communications between Control Centers: Protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between Control Centers.
CIP-013-2 Supply Chain Risk Management: Mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.
CIP-014-3 Physical Security: Identify and protect transmission stations and transmission substations and their associated primary control centers that, if rendered inoperable or damaged as a result of a physical attack, could result in instability, uncontrolled separation, or cascading within an interconnection.
Latest Developments
Updates are always emerging to adapt to the changing technology and risk environment. It is worth noting two developments coming from the Federal Energy Regulatory Commission (FERC) and NERC.
FERC issued a final rule on January 19, 2023, directing NERC to develop new or updated CIP reliability standards. These standards include requirements for internal network security monitoring (INSM), specifically for high-impact Bulk Electric System (BES) cyber systems and medium-impact BES cyber systems with external connectivity. INSM functions within a trusted zone, such as an Electronic Security Perimeter (ESP), providing an extra layer of protection when perimeter network defenses are breached. This is a critical addition, enabling the monitoring of internal communications and the identification of potentially harmful activity.
In March 2023, the approval of NERC CIP-003-9 marked a significant change in the way low-impact BES supply chain risks are managed. This new standard replaces CIP-003-8, which only dealt with high and medium-impact systems. The updated rule now requires organizations to include vendor electronic remote access security controls in their cybersecurity policies. This change is in response to the risks posed by the potential introduction of malicious code and unauthorized remote access by vendor employees.
How Tripwire Helps You Be NERC CIP Compliant
The burden of NERC CIP audit documentation can be daunting. In addition to standard reports, auditors will often request ad hoc proof while onsite. Tripwire delivers a preferred solution for registered entities and auditors alike with the standard out-of-the-box reporting required by the regulations. Its comprehensive tracking of your entire infrastructure can also provide on-demand responses to auditors’ ad hoc queries. Tripwire not only documents your compliance status but can also record authorized waivers and exceptions for complete compliance documentation.
Tripwire keeps up with the ever-changing NERC CIP standards, so you don’t have to. Tripwire allows you to efficiently apply new controls to new asset classes when needed. You can also take advantage of Tripwire’s professional services staff. They are experts in NERC CIP compliance and can help you apply the proper controls, generate the appropriate documentation and meet demanding deadlines for changing regulations.