The NERC CIP standards are the mandatory security standards that apply to entities that own or manage facilities that are part of the U.S. and Canadian electric power grid.
They were initially approved by the Federal Energy Regulatory Commission (FERC) in 2008. Their wide-ranging requirements drive a significant amount of investment by the regulated utilities and have helped create a foundation of cybersecurity awareness among the electric utility sector in North America. But it is their foundation as a model for an emerging set of operating technology cybersecurity regulations around the world that should make studying them required reading for industrial operators worldwide.
Who is NERC and why do they get to set standards?
NERC is the North American Electric Reliability Corporation. It was founded in the late 1960s as the National Electric Reliability Council in response to the northeastern U.S. blackouts of the early and mid-’60s, as the need for utility cooperation became more apparent. The organization was quickly renamed to encompass “North America” as the integrated nature of the joint U.S./Canadian power grid made the need for cross-border cooperation clear.
NERC is a nonprofit body created and funded by the utilities themselves. It is subject to the Federal Energy Regulatory Commission (FERC), the United States government’s regulatory entity for energy. NERC was originally created to focus on the stability and reliability of the grid after a significant blackout on the East Coast of North America during the 1960s.
Over time, NERC worked with utility experts to create voluntary standards for operations for the industry, and those standards were highly influential in the establishment of stability within the North American power grid throughout the 1980s and 1990s.
As the need for protection of the national infrastructure, in general, became more apparent in the late 1990s, triggering a Presidential Decision Directive from President Bill Clinton in 1996, NERC shifted to focus on issues of cybersecurity, along with some consideration of physical security for issues that could have an impact on interstate commerce.
Discussions about creating a set of cybersecurity standards for the industry began as the catalyzing events of Sept. 11, 2001, provided an increased sense of urgency to the effort. Timelines were compressed by several years from what participants at the time had expected, and NERC issued an Urgent Action Standard in 2003, which served as the predecessor of the current CIP standards.
In conjunction with that timeline, a significant outage in the northeastern U.S., Ontario and Quebec in 2003 led to calls and eventually action to strengthen the responsibilities of asset owners and operators to follow the NERC standards. Under the Energy Policy Act of 2005, NERC was designated as the official Electric Reliability Operator (ERO) for the U.S. power grid, to be managed with some restrictions by FERC, and NERC standards were given mandatory status, with the ability for NERC to issue fines with FERC approval. While most fines are in the low five-figure range, fines of more than a million dollars have been issued for systemic series of violations.
NERC standards are created by drafting teams composed of industry experts, often based upon general directives issued by FERC staff, and are subjected to multiple rounds of review and comment before being voted on and, usually, approved by the NERC membership, the NERC Board of Trustees and the FERC commissioners.
NERC standards belong to family groups, which are reflected in their names. For example, the BAL standards cover required activity by what is called Balancing Authorities, who balance the power generation needs within a region, and the MOD standards cover required modeling activity by transmission and generation operators. The CIP standards are named for the effort for Critical Infrastructure Protection, a general term that arose in the aftermath of the original Clinton directive.
What subjects are covered by the NERC CIP standards?
The first version of the NERC CIP standards was released in 2006 and approved by the Federal Energy Regulatory Commission in 2008. That core body of standards went through what are generally considered to be five versions before revision numbering was abandoned for the body as a whole in favor of tracking versions of individual standards. Versions three and five represented significant steps forward for the industry as a whole. With the change to per-standard revision monitoring, incremental changes such as the addition of a supply chain security standard and consideration for better support for virtualization have been possible.
The NERC standards encompass the same breadth of topics, generally, as other cybersecurity frameworks such as the NIST CSF or CIS Top 20 Controls, but they are more prescriptive than those frameworks and are enforceable on those entities that are subject to them, including the application of potentially large fines in cases of noncompliance.
Although all of these standards are important and can result in fines if not met, there are a few that warrant further detail and understanding.
CIP-002: Asset identification and classification
To identify and categorize BES Cyber Systems and their associated BES Cyber Assets for the application of cybersecurity requirements commensurate with the adverse impact that loss, compromise or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES.
To understand this requirement, two definitions are important:
BES: Bulk Electric System. The Bulk Electric System means the electrical generation resources, transmission lines, interconnections with neighboring systems and associated equipment, generally operated at voltages of 100 kV or higher.
BES Cyber System: A BES Cyber System was new in version five. The intent was to group “Cyber Assets” so that a responsible entity (i.e., utility) could consider how it would protect a system rather than each individual asset. For instance, the NERC documentation provides the example of anti-malware, which might be applied to a system as a whole, but not to each individual asset within that system.
“It becomes possible to apply requirements dealing with recovery and malware protection to a grouping rather than individual Cyber Assets, and it becomes clearer in the requirement that malware protection applies to the system as a whole and may not be necessary for every individual device to comply.”
The standard requires the entity to classify these systems and assets as having high, medium or low potential impact on the power grid (the BES). NERC provides prescriptive criteria for each level: control centers are high impact, large transmission and generation facilities are medium impact, and other control centers and backups, along with generation, transmission or distribution protection assets, are low impact.
The importance of defining these assets is that the levels of control or security maturity required for high- and medium-impact assets are much greater than those for low-impact assets. Therefore, comprehensively identifying all of an entity’s assets and then carefully categorizing them is a key component of successful compliance.
CIP-005: Network security – Electronic security perimeters
To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
CIP-005 focuses on controlling network access to those critical assets described in CIP-002. This is a particular issue today in a world of growing connectivity of industrial control systems. As the industry drives to ever greater analytics and remote connectivity, the risks to the electric system increase dramatically. CIP-005 is intended to try to reduce some of these risks. Monitoring and maintaining segmentation and access control over networking, especially vendor and other third-party remote access, is the focus of this requirement.
CIP-007: System security controls
To manage system security by specifying select technical, operational and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
Of all the CIP standards, this may be the most controversial, not because the importance of system security controls is in doubt, but because of the prescriptive nature of the standard. Several of the CIP standards are “procedural” in nature, in that the entity needs to establish a process and then maintain that process. Others, such as CIP-007, are more “prescriptive” in nature, requiring the entity to take specific actions, regardless of outcomes, to meet the standard satisfactorily.
The particular control that comes under greatest scrutiny is that related to patch management (CIP-007-6 R2):
2.1: A patch management process for tracking, evaluating and installing cybersecurity patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cybersecurity patches for applicable Cyber Assets that are updateable and for which a patching source exists.
2.2: At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1.
2.3: For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions:
- Apply the applicable patches; or
- Create a dated mitigation plan; or
- Revise an existing mitigation plan.
Mitigation plans shall include the Responsible Entity’s planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.
The prescriptive patch management requirements create significant debate among NERC CIP managers, auditors and commentators. Regardless of one’s view of the efficiency-versus-effectiveness trade-offs of the requirements, the reality is that they require a significant, ongoing investment of effort by the responsible entity to maintain its patch status.
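The two 35-day clocks in R2 are easy to lose track of across hundreds of Cyber Assets, so here is an added example (not code from the standard or from any utility) of a small Python tracker that computes the Part 2.2 evaluation deadline and classifies each tracked patch against Part 2.3. The patch identifiers, dates and the `Patch` record layout are constructed for illustration, and the code assumes that day 35 itself still counts as "within 35 calendar days".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# CIP-007-6 R2 windows as quoted above; both are counted in calendar days.
EVAL_CADENCE_DAYS = 35    # Part 2.2: evaluate newly released patches at least every 35 days
ACTION_WINDOW_DAYS = 35   # Part 2.3: apply or plan within 35 days of evaluation completion

@dataclass
class Patch:
    patch_id: str                             # constructed identifier, not a real advisory
    evaluated_on: date                        # date the Part 2.2 applicability evaluation finished
    applicable: bool
    applied_on: Optional[date] = None
    plan_dated: Optional[date] = None         # date a mitigation plan was created or revised
    plan_complete_by: Optional[date] = None   # timeframe the mitigation plan commits to

def evaluation_due(last_evaluation: date) -> date:
    """Latest date on which the next Part 2.2 evaluation may be completed."""
    return last_evaluation + timedelta(days=EVAL_CADENCE_DAYS)

def action_due(evaluated_on: date) -> date:
    """Part 2.3 deadline; day 35 is assumed to count as 'within' (confirm your auditor's reading)."""
    return evaluated_on + timedelta(days=ACTION_WINDOW_DAYS)

def patch_status(p: Patch, today: date) -> str:
    """Classify one tracked patch against Part 2.3 as of `today`."""
    if not p.applicable:
        return "not-applicable"
    deadline = action_due(p.evaluated_on)
    if p.applied_on is not None and p.applied_on <= deadline:
        return "compliant"
    if p.plan_dated is not None and p.plan_dated <= deadline:
        # A dated mitigation plan satisfies 2.3, but the timeframe it commits to must then be met.
        if p.applied_on is None and p.plan_complete_by is not None and today > p.plan_complete_by:
            return "mitigation-overdue"
        return "compliant"
    return "overdue" if today > deadline else "pending"

def r2_findings(last_evaluation: date, patches: List[Patch], today: date) -> Dict[str, object]:
    """Summarise an entity's R2 position on a given date: evaluation cadence plus per-patch status."""
    findings: Dict[str, object] = {
        "next_evaluation_due": evaluation_due(last_evaluation),
        "evaluation_overdue": today > evaluation_due(last_evaluation),
    }
    for p in patches:
        findings.setdefault(patch_status(p, today), []).append(p.patch_id)
    return findings

# Constructed sample register for a stand-alone run.
SAMPLE = [Patch("P-A", date(2021, 3, 1), True, applied_on=date(2021, 3, 20)),
          Patch("P-B", date(2021, 3, 1), True),
          Patch("P-C", date(2021, 3, 20), True, plan_dated=date(2021, 4, 1),
                plan_complete_by=date(2021, 6, 1))]
```

Running `r2_findings(date(2021, 3, 20), SAMPLE, date(2021, 4, 10))` reports P-A and P-C as compliant and P-B as overdue, which is exactly the kind of dated evidence an auditor will ask for.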
CIP-010: Change and vulnerability management
To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
CIP-010 focuses on ensuring that the system, established initially to be secure, maintains that security over time. This applies to both configurations that may drift over time due to adjustments to ports, services, rules settings, etc. as well as to new vulnerabilities identified in software.
This standard creates many challenges for utilities, and two of the greatest are change management and vulnerability assessment. The change-management challenge is aligning the human processes for documenting and approving changes with the technical reality of those changes on the systems themselves. Entities need to map their approval processes to the actual results on the system and be able to monitor and keep records of those changes in order to demonstrate compliance to auditors.
Vulnerability assessments are also challenging due to the sensitive nature of the cyber assets themselves within industrial control systems. Traditional IT vulnerability scanning tools can cause damage to sensitive ICS devices. Therefore, entities need to define an ICS-safe approach to capturing these new vulnerabilities. Unfortunately, the growth in new ICS vulnerabilities is accelerating, with an increase of almost 50% in 2020 and similar rates in 2021.
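The mapping of approval records to what actually changed on a device is the core of CIP-010 change management, and the following added Python example (not code from NERC or from any utility) shows the minimal check: diff an observed port/service state against the recorded baseline, then split each deviation into authorized (matched by a change ticket for that device) or unauthorized. The device name, ticket ids and the `Baseline`/`ApprovedChange` record layouts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Baseline:
    """CIP-010 style baseline for one device: listening ports and enabled services."""
    device: str                 # constructed device name
    ports: FrozenSet[int]
    services: FrozenSet[str]

@dataclass(frozen=True)
class ApprovedChange:
    """A change-management record authorising exactly one deviation from the baseline."""
    ticket: str                 # constructed ticket id
    device: str
    kind: str                   # "port" or "service"
    value: object               # port number or service name
    action: str                 # "add" or "remove"

def diff_baseline(expected: Baseline, observed: Baseline) -> List[Tuple[str, object, str]]:
    """List every (kind, value, action) by which the observed state departs from the baseline."""
    deviations: List[Tuple[str, object, str]] = []
    for kind, exp, obs in (("port", expected.ports, observed.ports),
                           ("service", expected.services, observed.services)):
        deviations += [(kind, v, "add") for v in sorted(obs - exp)]
        deviations += [(kind, v, "remove") for v in sorted(exp - obs)]
    return deviations

def classify(expected: Baseline, observed: Baseline,
             approvals: List[ApprovedChange]) -> Dict[str, list]:
    """Split deviations into those matching an approval record and those that do not."""
    approved = {(a.device, a.kind, a.value, a.action): a.ticket for a in approvals}
    result: Dict[str, list] = {"authorized": [], "unauthorized": []}
    for kind, value, action in diff_baseline(expected, observed):
        # The approval must name this device, this item and this direction of change.
        ticket = approved.get((observed.device, kind, value, action))
        if ticket is not None:
            result["authorized"].append((kind, value, action, ticket))
        else:
            result["unauthorized"].append((kind, value, action))
    return result

# Constructed sample: an approved port opening, an unapproved telnet service, an unapproved port removal.
EXPECTED = Baseline("rtu-01", frozenset({22, 102, 502}), frozenset({"iec61850", "sshd"}))
OBSERVED = Baseline("rtu-01", frozenset({102, 502, 8080}), frozenset({"iec61850", "sshd", "telnetd"}))
APPROVALS = [ApprovedChange("CHG-0001", "rtu-01", "port", 8080, "add")]
```

Anything landing in the "unauthorized" list is both a potential security event and a CIP-010 finding, so the output is what should feed the change-record archive described later in the article.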
CIP-013: Supply chain security
To mitigate cybersecurity risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.
CIP-013 has become one of the “hottest” topics in NERC CIP since the public announcement of the SolarWinds attack. Presidential orders, Congressional committees, software industry mandates and more have all resulted from this attack, which made software supply chain risk a front-page story. CIP-013 was already in progress and working through committees, but its relevance and focus have accelerated since SolarWinds. Eventual compliance with CIP-013 will likely require detailed Software Bills of Materials for all new components deployed into the BES and will likely, over time, have a significant impact on software development practices.
We would expect the requirements of this part of the standard to grow over time as more is learned about how to implement these supply chain risk management processes.
Because CIP compliance is mandatory and is largely driven by self-reporting or through the audit cycle, a successful CIP compliance program will include a constant drive to produce and maintain evidence of compliance. Each procedure should produce evidence of its successful performance; that evidence should be sampled and reviewed periodically for completeness and correctness; and that evidence should be archived in an easily retrievable manner so that compliance can be demonstrated quickly when needed.
Producing this evidence-based structure requires an integrated approach combining dedicated compliance personnel who design and gather evidence with input and cooperation from operations personnel who produce and supply the evidence. In large utilities, this structure is typically replicated across each business unit or functional organization.
Why should you care about NERC CIP standards?
If you are a North American electric utility, you care because the NERC CIP standards require significant investment – and risk of fines. While most fines are in the low five-figure range, fines of more than a million dollars have been issued for systemic series of violations. But the true negative impact of a poor audit finding is more than the fine. Self-reported violations or negative audit findings create management challenges with boards, shareholders, regulators and other stakeholders.
Beyond the power utilities, which are the specific focus of NERC CIP standards, however, industrial organizations across North America and the world need to begin to understand these standards and prepare for similar requirements in their industries. Although this may strike the NERC CIP critics as problematic, the reality is that the emerging operational technology (OT) cybersecurity regulations around the world lean more toward “prescriptive” than they have historically. While they may end up as “NERC CIP-LITE”, they will likely be more prescriptive in nature.
Recent examples include the TSA pipeline cybersecurity standards. According to the redacted version available online, the security requirements include:
- Implementing network segmentation, with a series of specific requirements for how that segmentation should be structured; for instance, prohibiting OT protocols from traversing IT systems unless through an encrypted point-to-point tunnel
- Running antivirus scans across IT and OT on a weekly basis
- Implementing patches (or documenting the reason why they have not been implemented) within a specific timeframe, similar to the debated CIP-007 requirement mentioned above
- And many others
Other examples are in Chile, where CEN (the government’s national electricity coordinator) has adopted the NERC CIP standards, and in Middle Eastern countries, where regulators such as the DESC in Dubai have adopted more prescriptive OT cybersecurity requirements.
The future of OT cybersecurity regulation is clear – more prescriptive requirements and more auditing by regulatory bodies.
This will require a significant shift in mindsets, investments and efforts among industrial organizations around the world. It took the North American electric power sector eight years from the first approval of NERC standards to robust audits under the version five standard …and another five years to today. Because the risks are even greater, we would expect these new regulatory standards to be adopted with even greater urgency than NERC CIP was. This will mean less time to prepare and evolve than was the case in North America.
The good news is that after almost 15 years of trial and error, there are great learnings from the North American power industry of how to increase cybersecurity and address these growing regulatory prescriptions. They and industry partners have developed new technologies and processes. But one of the key learnings is this takes time. The earlier an organization begins its cybersecurity journey, the less painful the eventual regulatory burden is.
Cybersecurity is often described as defense in depth. Whether or not that phrase perfectly summarizes modern threats, there is no question that success requires foundational elements, and those foundational elements take time. An organization cannot simply jump to maturity level “5.” The earlier it begins to chart its path, using NERC CIP and other frameworks as guideposts, the more feasible achieving future regulatory compliance will be.