NERC CIP Compliance: North American Electric Reliability Corporation Critical Infrastructure Protection Compliance

For electrical utilities keen on maintaining strong cyber security standards across their enterprise and substations, NERC Critical Infrastructure Protection (CIP) compliance means necessary cyber resilience. NERC Reliability Standards define the reliability requirements for planning and operating the North American bulk power system and are developed using a results-based approach that focuses on performance, risk management, and entity capabilities.
NERC's jurisdiction includes users, owners, and operators of the bulk power system, which serves more than 334 million people. NERC Standards CIP-001 through CIP-011 provide a Cyber Security Framework for the identification and protection of critical Cyber Assets to support reliable operation of the bulk electric system (BES). Listed below are the NERC CIP domains and their objectives for infrastructure protection. Compliance with each of the domains will strengthen the security posture.
1) CIP 001: Sabotage Reporting. The objective is to have an appropriate reporting structure in place. Disturbances or unusual occurrences, suspected or determined to be caused by sabotage, shall be reported to the appropriate systems, governmental agencies, and regulatory bodies.
2) CIP 002: BES Cyber System Categorization. To identify and categorize BES Cyber Systems and their associated assets for cyber security requirements. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to inappropriate operation or instability in the BES.
3) CIP 003: Security Management Controls. To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to inappropriate operation or instability in the BES.
4) CIP 004: Personnel and Training. To minimize the risk of compromise that could lead to inappropriate operation or instability in the BES from individuals accessing BES Cyber Systems. The provisions require an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.
5) CIP 005: Electronic Security Perimeter. The mandate is to identify and protect the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter.
6) CIP 006: Physical Security of BES Cyber Systems. To manage physical access to BES Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to inappropriate operation or instability in the BES.
7) CIP 007: Systems Security Management. To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to inappropriate operation or instability in the BES.
8) CIP 008: Incident Reporting and Response Planning. The provisions of Standard CIP-008 imply the identification, classification, response, and reporting of cyber security incidents related to critical cyber assets.
9) CIP 009: Recovery Plans for BES Cyber Systems. Standard CIP-009 mandates that recovery plan(s) are put in place for critical cyber assets. These plans should follow established business continuity and disaster recovery techniques and practices.
10) CIP 010: Configuration Change Management and Vulnerability Assessments. To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to inappropriate operation or instability in the BES.
11) CIP 011: Information Protection. The recommendations are to prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to inappropriate operation or instability in the BES.

Comments

For the last 7 to 10 years, state-sponsored hackers have been working to penetrate critical infrastructure with two primary goals in mind:
1. Steal intellectual property.
2. Insert trojans and other malware to enable disruption as a prelude to cyberwarfare.
As indicated in NERC 2) above in this article, knowing what is in your systems is of paramount importance. Assume nothing is as it should be, or belongs where it is. Engage your knowledge workers to look at everything and bless its bona fides. A big project, but one perhaps we cannot afford to ignore or defer.

How does NERC CIP impact offshorability of IT services?

The compliance is expected to be mandatory soon. The compliance will have a positive impact on the offshorability of IT services. The clients will look forward to a couple of references to offshore part of IT services.
