The Critical Infrastructure Protection (CIP) Standards are a set of mandatory requirements for owners and operators of electric utilities to protect bulk electric systems from physical and cyber threats. The standards were developed by the North American Electric Reliability Corporation (NERC), an international regulatory authority.
The goal of the CIP Standards is to ensure that electric utilities have the necessary physical and cyber security measures in place to protect critical infrastructure from threats. By developing NERC Compliance programs and implementing these standards, utilities can help to ensure the continuity of power supplies and the protection of public safety.
The NERC CIP standards include requirements for the identification, protection, and security of critical infrastructure assets. They also establish procedures for responding to and recovering from incidents. To comply with the NERC CIP standards, entities must develop and implement a comprehensive security program that meets the requirements of the relevant standard.
At the time of publishing, twelve NERC CIP standards are subject to enforcement. Standards include, but aren’t limited to:
The Basic Energy Sciences (BES) Cyber System Categorization is a tool used to identify and assess the cybersecurity risks associated with BES systems and facilities. The categorization process begins with an evaluation of the system’s purpose, design, and operation. This information is used to identify the system’s Critical Mission Functions (CMF), which are those functions that must be performed for the system to achieve its mission.
Once the CMFs have been identified, the next step is to determine the cybersecurity risks posed by each CMF. These risks are then used to generate a Cyber Risk Score for the system.
The Cyber Risk Score is a numeric representation of the overall risk posed by the system, and it is used to help prioritize security efforts. By using the BES Cyber System Categorization, utilities can ensure their security efforts are focused on those systems that pose the greatest risk.
Security management controls are critical for utilities to protect critical infrastructure, stymie theft and pilferage, and maintain continuity of operations. Depending on the size and scope of a utility, security management controls vary.
At a minimum, all utilities should have comprehensive policies and procedures in place that encompass:
These policies and procedures should be reviewed and updated regularly in order to ensure effectiveness and address the ever-changing landscape of security threats.
In addition to comprehensive policies and procedures, utilities should also consider implementing various physical security measures such as CCTV cameras, alarms, access control systems, fencing, bollards, or other security devices. By taking a proactive approach to security management controls, utilities can help keep their employees safe, their facilities secure, and their operations running smoothly.
One of the key components of the CIP standards is personnel and training. To ensure that utility employees can effectively protect critical infrastructure, they must receive comprehensive training on cybersecurity threats and best practices for prevention and response.
Furthermore, personnel responsible for cybersecurity should be adequately staffed and have the necessary resources to carry out their duties effectively. By adhering to these standards, utilities can help to ensure that their systems are better protected against the ever-evolving threat of cyberattacks.
Another key aspect of the NERC CIP standards is incident reporting and response planning. Incidents that affect the bulk-power system can have significant impacts on critical infrastructure and economic activity, so they need to be reported in a timely and effective manner.
The CIP Standards establish processes and procedures for reporting incidents, as well as for responding to them. This includes specifying who needs to be notified in the event of an incident, what information needs to be collected, and how responses should be coordinated.
The CIP Standards address both physical and cyber security threats, and they include requirements for supply chain risk management. This means that electric utilities must implement processes and procedures to identify and assess risks associated with the procurement of goods and services. In addition, utilities must have controls in place to mitigate these risks.
There are many benefits to being NERC CIP compliant. First, compliance demonstrates a commitment to protecting critical infrastructure and maintaining the reliability of the electric grid. Second, it helps to ensure that entities are prepared to respond to and recover from potential security incidents. Third, compliance can help to improve an entity’s overall cyber security posture. Finally, being NERC CIP compliant can provide peace of mind knowing that important safeguards are in place to protect critical infrastructure.
Other benefits of being NERC CIP compliant include:
Facilities that are not in compliance with these standards are at risk of being subject to fines, damages, and other penalties. In some cases, non-compliant facilities may even be required to shut down operations. The consequences of non-compliance can have a significant impact on both the facility and the surrounding community.
In addition to financial penalties, non-compliant facilities may also be subject to increased scrutiny from government regulators. This can result in a loss of public trust and confidence in the facility. In severe cases, non-compliance with the NERC CIP standards can result in blackouts or other disruptions to the electric grid.
NERC CIP compliance is a complex and ongoing process. Entities must continually assess their security posture and make changes as necessary to maintain compliance. ScottMadden has supported transmission, generation, and IT groups with building, deploying, educating, monitoring, and validating their NERC compliance programs for more than 35 years. We can help you address the challenges of NERC compliance.
To learn more, visit our NERC Compliance Consulting Services page, or contact us to start the conversation.