What is NERC CIP Compliance?

The North American Electric Reliability Corporation (NERC) is the international regulatory authority whose mission is to assure the reliability and security of the bulk power system in North America. NERC develops and enforces reliability standards for the supply of power in the United States and Canada, as well as northern Baja California, Mexico.

To help improve cybersecurity at critical infrastructures, the NERC standards (Critical Infrastructure Protection (CIP) standards), were created to identify a set of cyber controls and protections that power suppliers and generators must address. To be NERC CIP compliant, power supply owners and operators must ensure the implementation of security requirements documented in the regulatory standards. Under these standards, you are required to identify critical assets and regularly perform a risk analysis. Failure to fully comply can result in significant fines and penalties.

DirectDefense services can fully support your security program in becoming compliant with the NERC standards. Our consultants can assist with the implementation of these standards or perform a third-party audit in the following enforceable areas of the standards:

  • Critical Asset Identification
  • Cyber System Categorization
  • Personnel & Training
  • Electronic Security Perimeter(s)
  • Physical Security
  • System Security Management
  • Incident Reporting and Response Planning
  • Disaster Recovery
  • Change Management
  • Vulnerability Assessment

Understanding NERC Compliance

The North American Electric Reliability Corporation (NERC) implements and oversees compliance with its Critical Infrastructure Protection (CIP) standards. CIP specifies minimum security requirements for bulk power systems, requiring energy sector infrastructures to maintain testing and remediation of security vulnerabilities.

NERC standards were essentially developed to reduce risks to the reliability and security of the power grid.

How NERC CIP is Protecting Infrastructure Security Through a Set of Standards

The standards for NERC CIP are not arbitrary and compliance is imperative to ensure dependable power production. Today’s sophisticated security attacks can do serious harm through mass power disruptions, and the interconnectivity of energy transmission networks makes them all the more vulnerable to attack.

Reliable and uninterrupted power production is protected through enforcing the standards and acknowledging their importance by system operators. One way to ensure power system operators understand the importance of the standards is through NERC certification.

How to Obtain a NERC Certification

Even if your company is working with a managed security services provider (MSSP) to help you meet NERC CIP and other standards, having system operators who have obtained their NERC certification is a great way to ensure they meet minimum security standards and understand the importance of these standards.

An operator can earn NERC certification by taking an exam and completing continuing education every three years that is approved by the North American Electric Reliability Corporation. The NERC certification ensures system operators will be knowledgeable on:

  • Balancing infrastructure resources and demand
  • Emergency preparedness and response
  • Contingency analysis and reliability
  • Communication and data

Third-Party Vendor Risk Management

Critical infrastructures like bulk power systems must be diligent about vendor risk and vendor risk management. Third-party vendors are regularly involved in the production or installation of SCADA systems to control major infrastructure operations, including utilities, making it important to conduct a vendor risk assessment before hiring or utilizing a third party.

Vendor risk can include poor password protections for an ICS architecture or allowing their databases to be compromised by attackers. The increasing use of digital technologies to connect critical infrastructure systems can lead to more risk in any supply chain. Critical infrastructures like bulk power grids should properly vet vendors by performing a vendor risk assessment before leveraging any type of third-party service or technology.