What are the NERC CIP Cybersecurity Standards?
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are a set of regulatory cybersecurity requirements designed to secure the assets critical to the reliability of the North American bulk electric system (BES).
The NERC CIP Standards include:
CIP-002-5.1a Cyber Security - BES Cyber System Categorization
To identify and categorize BES Cyber Systems and their associated BES Cyber Assets for applying cybersecurity requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES.
What it means: Here, the framework prioritizes the inventory of any connected systems that fall within the scope of the NERC CIP standards. As with any cybersecurity framework, knowing what you and your organization are protecting is paramount to success. If you don’t know how many assets you’re protecting and don't run vulnerability assessments, you leave yourself open to unexpected threats.
CIP-003-7 Cyber Security - Security Management Controls
To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
What it means: Organizations must outline the controls they have in place to secure the assets they scoped for the previous section. This sits at the highest level and is most relevant to cybersecurity program managers and CISOs, because it gives visibility into the security activities, responsible entities, and steps to secure the organization's assets.
CIP-004-6 Cyber Security - Personnel & Training
To minimize the risk of compromise that could lead to misoperation or instability in the Bulk Electric System (BES) from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.
What it means: One of the most unpredictable variables of any cybersecurity program is human error. Because the grid is of such great importance, those adhering to NERC CIP must include personnel training in their cybersecurity program.
CIP-005-5 Cyber Security - Electronic Security Perimeters
To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
What it means: Organizations must make sure that they are aware of who has access to what assets and what amount of access they have.
CIP-006-6 Cyber Security - Physical Security of BES Cyber Systems
To manage physical access to Bulk Electric System (BES) Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
What it means: Organizations must also consider the physical security of these assets.
CIP-007-6 Cyber Security - System Security Management
To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
What it means: Ensure that your organization has documentation supporting your activities to secure your assets, including previously listed activities and processes.
CIP-008-5 Cyber Security - Incident Reporting and Response Planning
To mitigate the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.
What it means: Ensure that you and your organization have a clear and documented plan if a cyber event happens.
CIP-009-6 Cyber Security - Recovery Plans for BES Cyber Systems
To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.
What it means: You and your organization should also have a documented plan for disaster recovery - how does your organization ensure that business and operations remain uninterrupted in the face of an event?
CIP-010-2 Cyber Security - Configuration Change Management and Vulnerability Assessments
To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
What it means: This element goes hand-in-hand with access control: ensure you have systems and processes in place for when configurations are changed. Unauthorized or unsupervised configuration changes can pose a great security threat, and you must ensure that systems are in place to protect against them.
CIP-011-2 Cyber Security - Security Protection
To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
What it means: Getting a level deeper, the controls necessary to satisfy these requirements are specific tactics and solutions (endpoint solutions) to protect specific elements and assets of the organization.
CIP-014-2 Physical Security
To identify and protect Transmission stations and Transmission substations and their associated primary control centers that if rendered inoperable or damaged due to a physical attack, could result in instability, uncontrolled separation, or Cascading within an Interconnection.
What it means: The grid sits at one of the largest intersections of the digital and physical realms. If the grid is down, access to the digital fails. As a result, organizations must also consider the steps they are taking to protect the physical centers that keep the grid online.