NERC CIP compliance continues to grow in complexity, demanding significant time and energy from utilities. Cyber attacks on utilities and critical infrastructure have gained mainstream attention, prompting increased efforts from both government and industry authorities to enhance cybersecurity. For utilities, in particular, there is a heightened focus on securing the electric bulk system, maintaining resilience, and ensuring safe, reliable operations, overseen by FERC and NERC. Emerging NERC CIP requirements, such as internal network security monitoring, reflect these priorities. Evolving conversations around robust cybersecurity for the electrical grid now include new compliance and operational technology management considerations for low-impact assets and virtualization. These changes add layers of complexity and necessitate continuous adaptation and vigilance.
Implementing NERC CIP compliance can be complex and resource-intensive. To help guide you in efficiently and effectively meeting NERC CIP standards—whether you are experienced and trying to keep up with evolving standards or are new to compliance—we have created this NERC CIP guide. Industrial Defender has partnered closely with electric utilities and responsible entities since 2006. We hope reading through this guide will help you navigate the NERC CIP landscape and understand measures to protect the bulk power system.
NERC is Created
NERC Critical Infrastructure Protection (CIP) Standards Are Established
Evolution of the NERC CIP Standards
The NERC CIP Standards Today
The United States Federal Power Commission investigated and reported on the blackout and recommended:
"A council on power coordination made up of representatives from each of the nation’s Regional coordinating organizations to exchange and disseminate information on Regional coordinating practices to all of the Regional organizations, and to review, discuss, and assist in resolving matters affecting interregional coordination.”
⎯ Legislation proposed: Electric Power Reliability Act of 1967
Enter NERC (National Electrical Reliability Council), quietly formed on June 1st, 1968 as a voluntary organization by the electric utility industry to promote the reliability and adequacy of bulk power transmission in the electric utility systems of North America.
As the years went by, new regions and members were added, and in 1981 NERC changed its name to the North American Electric Reliability Corporation in recognization in Canada's participation. The organization analyzed and made recommendations to increase the overall reliability of the North American power grid. It also become very clear that utilities in many cases were operating as monopolies because they were not agreeing to a rate reduction for large industrial companies or allowing those customers to shop for better rates. The lack of flexibility within the electric utility monopoly created the drive for deregulation. NERC enters to help here, as well, regarding competition, fair pricing and how to work with independent power producers, marketers and brokers.
Who remembers Y2K? NERC was there to ensure that the grid was prepared and that there were no interruptions as NSYNC and Jessica Simpson rang us into the new Millennium. Right around this time, NERC stepped into the security arena and became the spearhead for issues related to national security and the power grid. To formalize these efforts, NERC became a founding member of the Partnership for Critical Infrastructure Security (PCIS). Deregulation is now running full steam, and California is lead into a power crisis due to a little company called Enron and their manipulation of the power market. Clearly this relationship is getting complicated.
Then in 2003, a butterfly flaps it wings in Ohio and creates one of the most widespread blackouts in history. People start asking questions. How can some foliage that affected transmission lines in Ohio impact power to the NYC subway system for 2 days? This blackout puts the NERC Urgent Action 1200 temporary standard on the map and fast tracks the development of NERC CIP (Critical Infrastructure Protection). Anyone who believes that NERC CIP was truly born from the need for cybersecurity was not a utility employee in the Northeast in August 2003. This is where the reliability vs. security dance really begins. Fast forward a few years to 2005, and the NERC CIP Version 3 is drafted and goes out for public review comments to over 61 separate entities. The standards are agreed to and published.
Utilities realize that to properly comply with these standards they need to make investments in time, training, processes and tools, none of which are planned or budgeted for, and rate hikes are not popular, so what happens? There is enough flexibility in the standard for utilities to do some interesting things. Entities were able to define their own risk-based methodologies. Weak contingency analyses are done. Infrastructure changes are made to minimize the footprint of the Electric Security Perimeter. Serial communications and non-routable protocols are frequently leveraged to take as many assets as possible out of scope. This also stunts the transition to IP connected devices and slows grid modernization. Data diodes become extremely popular as a method of limiting inbound communications and further reducing assets in scope.
The dance continues, and NERC CIP v5 is ratified in 2013. Modifications are created to remove some of the gray areas. It creates the concept of the BES (bulk electric system) and Cyber System Categorization. Bright-line criteria are published, and critical assets that do not have non-routable connectivity fall into scope. Utilities began budgeting and planning for the changes. Compliance and audits with the guidelines become more widespread. Even with this new clearer guidance utilities continue to employ strategies to keep as many assets as possible out of scope. Most commonly physically or logically breaking up High and Medium impact BES Cyber Systems to reduce their compliance requirements. Often this included large capital investments in new infrastructure purely to avoid having to comply with the new standards. Did this really make our nation’s infrastructure more secure?
2013 was also significant for another reason, but this time physical security was in the literal crosshairs with California in the spotlight once again. I’m talking about the sophisticated physical attack on a substation. A team of highly trained operatives cut the communications to the substation and systematically shot the cooling systems of several transformers with high powered rifles. The police arrived and were unable to enter the substation due to a locked gate. They surveyed the area to the best of their ability and ultimately left after finding nothing suspicious. All told, approximately $15M in damage was done to this utility’s equipment, and the substation was offline for approximately a month. Amazingly this attack did little to impact the stability of the grid as power was able to be re-routed from other parts of California. Now, I’m not one to normally don a tin foil hat, but something does not add up here. Like clockwork NERC introduces new standards (NERC CIP-014) around physical security to address the attack. I continue to maintain that these types of attacks are still the biggest threat vector to the grid, and it should not take another attack to decide we need more protections in place.
The standards continued to evolve, covering uncharted area like use of removable media, transient assets and supply chain. Again, more solid guidance, but the devil is in the implementation details.
As of today, NERC has 12 critical infrastructure protection requirements:
CIP-002-5.1a BES Cyber System Categorization — Identify and categorize BES cyber assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES cyber assets could have on the reliable operation of the BES.
CIP-003-8 Security Management Controls — Specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES cyber systems against compromise.
CIP-004-7 Personnel & Training — Minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES cyber systems by requiring an appropriate level of personnel risk assessment, training, and security awareness.
CIP-005-7 Electronic Security Perimeter(s) — Manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
CIP-006-6 Physical Security of BES Cyber Systems — Manage physical access to BES cyber systems by specifying a physical security plan in support of protecting BES cyber systems against compromise.
CIP-007-6 System Security Management — Manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES cyber systems against compromise.
CIP-008-6 Incident Reporting and Response Planning— Mitigate the risk to the reliable operation of the BES by specifying incident response requirements.
Remember that in 2021, following the SolarWinds attacks, NERC introduced new requirements within CIP-008-6 that mandate the reporting of "attempted" compromises (in addition to actual compromises) of their systems to national cybersecurity entities.
CIP-009-6 Recovery Plans for BES Cyber Systems— Recover reliability functions performed by BES cyber systems by specifying recovery plan requirements.
CIP-010-4 Configuration Change Management and Vulnerability Assessments — Prevent and detect unauthorized changes to BES cyber systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES cyber systems from compromise.
CIP-011-3 Information Protection— Prevent unauthorized access to BES cyber systems from compromise that would affect the stability of the BES.
CIP-013-2 Supply Chain Risk Management— Mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.
CIP-014-3 Physical Security — Identify and protect transmission stations and transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or cascading within an interconnection.
Updates are always emerging, and there a couple of new requirements coming out from Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) that we are urging organizations to promptly start addressing these changes if they haven't done so already.
CIP-015-01 Internal Network Security Monitoring (INSM), while not yet enforced, seems to be imminent, as it is filed and pending regulatory approval. The purpose is to improve the probability of detecting anomalous or unauthorized network activity in order to facilitate improved response and recovery from an attack.
This initiative was first introduced in January 2023. The directive mandates INSM for high-impact Bulk Electric System (BES) cyber systems, regardless of external routable connectivity, and medium-impact BES cyber systems that have such connectivity.
INSM, a targeted subset of network security monitoring, operates within a trusted zone like an Electronic Security Perimeter (ESP), delivering an extra protective layer when perimeter network defenses are breached. This addition is crucial, facilitating internal monitoring of communications and potential harmful activities. This development is part of a broader national drive to safeguard critical infrastructure, reflecting the initiatives of the National Cybersecurity Strategy, Transportation Security Administration (TSA), Environmental Protection Agency (EPA), and others.
Moreover, the approval of NERC CIP-003-9 in March signifies a significant shift in approach to managing supply chain risks associated with "low-impact" BES. This measure supersedes CIP-003-8, which was restricted to addressing high and medium-impact systems. Under the new rule, it is mandatory for organizations to incorporate vendor electronic remote access security controls into their cybersecurity policies. This change responds to risks such as the potential introduction of malicious code and unauthorized remote access by vendors' employees. It is important to highlight that many low-impact assets currently lack the same level of protection that their higher-impact counterparts enjoy. The risks escalate if multiple low-impact assets are compromised, or if access to higher-impact assets is obtained through these low-impact systems. As such, organizations are encouraged to address these issues promptly to enhance their overall security posture.
We continue to track developments around INSM requirements on this page here: https://www.industrialdefender.com/blog/ferc-and-nerc-strengthen-cip-standards
I can only draw parallels to the daily struggle of parenting and being a surrogate teacher for my kids during this pandemic. Things started fine. We had a plan; kids were on a schedule, get up, eat do your school and commitments and then you can have some free time. School work was being completed and after a few weeks I figured the kids were in a groove, so I started to relax my oversight to actually get some work done during the day. Without the constant oversight things quickly devolved. Sleeping in, poor hygiene, kids joining their afternoon virtual meeting with their teacher shirtless in 3 day old, stained pajama pants eating Lucky Charms.
So, father FERC I understand where you are coming from - time to rein the entities in a bit. But do it collaboratively or this dance will keep occurring between security professionals, utilities and you, and the regulatory bodies. Until all three come to the table to understand their strengths and weaknesses, risk and probability, and operational impact, NERC will keep pushing new CIP regulations. Utilities will keep adopting a compliance-based security methodology. And security practitioners will continue the hyperbolic conversations of what could happen next.
To learn more about the NERC CIP requirements, what each control seeks to achieve, and how to automate your compliance efforts, download our NERC CIP compliance guide. We also include bonus tips from cybersecurity experts who have real-world experience complying with NERC CIP regulations at North American utilities.
