NERC-CIP: Compliance with Regulations

What is the NERC-CIP standard?

NERC-CIP is the cybersecurity standard that applies to electricity companies in the USA responsible for generating electricity and operating the electricity grid. NERC stands for North American Electric Reliability Corporation, and CIP stands for Critical Infrastructure Protection. Its objective is to establish a set of specific requirements for managing the security of the critical infrastructures involved in the production and management of electricity grids.

The management and production of electrical energy have evolved over the years to satisfy growing demand with high levels of availability. This has meant adopting new technologies and control mechanisms which, while making it possible to meet these needs, have by their very nature introduced weaknesses and vulnerabilities that must be managed correctly to mitigate risk in these complex systems, which are frequently the target of sophisticated attacks by criminal groups and organisations.

The standard was originally developed by NERC in 2003 with the intention of creating an industrial security standard for companies in the electrical sector; the initial version was named NERC CSS (Cyber Security Standards). After successive improvements and revisions, the current version is known as NERC-CIP, and although its origin is North American, it is now also implemented in several Latin American countries, including Mexico, Colombia, Ecuador, Brazil, Chile and Peru.

Structure of the NERC-CIP standard

The standard is currently composed of 12 individual standards that establish the security controls to be applied for the protection of critical infrastructures, covering information, the personnel who manage the facilities, the management of security systems, and recovery plans for assets and infrastructures that are considered critical.

  • CIP-002-5.1a BES (Bulk Electric System) Cyber System Categorization
  • CIP-003-8 Security Management Controls
  • CIP-004-6 Personnel & Training
  • CIP-005-6 Electronic Security Perimeter(s)
  • CIP-006-6 Physical Security of BES Cyber Systems
  • CIP-007-6 System Security Management
  • CIP-008-6 Incident Reporting and Response Planning
  • CIP-009-6 Recovery Plans for BES Cyber Systems
  • CIP-010-3 Configuration Change Management and Vulnerability Assessments
  • CIP-011-2 Information Protection
  • CIP-013-1 Supply Chain Risk Management
  • CIP-014-2 Physical Security

Objectives of NERC-CIP standard

The objective of the standard is to improve the security of electricity distribution systems. To this end, in addition to defining controls and monitoring their implementation, risk assessments are carried out to identify and address vulnerabilities in the systems involved, so as to ensure the secure provision of electricity distribution services. This requires identifying the critical assets in electricity production and distribution infrastructures and establishing control and monitoring mechanisms for them to prevent, and give warning of, security-related events.

In addition to monitoring, access control mechanisms must be applied to these assets and to the industrial control systems (ICS), and incident management and response procedures must be established, together with recovery and contingency plans, to ensure continuity of service in the face of intentional attacks, industrial accidents or natural disasters.

Implementing cybersecurity standards and strategies in the so-called Critical Infrastructures, such as the electricity generation and distribution sector, makes it possible to prevent potential situations of vulnerability or disaster, enabling the companies involved to respond more efficiently and with less impact on the users and organisations that depend on them.

At GlobalSUITE Solutions we offer the GlobalSUITE® software to implement the NERC-CIP standard. The tool supports the implementation, management and maintenance of a Risk Management System based on the established objectives, as well as the evaluation and monitoring of the defined risk treatment.