The NERC-CIP standard is the standard in cybersecurity applied by electricity companies in the US and that are responsible for the production and management of the electricity networks, the acronym corresponds to North America Electric Reliability Corporation, and CIP means Critical Infraestructure Protection, and its objective is to establish a set of specific requirements for the management of the safety of critical infrastructures linked to the production and management of the electricity networks.
The management and production of electrical energy has evolved over the years in order to meet a growing demand with high levels of availability, which has implied the inclusion of new technology and control mechanisms, which although they have allowed to meet these needs, have introduced by the very nature of the technologies involved, weaknesses and vulnerabilities that must be properly managed in order to mitigate risks in these complex systems, which on the other hand are generally the target of sophisticated attacks by criminal groups and organizations.
Initially this standard was developed in 2003 by NERC with the intention of creating a industrial safety standard for companies in the electricity sector, the initial version was named as NERC CSS ( Ciber Security Standards ), after successive improvements and evolutions the most current version is known as NERC-CIP, and although its It is North American origin, it is currently implanted in several Latin American countries such as Mexico, Colombia, Ecuador, Brazil, Chile and Peru.
Structure of the NERC-CIP standard
This standard is currently composed of 12 standards that establish the security controls that must be applied for the protection of both critical infrastructures and information, personnel who manage facilities, management of security systems and recovery plans for assets and infrastructures that are considered critical.
• CIP-002-5.1a BES (bulk electric system) Cyber System Categorization
• CIP-003-8 Security Management Controls
• CIP-004-6 Personnel & Training
• CIP-005-6 Electronic Security Perimeter(s)
• CIP-006-6 Physical Security of BES Cyber-Systems
• CIP-007-6 System Security Management
• CIP-008-6 Incident Reporting and Response Planning
• CIP-009-6 Recovery Plans for BES Cyber-Systems
• CIP-010-3 Configuration Change Management and Vulnerability Assessments
• CIP-011-2 Information Protection
• CIP-013-1 Supply Chain Risk Management
• CIP-014-2 Physical Security
Objectives of the NERC-CIP standard
The objective of the standard is to achieve the improvement of the safety of electrical distribution systems,for this, in addition to the development of controls and monitoring of compliance in the implementation of controls, are carried out risk assessments to identify and address vulnerabilities in the systems involved, in order to ensure a safe provision of electricity distribution services. For this, it is necessary to identify the critical assets in the electricity production and distribution infrastructures, on which control and monitoring mechanisms are established to prevent and alert about events related to safety.
In addition to monitoring, they must be applied access control mechanisms to these assets, and to industrial control systems (ICS), as well as establishing incident management and response procedures, with recovery and contingency plans, whether in the face of intentional attacks, industrial accidents or natural disasters, which guarantee continuity in the provision of services.
The implementation of cybersecurity standards and strategies in the so-called Critical Infrastructures, such as the electricity generation and distribution sector, allow preventing possible situations of vulnerability or disaster, training the companies involved in a more efficient response and with less impact on users and organizations that depend on them.
In GlobalSuite Solutions we have the GlobalSuite® software,to implement the NERC-PIC standard. The tool allows the implementation, management and maintenance of a Risk Management System based on the established objectives, likewise, it allows the evaluation and monitoring of the treatment of the defined risk.