A Complete Guide to Scoping Your Organization for NERC CIP
by Arina Smith, Business Security Systems, 28 September 2021
Understanding how to scope your energy system for NERC CIP security assessments can be a difficult process. For many security executives at utility and power organizations, working out which IT and OT assets fall within the scope of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) conformity requirements is the hardest obstacle to determining whether they are compliant or not.
With the increasing prevalence of attacks on cyber infrastructure, these compliance standards reduce the risk of operating within the Bulk Electric System (BES) and shield both entities and consumers from the consequences of exploitation and misuse within large energy systems.
The various NERC compliance standards to follow are listed below.
CIP-003-7: Cyber Security – Security Management Control
In accordance with this standard, you should identify who has access to security controls and their roles. This way, everyone involved in running the BES within your company will be accountable when they fail to perform their duties.
CIP-003-7 is an expansion of CIP-002-5.1a and is used in conjunction with the other controls within the NERC CIP. This regulation requires your company to submit policy documents to its document management system and to have every cyber security policy reviewed by the responsible functional authority at least every 15 months.
CIP-004-6: Cyber Security – Personnel & Training
To meet this requirement, the functional entity will have to submit evidence of background checks on employees and records proving the review of cybersecurity policies and incident response plans, physical and electronic access control, and the handling of cyber-related system data.
This requirement uses a risk-based method to determine the training your company’s employees receive and who is granted access to critical cybersecurity assets.
CIP-005-5: Cyber Security – Electronic Security Perimeter(s)
CIP-005-5 is a guideline for the extent of your electronic security perimeter and the effort you put into maintaining it. Your electronic security perimeter needs to be protected from cyber-attacks and uncontrolled external communications, and it is used to protect your company’s private information.
Any external communications or dial-up connections should be controlled through a protected access point. Multi-factor authentication, encryption of remote access, and anti-malware updates must be in place to meet this requirement.
CIP-006-6: Cyber Security – Physical Security of BES Cyber-Systems
This regulation describes the physical security boundaries that protect your cyber assets. To show compliance with this regulation, you’ll have to demonstrate guidelines that restrict physical access, track any unauthorized access, establish access control measures for physical assets, maintain logs of access to physical assets, monitor the physical security of access controls, retain those logs, establish an alerting system, and maintain the physical security of access controls over time.
CIP-007-6: Cyber Security – System Security Management
This guideline is focused on best practices for managing the security of your systems. To meet the CIP-007-6 requirement, technical, operational, and procedural controls are required for all companies working under NERC. You must provide evidence of a patch management process that keeps your software up to date, malware protection software, and password requirements covering all critical and non-critical assets.
CIP-008-5: Cyber Security – Incident Reporting and Response Planning
To comply with this rule, your business must have procedures and policies in place to record and report incidents within your business or to the BES. This requires a system-wide response plan that documents the roles and responsibilities of everyone involved.
The mandate calls for the response plan to be tested every 15 months. Additionally, your business must report any cybersecurity-related incidents to the Electricity Sector Information Sharing and Analysis Center.
CIP-009-6: Recovery Plans for BES Cyber-Systems
CIP-009-6 addresses industry best practices for recovering cyber assets and for using backup media in the event of corruption or loss of data in BES systems. These measures should be in place before an event occurs so that data can be protected and restored swiftly.
Data recovery plans must include a recovery program covering change control, backup and restoration processes, and verified backup media that conforms with best practices for disaster recovery, and they must cover all of your critical cyber assets.
It is important to ensure that your energy system is compliant with the various NERC CIP standards. Understand the standards described above clearly and make sure you implement them in your energy systems.