Comply with NERC CIP to Safeguard Critical Energy Infrastructure
Cyberattacks on power grids can be devastating, not only causing widespread power outages but also creating economic disruption, safety issues, and turmoil as utilities work to restore service. The U.S. power grid is a complex web to protect, with 200,000 miles of transmission lines, 55,000 substations, and 5.5 million miles of distribution lines.
So far this year, more than two out of every three utility organizations across the globe have been hit by some type of ransomware attack. Within this group, nearly all (98%) say the attackers attempted to compromise their backups as well.
At the root of these attacks are:
- Exploited vulnerabilities (49%)
- Compromised credentials (27%)
- Malicious emails (14%)
- Phishing (7%)
- Downloads (2%)
- Brute force attacks (1%)
That’s why it’s critical to understand how to protect your mission-critical systems—and it starts with NERC CIP standards.
These standards evolve over time to align with the ever-changing threat landscapes that power transmission and distribution companies face. For example, CIP-015, Internal Network Security Monitoring, was added in 2023 to guide utilities in detecting anomalous or unauthorized network activity so they can identify and respond to an attack quickly. In June of this year, NERC filed with FERC for approval. Once approved, the clock begins on this standard.
What Is NERC CIP?
NERC CIP standards are a set of Critical Infrastructure Protection (CIP) standards developed by the North American Electric Reliability Corporation (NERC). These regulations are designed to protect the North American bulk electric system (BES) from cyberthreats that range from malware and ransomware to DDoS attacks.
The baseline set of cybersecurity measures it provides to the industry is meant to act as a framework to secure critical infrastructure and verify that the right security controls are in place to maintain resilient, safe, and reliable operations.
NERC was established in the late 1960s to develop the electric industry’s first set of reliability principles in response to the 1965 Northeast Blackout, which was caused by a faulty relay that left 30 million people in the dark for hours.
The NERC CIP standards as we know them today were first approved by the Federal Energy Regulatory Commission in 2008.
Who Is NERC CIP Designed For?
NERC CIP standards govern the mission-critical infrastructure for all stakeholders that impact BES reliability, including owners, operators, and users. These standards apply to electric utilities and power generation, transmission, and distribution companies.
What Does NERC CIP Cover?
NERC CIP provides prescriptive guidance across broad categories. The standard is broken up into different areas based on these categories. (Note: CIP-001 is retired and not part of active CIP standards.)
Asset Identification and Classification (NERC CIP-002)
This standard requires utilities to categorize their BES cyber systems based on how they impact grid reliability: high, medium, or low impact. It also maps out required security controls based on impact levels.
Policy and Governance (NERC CIP-003)
CIP-003 helps power transmission and distribution companies establish and oversee their cybersecurity and security management plans. It also outlines requirements for developing and maintaining security policies and procedures.
Personnel & Training (NERC CIP-004)
To minimize the possibility of BES compromise caused by in-house teams, which could lead to downtime or instability, this standard offers guidance about cybersecurity awareness and training. It also covers risk and access control management, such as removing personnel privileges when someone leaves a company.
Electronic Security Perimeter (NERC CIP-005)
CIP-005 provides requirements to help utilities control network access to mission-critical assets through electronic security perimeters or virtual barriers to monitor data flow. It also includes guidance for things like remote access.
Physical Security (NERC CIP-006)
Cybersecurity isn’t solely about network components—it involves physical security components, too. This CIP standard outlines steps to create physical security plans, including visitor control, surveillance, and physical intrusion detection systems.
System Security Management (NERC CIP-007)
To minimize the attack surface of BESs, this standard offers guidelines on how to manage, control, and limit access to network components like ports and services. It also provides guidance on security patch management and updates, as well as how to monitor for potential security events.
Incidence Reporting and Response Planning (NERC CIP-008)
When utilities experience a cyberattack, they need to be prepared to respond. CIP-008 offers guidelines on how to form and maintain a cybersecurity incident response plan, including how to report attempted and actual compromises—and who to report them to.
Recovery Plans (NERC CIP-009)
Fast recovery after a cybersecurity incident is vital. CIP-009 guides utilities on the planning and continuity of their operations to ensure the ability to recover critical assets after a disruption.
Change and Vulnerability Management (NERC CIP-010)
To maintain a secure environment, these CIP standards outline requirements for managing changes to cyber assets and addressing vulnerabilities. Users will find insights on how to manage configuration changes and conduct vulnerability assessments.
Protection of BES Cyber System Information (NERC CIP-011)
To help utilities protect information related to the BES, the CIP-011 requirements describe how to identify, classify, and handle sensitive BES information to keep it safeguarded.
Control Center Communications (NERC CIP-012)
To ensure reliable grid operations, control, and management, this standard maps out requirements for secure, reliable communications systems, such as encryption and authentication, to prevent cyberattacks and unauthorized access.
Supply Chain Risk Management (NERC CIP-013)
Added to NERC CIP standards in late 2020, CIP-013 implements security controls to manage supply chain risk, addressing the concerns that have become a priority over the past few years in the industry. It helps utilities assess and manage the risk associated with procuring and installing BES components from vendors by sharing guidance on how to ensure the security of hardware, software, and services used in utility operations.
Physical Security of Substations (NERC CIP-014)
This standard focuses on the prevention of threats to critical substations, which act as a link between power stations and users. It explains the requirements for conducting substation risk assessments, developing security plans to protect them from sabotage and unauthorized access, and reporting suspicious activity impacting substations.
Internal Network Security Monitoring (NERC CIP-015)
To strengthen the security of the grid, CIP-015 is the latest addition to NERC CIP standards. It explains how to monitor traffic within zones to detect malicious activity and potential unauthorized access so utilities can identify and respond to nefarious activity sooner.
How Often Is the Standard Updated?
Based on technology changes, trends, and emerging concerns and cyberthreats, NERC CIP standards change over time. For example, CIP-001, which focused on sabotage reporting, was retired. As recently as last year, updates have been made to requirements in response to the shifting industry landscape. CIP-015, which we mentioned earlier, is a good example.
Does My Company Have to Follow NERC CIP Requirements?
Because these standards are regulations, they are also requirements—which means they’re mandated by law. Electric utilities and power transmission and distribution companies must comply with these requirements.
Through off-site and on-site audits and spot checks, NERC tracks, assesses, investigates, evaluates, and enforces compliance through its Compliance Monitoring and Enforcement Program.
If your company does not comply, then there are potential consequences, including monetary fines, sanctions, and other actions.
Helping You Protect Power Infrastructure
Our industry experts have decades of experience in helping utilities prepare for the future while optimizing the operation and value of legacy equipment. Our digital automation consultants, solution consultants, and solution architects understand the complexities of the electric utility industry, have worked in the field, and know the challenges you face first-hand. If you have questions about how to best apply NERC CIP standards, then we’re here to help.
The experts at our Customer Innovation Centers work closely with you to assess your utility’s network strengths, deficiencies, and workflows. From there, we can help define practical cybersecurity goals, show you how to increase value and address operational KPIs, and create a blueprint that acts as your guide along the way.
As NERC CIP standards continue to change, we’ll keep you updated. Stay tuned for more educational content from us on the latest, including more information about CIP-015.
Learn more about Belden’s energy solutions.