What is NERC CIP Compliance?
The North American Electric Reliability Corporation (NERC) is the international regulatory authority whose mission is to assure the reliability and security of the bulk power system in North America. NERC develops and enforces reliability standards for the supply of power in the United States and Canada, as well as northern Baja California, Mexico.
To help improve cybersecurity at critical infrastructures, NERC created the Critical Infrastructure Protection (CIP) standards, which identify a set of cyber controls and protections that power suppliers and generators must address. To be NERC CIP compliant, power supply owners and operators must implement the security requirements documented in the NERC CIP standards. Under NERC CIP, you are required to identify critical assets and regularly perform a risk analysis. Failure to fully comply can result in significant fines and penalties.
DirectDefense services can fully support your security program in becoming compliant with the NERC standards. Our consultants can assist with the implementation of NERC CIP standards or perform a third-party audit in the following enforceable areas of the NERC CIP standards:
- Critical Asset Identification
- Cyber System Categorization
- Personnel & Training
- Electronic Security Perimeter(s)
- Physical Security
- System Security Management
- Incident Reporting and Response Planning
- Disaster Recovery
- Change Management
- Vulnerability Assessment
Understanding NERC Compliance
The North American Electric Reliability Corporation (NERC) is responsible for implementing and overseeing compliance with its Critical Infrastructure Protection (CIP) standards. CIP specifies minimum security requirements for bulk power systems, requiring energy sector infrastructures to maintain ongoing testing for, and remediation of, security vulnerabilities.
NERC standards were developed to reduce risks to the reliability and security of the power grid.
Third Party Vendor Risk Management
Critical infrastructures like bulk power systems must be diligent about vendor risk and vendor risk management. Third-party vendors are regularly involved in the production or installation of SCADA systems that control major infrastructure operations, including utilities, so it is important to conduct a vendor risk assessment before hiring or relying on a third party.
Vendor risk can include weak password protections for an ICS architecture, or a vendor allowing its own databases to be compromised by attackers. Increasing use of digital technologies to connect critical infrastructure systems can introduce more risk into any supply chain. Critical infrastructures like bulk power grids should properly vet vendors by performing a vendor risk assessment before adopting any type of third-party service or technology.