The NERC CIP Topics and Why You Should Care
by Abdul Aziz Mondal Technology 27 October 2021
The NERC CIP (Critical Infrastructure Protection) standards are mandatory cybersecurity requirements for entities that own, operate, or control facilities making up the Bulk Electric System (BES), the North American (U.S. and Canadian) electric power grid.
The first version (CIP-002 through CIP-009) was approved by the Federal Energy Regulatory Commission (FERC) in 2008. Their broad requirements have driven substantial security investment by the regulated utilities.
They laid the foundation for cybersecurity awareness among North American electric utilities. Just as important, they have become the model for Operational Technology (OT) cybersecurity compliance programs in other sectors and regions, which is why industrial security managers outside the power sector should pay attention to them as well.
Which Topics Do NERC CIP Standards Cover?
Subject | Standard |
Sabotage Reporting (retired) | CIP-001 |
BES Cyber System Categorization: asset identification and classification, inventory validation | CIP-002 |
Security Management Controls: designation of a senior accountable executive (the CIP Senior Manager), policy and governance, plan creation and maintenance, including plans for low impact BES Cyber Systems | CIP-003 |
Personnel and Training: security awareness, training, personnel risk assessment (background checks), access management and access reviews | CIP-004 |
Electronic Security Perimeter(s): electronic access points and network protection, Interactive Remote Access management | CIP-005 |
Physical Security of BES Cyber Systems: physical security plan, creation and monitoring of physical access controls, physical protection of Cyber Assets | CIP-006 |
System Security Management: ports and services, patch management, malware prevention, security event logging, credential and password management, shared account management | CIP-007 |
Incident Reporting and Response Planning | CIP-008 |
Recovery Plans for BES Cyber Systems: backup and restoration, operations continuity | CIP-009 |
Configuration Change Management and Vulnerability Assessments: configuration baselines and change monitoring, vulnerability assessment, Transient Cyber Asset management | CIP-010 |
Information Protection: classification and protection of BES Cyber System Information, media reuse and disposal | CIP-011 |
Communications between Control Centers | CIP-012 |
Supply Chain Risk Management | CIP-013 |
Physical Security of key transmission substations and control centers | CIP-014 |
The NERC CIP standards cover largely the same broad topics as other cybersecurity frameworks such as the NIST Cybersecurity Framework (CSF) or the CIS Controls (formerly the CIS Top 20).
The difference is that NERC CIP is far more prescriptive, and it is enforceable: organizations subject to it can be audited and, in the event of non-compliance, fined, potentially heavily.
Even so, while the requirements are mandatory and carry the risk of penalties, several of them are specified loosely enough that entities need additional guidance to interpret and implement them.
Why are NERC CIP Standards Important?
If you are a North American electric utility, you already know that NERC CIP compliance demands substantial investment and carries the risk of penalties. Most fines are in the low five figures, but penalties of more than one million dollars have been levied for series of systemic violations.
The real cost of a poor audit is greater than the fine itself. Self-reported violations or negative audit findings create management problems with shareholders, boards, regulators, and other stakeholders.
Electric utilities are the primary subject of NERC CIP, but other industries across North America and the world should begin to understand these standards now and prepare for similar requirements in their own sectors.
So, What’s The Takeaway?
The direction of cybersecurity regulation is clear: more prescriptive requirements and more auditing by regulators. This will require a significant shift in thinking, investment, and initiatives across industries worldwide.
Because the risk is now better understood, we would expect new standards to be rolled out more quickly than NERC CIP was. That means less time for planning and development, but scoping, which was decisive for NERC CIP, will matter just as much.
Cybersecurity is frequently described as "defense in depth", and layered defenses of that kind are built up over years. An organization cannot simply leap to maturity level 5.
The earlier it starts to chart its course, using NERC CIP and the other frameworks as guides, the more achievable future regulatory compliance becomes.