Getting to know the NERC CIP standards


Ernie Hayden, CISSP, CEH, Contributor
09.25.2009


There's been a lot of buzz in the news lately about the new security regulations that electric utilities need to meet. In this tip, we'll cover how security solution providers can help utilities become compliant.

What is NERC? What is FERC?

These rules have been mandated by the Federal Energy Regulatory Commission (FERC) -- a federal organization overseeing interstate transportation and marketing of energy. In turn, these requirements are being written and enforced by the North American Electric Reliability Corporation (NERC) and associated regional coordinating councils, with substantial input from the utilities themselves. NERC is headquartered in Princeton, N.J., and is an international, independent, self-regulatory, not-for-profit organization whose mission is to ensure the reliability of the bulk power system in North America.

The nine rules being imposed are called the NERC Critical Infrastructure Protection (CIP) standards and are often referred to as NERC CIP-001 to CIP-009. The standards constitute about 47 requirements and approximately 100 sub-requirements.

The standards are organized by topic as follows:

  • CIP-001 – Sabotage reporting
  • CIP-002 – Critical cyber asset identification
  • CIP-003 – Security management controls
  • CIP-004 – Personnel and training
  • CIP-005 – Electronic security perimeters
  • CIP-006 – Physical security of critical cyber assets
  • CIP-007 – Systems security management
  • CIP-008 – Incident reporting and response planning
  • CIP-009 – Recovery plans for critical cyber assets

The overriding goal of CIP-002 through CIP-009 (CIP-001 generally isn't tied to cybersecurity) is to ensure the bulk electric system is protected from unwanted and destructive effects caused by cyberterrorism and other cyberattacks, including attacks from within the utility (i.e., insider threats). Essentially, FERC -- through NERC -- wants assurance that the main electric grid in North America will not fail due to cyber-related vulnerabilities and subsequent attacks.

The bulk electric system includes electrical generation resources, transmission lines, interconnections with neighboring electric grids, and associated equipment, generally operated at voltages of 100,000 volts or higher. Large transmission towers and the huge substations on the transmission grid are part of the bulk electric system. However, the distribution power lines and equipment -- operating at a much lower voltage in neighborhoods -- are not included in the NERC CIP standards.

To ensure that utilities and affected electric energy companies are focused on the right systems, the NERC CIP standards offer a sequenced approach to identifying critical cyber assets. But companies must first understand what their "critical" assets are. These are facilities, systems and equipment which, if destroyed, degraded or otherwise rendered unavailable, would affect the reliability or operability of the bulk electric system. These assets normally include system control centers, large generation facilities and critical substations, to name a few.

Companies then must closely examine these critical assets and identify the cyber aspects that could directly affect the more general critical assets in the event of a hack or failure. Such an event could result in a negative impact to the critical asset, and eventually cascade to the bulk electric system.

This represents an opportunity for solution providers, as some utilities may need assistance with creating this asset inventory and identifying the "critical assets."

NERC CIP standard opportunities for solution providers

The standards themselves are primarily focused on programs and processes and not so much on implementing specific technologies. Interestingly enough, most Supervisory Control and Data Acquisition (SCADA) systems are on the "edge" of inclusion in the NERC CIP standards because they tend to operate in layer 2 of the OSI model, whereas the primary focus of the NERC CIP standards is on those systems that are TCP/IP or layer 3-based.

Many utilities will need assistance with system penetration and vulnerability testing of the critical cyber assets, as well as cyber systems used to provide physical protection of critical cyber assets. In these cases, a utility may be interested in assistance from a trained and experienced solution provider to provide the vulnerability testing and detailed reports for audits.

The NERC CIP standards needed to be implemented by June 30, 2009 for substations, system control centers and other affected systems except for electricity generation assets. The generation assets must be compliant by Dec. 31, 2009. In addition to these deadlines, the NERC regional entities are now performing spot checks (essentially a limited audit) at utilities with a narrow focus on the first 13 standards that needed to be fulfilled in 2008 for system control centers.

Right now, most utilities are moving at break-neck speed to ensure they are compliant with NERC CIP standards. Their primary motivation is that NERC may impose -- and has imposed -- fines on utilities for non-compliance with the NERC CIP standards.

The primary way solution providers can help the utilities is by assisting them in implementing what I call "holistic, pragmatic security," and that can include a number of things. Some need help writing policies, standards and procedures that meet the NERC CIP standards. Other utilities need help establishing Electronic Security Perimeters (from CIP-005) with firewalls and other perimeter technologies. Still other utilities need help with personnel training and personnel background checks as well as strong, well-organized physical and logical access control systems (CIP-004, CIP-006 and CIP-007).

Overall, this is just the beginning for the electric energy sector. NERC continues to provide reports on its audit findings and deliver analyses of electric grid events to FERC. Version 3 of the NERC CIP standards is currently under development, and will focus on inclusion of the level-2 SCADA protocols, encryption of communications, forensics following a cyber incident and closer alignment with the National Institute of Science and Technology (NIST) standards for cyber security. These future areas of inclusion for the CIP standards may be an area where security solution providers can assist utilities in their compliance activities going forward, as they can help lead utilities in developing information and infrastructure security programs that more closely resemble some programs in place in other industries. Regardless, revised standards are already expected in 2010 or 2011.

What's next? Hold on to your hat!

About the author
Ernie Hayden is the former CISO for the Port of Seattle, Group Health Cooperative and, most recently, Seattle City Light, where he coordinated the efforts regarding NERC Critical Infrastructure Protection compliance. Ernie holds the CISSP and Certified Ethical Hacker certifications and lives in the Seattle area.
