North American Electric Reliability Corporation (NERC) Critical Infrastructure Program (CIP) Compliance and Risk Analysis
NERC CIP Cybersecurity Standard
North American Electric Reliability Corporation (NERC) Critical Infrastructure Program (CIP) was formed to advance the physical and cyber security of the critical electricity infrastructure of North America. In 2007, FERC designated NERC the ERO in accordance with Section 215 of the Federal Power Act, enacted by the Energy Policy Act of 2005. Upon FERC’s approval, NERC’s reliability standards became mandatory within the US. These mandatory reliability standards include CIP Standards 001 through 009, which address the security of cyber assets essential to the reliable operation of the electric grid.
To date, these standards (and those promulgated by the Nuclear Regulatory Commission) are the only mandatory cybersecurity standards in place across the critical infrastructures of the US. Subject to FERC oversight, NERC and its Regional Entity partners enforce these standards, developed with substantial input from industry and approved by FERC, to accomplish our mission to ensure the security and reliability of the electric grid.
NERC’s nine mandatory CIP standards address the following areas:
- CIP-001: Covers Sabotage Reporting.
- CIP-003: Requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets.
- CIP-004: Requires that personnel with access having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness.
- CIP-005: Requires the identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter.
- CIP-006: Addresses implementation of a physical security program for the protection of Critical Cyber Assets.
- CIP-007: Requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the other (non-critical) Cyber Assets within the Electronic Security Perimeter(s).
- CIP-008: Ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets.
- CIP-009: Ensures that recovery plan(s) are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices.
In December 2010, NERC approved an enhancement to its Critical Cyber Asset Identification standard (CIP-002 version 4) that establishes bright-line criteria for the identification of critical assets. This enhanced standard was filed with the Federal Energy Regulatory Commission (FERC) in February 2011, and FERC approved the standard on April 19, 2012. The implementation of the CIP standards under the bright-line approach is currently underway.
Praetorian Secure NERC CIP Services:
Praetorian Secure has significant experience in supporting the federal government and commercial organizations alike in the security and compliance arena. Our Managed Security Services, as well as many other unique offerings parallel the requirements of NERC CIP Standards and allow our clients to attain and maintain compliance, all while reducing the cost associated with some of our larger competitors.
Threat Assessment Vulnerability Assessment Penetration Testing Enterprise Security Enterprise Risk Management Security Engineering Managed Security Services
Our engineers are ready to support your organizational NERC CIP requirements and feel confident we can tailor an approach that is as effective at meeting compliance, as it is with meeting your budget. Please contact us today to setup a meeting to discuss your NERC CIP project.
Additional NERC CIP Resources: