Why NERC CIP is Important to Our National Cybersecurity Strategy
What Is NERC CIP?
The NERC Critical Infrastructure Protection (CIP) standards are a set of mandatory reliability standards developed by the North American Electric Reliability Corporation (NERC) to protect the cyber and physical security of the bulk electric system in North America. They matter to the national cybersecurity strategy because they establish an enforceable framework for protecting one of the country’s most critical infrastructures.
The electric power grid is a vital component of the nation’s infrastructure, providing the energy needed to power homes, businesses, hospitals, and other essential services. It is a complex system that involves the generation, transmission, and distribution of electricity, and any disruption or attack on this system could have serious consequences.
The first version of the NERC CIP standards (CIP-002 through CIP-009) was approved by the Federal Energy Regulatory Commission (FERC) and became mandatory and enforceable in 2008, in response to the growing threat of cyber attacks on the electric power grid. The standards require utilities and the other registered entities responsible for operating the grid to establish a cybersecurity program that can identify the systems that need protection and defend them against cyber threats.
What Does NERC CIP Cover?
The NERC CIP standards cover a wide range of areas, including identification and categorization of BES Cyber Systems (CIP-002), personnel training and access management (CIP-004), electronic security perimeters (CIP-005), physical security (CIP-006), system security management such as patching and logging (CIP-007), incident reporting and response (CIP-008), recovery plans (CIP-009), configuration change management and vulnerability assessments (CIP-010), information protection (CIP-011), and supply chain risk management (CIP-013). These requirements are designed to ensure that organizations responsible for managing the bulk electric system are taking the necessary steps to protect their systems from cyber threats.
One of the most significant benefits of the NERC CIP standards is that they establish a consistent and uniform approach to cybersecurity across the electric power grid. By requiring all registered entities to comply with a common set of standards, NERC CIP helps to safeguard the bulk electric system from potential cyber threats.
In addition, the NERC CIP standards are regularly updated to reflect the changing threat landscape. As new cyber threats emerge, the NERC CIP standards are updated to provide organizations with the latest guidance on how to protect their systems.
Another important aspect of the NERC CIP standards is that they are enforceable. Registered entities are audited by their Regional Entity to validate that they are complying with the standards, and violations can result in mitigation obligations and financial penalties. This ensures that organizations take the necessary steps to protect their systems and that there are consequences for failing to do so.
Complying with the NERC CIP Reliability Standards requires electric utilities to adopt precise procedures and to be able to prove, with evidence, that those procedures are actually followed. Preparing for an audit therefore means compiling the right artifacts, not just writing the right documents. Here are some practices that help registered entities prepare:
- Develop and maintain robust policies and procedures: Develop a comprehensive set of policies and procedures that meet the NERC CIP requirements, and ensure that they are kept up to date with any changes in the regulations. Make sure your policies and procedures are easily accessible to your team and that they are trained on them.
- Conduct regular internal assessments: Conduct regular internal assessments to identify gaps in your compliance program and to address any issues before they become findings. Ensure that your assessments cover all relevant areas of your compliance program, including physical security, cybersecurity, and training.
- Conduct regular training and awareness programs: Train your employees on the NERC CIP requirements, and conduct regular awareness programs to keep them up to date with any changes in the regulations. Ensure that your employees are aware of the importance of compliance and understand the consequences of non-compliance.
- Conduct regular testing and monitoring: Test your compliance program regularly to confirm that controls such as electronic security perimeters and access restrictions are working as documented, and identify any gaps before an auditor does. Monitor your systems and networks for unusual activity, and respond quickly to any potential threats or incidents.
- Document everything: Document all your compliance activities, including policies, procedures, training, assessments, and testing. Keep accurate records and ensure that they are easily accessible in case of an audit.
Overall, the NERC CIP standards are essential to the national cybersecurity strategy because they provide a framework for protecting one of the country’s most critical infrastructures. By establishing a consistent and uniform approach to cybersecurity across the electric power grid and regularly updating the guidelines to reflect the changing threat landscape, the NERC CIP standards help to ensure that the electric power grid remains secure and reliable.
Cybersecurity regulations such as NERC CIP also serve as a catalyst for change and innovation. We are observing today that other critical infrastructure sectors are considering adopting and establishing regulatory guidelines of their own. The sooner similar standards are adopted across other sectors, the safer we all can sleep.
Robin Berthier is Co-Founder and CEO of Network Perception, a startup dedicated to designing and developing highly-usable network audit solutions. Berthier has over 15 years of experience in the design and development of network security technologies. He received his PhD in the field of cybersecurity from the University of Maryland College Park and served the Information Trust Institute (ITI) at the University of Illinois at Urbana-Champaign as a Research Scientist.