Modern life depends on the electricity that powers our homes, vital industrial infrastructure, and the global economy itself. That electricity comes from an extensive network of generation plants and high-voltage transmission facilities known as the Bulk Electric System (BES). The continual operation of the BES is, of course, necessary for life as we know it.
To keep the BES reliable and operable in the face of disruptive cyberattacks, the North American Electric Reliability Corporation (NERC) maintains a set of mandatory standards, approved and made enforceable by the Federal Energy Regulatory Commission (FERC). Remaining in compliance with these standards is critical, but it is also an extensive and sometimes complex task.
What is NERC CIP?
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are the central, mandatory set of requirements developed to protect the BES and keep it ready for cyberattacks. Put more simply, they are the rules that BES owners and operators (registered entities) must follow and maintain to achieve compliance, with financial penalties for violations.
In May 2021, Executive Order 14028, Improving the Nation’s Cybersecurity, called for a number of measures intended to bolster the nation’s defense posture against cyberthreats, including in the industrial and critical infrastructure sectors. Guarding against cyber threats remains essential for the continued operation of the nation’s BES, and it is worth noting that the existing NERC CIP standards already require many of the same controls the order calls for: asset inventories, patch management, configuration monitoring, and incident response and recovery planning. Following them positions BES operators to address vulnerabilities within their systems.
Though NERC CIP standards are admittedly numerous, they mainly involve:
- Identifying and categorizing BES Cyber Systems
- Performing regular risk analyses
- Establishing oversight
- Effectively governing physical access to BES Cyber Systems
- Establishing firewalls, maintaining cybersecurity tools, and enforcing IT controls
- Developing preventive and recovery-based plans
- Regular testing of protocols, physical and digital protections, and response plans
Essentially, NERC CIP is a rulebook for developing robust protections and contingency plans against both cyberattacks and digital disruptions that potentially threaten BES’s essential functions.
6 Time-Sensitive Compliance Standards
Staying compliant with NERC CIP standards can be complicated due to the varying timeframes required for different standards. Some standards, however, have recurring testing or review requirements that can be fairly easily embedded into routine compliance processes. We examine six of those specific NERC CIP standards below.
1. NERC CIP-002-5.1a: Categorization (Reviewed at Least Every 15 Months)
This standard (NERC CIP-002-5.1a) requires BES entities to identify their BES Cyber Systems and categorize each one, which is a reasonably straightforward standard.
Categorization means evaluating each BES Cyber System and rating it as high, medium, or low impact according to how an interruption of that system would affect the reliable operation of the BES. The impact rating drives which requirements in the other CIP standards apply to the system, and it gives BES cybersecurity staff a valuable set of benchmarks for understanding where their exposure lies.
This is a somewhat obvious standard. NERC CIP-002-5.1a is the baseline procedure on which the rest of NERC CIP compliance is built. But perhaps because of the standard’s foundational nature, it can sometimes be overlooked.
What’s important to note is that categorization is not a one-time exercise. Requirement R2 requires the identifications to be reviewed at least once every 15 calendar months, and in practice assets should be reassessed after any BES additions, replacements, or significant upgrades. New and updated assets can change roles and interactions within the BES, altering their impact rating.
2. CIP-007-6 R2: Security Patch Management (Every 35 Days)
CIP-007-6 covers system security management: ports and services, security patch management, malicious code prevention, security event monitoring, and system access control. Requirement R2, Security Patch Management, sets the timelines for evaluating and installing software and firmware security patches for BES Cyber Systems.
At least once every 35 calendar days, BES security staff must evaluate the security patches released by each identified patch source for applicability to their cyber assets. Then, within 35 calendar days of completing that evaluation, they must apply each applicable patch, create a new and dated mitigation plan, or revise an existing mitigation plan, and any mitigation plan must then be implemented within its stated timeframe.
Keep in mind, CIP-007-6 R2 is well known for being one of the most time- and effort-consuming NERC CIP requirements. ICS software and firmware patches are rarely simple: they often require vendor approval, outage windows, and testing on representative hardware. For that reason, it is a common source of compliance violations.
3. NERC CIP-010-3: Configuration Change Management and Vulnerability Assessments (Every 35 Days / 15 Months)
NERC CIP-010-3 lists the BES requirements for maintaining configuration baselines and detecting unauthorized changes to cyber assets.
The baseline for each BES Cyber System records its operating system (or firmware where there is no separate operating system), its commercially available or open-source application software, any custom software, its logical network accessible ports, and the security patches applied. Once that authorized baseline has been established, high impact BES Cyber Systems must be monitored at least once every 35 calendar days for deviations from it, and any unauthorized change must be documented and investigated.
Note that in addition to the 35-day monitoring cycle, a vulnerability assessment (which may be paper-based or active) is required at least once every 15 calendar months for high and medium impact systems, and high impact systems additionally require an active vulnerability assessment at least once every 36 calendar months.
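The 35-day monitoring step above is, at bottom, a comparison of a live snapshot against the authorized baseline. The script below is an added illustration of that comparison; it is not EmberOT’s product code and not text from the standard. The five baseline elements are the ones CIP-010-3 R1.1 names, but the field names, asset names, software versions, port numbers and patch labels are constructed sample data chosen for the example.

```python
"""Baseline drift check in the spirit of CIP-010-3 R1/R2.

Added illustration, not EmberOT's product code and not text taken from the
standard. The five baseline elements are the ones CIP-010-3 R1.1 names; the
asset names, versions, port numbers and patch labels below are constructed
sample data (assumptions for the example), not a real utility's inventory.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# CIP-010-3 R2.1: high impact BES Cyber Systems must be monitored for baseline
# changes at least once every 35 calendar days.
MONITOR_WINDOW_DAYS = 35

# Set-valued baseline elements from CIP-010-3 R1.1 (field names are our own).
COLLECTION_KEYS = ("app_software", "custom_software", "ports", "patches")


@dataclass(frozen=True)
class Deviation:
    asset: str
    element: str
    kind: str      # "added", "removed" or "changed"
    detail: str


def compare_to_baseline(baseline: dict, current: dict) -> list[Deviation]:
    """Return every difference between the authorized baseline and a live snapshot.

    Each entry names the asset, the baseline element and what changed, so a
    reviewer can decide whether the change was authorized and document it.
    """
    deviations: list[Deviation] = []
    for asset, base_cfg in baseline.items():
        cur_cfg = current.get(asset)
        if cur_cfg is None:
            deviations.append(Deviation(asset, "asset", "removed", "no snapshot collected"))
            continue
        # Operating system / firmware is a single value: report it as a change.
        if base_cfg.get("os") != cur_cfg.get("os"):
            deviations.append(Deviation(asset, "os", "changed",
                                        f"{base_cfg.get('os')} -> {cur_cfg.get('os')}"))
        # The other elements are sets: report additions and removals separately.
        for key in COLLECTION_KEYS:
            base_items = set(base_cfg.get(key, ()))
            cur_items = set(cur_cfg.get(key, ()))
            for item in sorted(cur_items - base_items):
                deviations.append(Deviation(asset, key, "added", str(item)))
            for item in sorted(base_items - cur_items):
                deviations.append(Deviation(asset, key, "removed", str(item)))
    # Devices that appear only in the snapshot were never authorized at all.
    for asset in sorted(set(current) - set(baseline)):
        deviations.append(Deviation(asset, "asset", "added", "device not in baseline"))
    return deviations


def monitoring_overdue(last_check_iso: str, today_iso: str) -> bool:
    """True when more than 35 calendar days have elapsed since the last baseline check."""
    elapsed = date.fromisoformat(today_iso) - date.fromisoformat(last_check_iso)
    return elapsed.days > MONITOR_WINDOW_DAYS


# Constructed sample data: the authorized baseline for two assets ...
BASELINE = {
    "rtu-01": {
        "os": "vendor-rtos 6.9",
        "app_software": ["protocol-gateway 2.4.1"],
        "custom_software": [],
        "ports": [502, 20000],
        "patches": ["rtu-fw-2023-11"],
    },
    "hmi-01": {
        "os": "windows-server-2019 1809",
        "app_software": ["scada-viewer 7.2", "endpoint-av 14.3"],
        "custom_software": ["alarm-export.ps1"],
        "ports": [443, 3389],
        "patches": ["os-cumulative-2023-10"],
    },
}

# ... and a later snapshot in which someone installed a remote-support tool on
# the HMI, which also opened a new listening port (constructed scenario).
SNAPSHOT = {
    "rtu-01": BASELINE["rtu-01"],
    "hmi-01": {
        "os": "windows-server-2019 1809",
        "app_software": ["scada-viewer 7.2", "endpoint-av 14.3", "remote-support 15.0"],
        "custom_software": ["alarm-export.ps1"],
        "ports": [443, 3389, 5938],
        "patches": ["os-cumulative-2023-10"],
    },
}

LAST_BASELINE_CHECK = "2024-01-10"  # constructed date of the previous review


def run_check(today_iso: str = "2024-02-20") -> dict:
    """Run the comparison and the cadence check; returns both for reporting."""
    return {
        "deviations": compare_to_baseline(BASELINE, SNAPSHOT),
        "monitoring_overdue": monitoring_overdue(LAST_BASELINE_CHECK, today_iso),
    }


if __name__ == "__main__":
    result = run_check()
    for d in result["deviations"]:
        print(f"{d.asset}: {d.element} {d.kind} ({d.detail})")
    print("35-day monitoring window exceeded:", result["monitoring_overdue"])
```

Run as written, the check reports the unauthorized application and the new listening port on hmi-01 and flags that 41 days have passed since the last review, which is beyond the 35-day window. In a real program the snapshot would come from the asset’s own inventory (package lists, listening sockets, firmware version) rather than a hard-coded dictionary, and every reported deviation would be tied to a change record or an investigation ticket.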
4. NERC CIP-008-6: Incident Reporting and Response Planning (Every 15 Months)
NERC CIP-008-6 requires that BES entities establish a Cyber Security Incident response plan. The plan must define how incidents are identified, classified, and responded to, including the process for determining whether an incident is reportable and for reporting it to the E-ISAC and CISA.
Once the incident response plan has been established, operators must test it at least once every 15 calendar months, either by responding to an actual reportable incident, by a paper drill or tabletop exercise, or by an operational exercise, and must update the plan within 90 calendar days of any test or actual incident that reveals lessons learned.
5. NERC CIP-009-6: Recovery Plans for BES Cyber Systems (Every 15 Months)
How do BES entities recover if a cyber incident creates a disruption? NERC CIP-009-6 standardizes how BES entities establish recovery plans for their BES Cyber Systems. The plan must state the conditions under which it is activated, who is responsible for each role, how backups are taken and stored, and how backup media is verified and preserved.
Just like the incident response plan, operators must test the recovery plan at least once every 15 calendar months, whether by actually recovering from backup media, by a paper drill, or by an operational exercise. High impact systems additionally require a full operational exercise at least once every 36 calendar months.
6. NERC CIP-006-6: Physical Security of BES Cyber Systems (Every 24 Months)
Finally, NERC CIP-006-6 addresses the physical security plan for your BES Cyber Systems and the timeframes for testing it.
CIP-006-6 sets the requirements for controlling physical access to Physical Security Perimeters, monitoring and alerting on unauthorized access, and handling visitors and escorts: visitors must be continuously escorted while inside a Physical Security Perimeter, and their entry and exit must be logged with the date and time, the visitor’s name, and the name of the responsible point of contact. Specific components to note include the requirements that visitor logs be retained for at least 90 calendar days and that each Physical Access Control System and its locally mounted hardware be maintained and tested at least once every 24 calendar months.
An ICS Cybersecurity Solution with Operators in Mind
Whether it’s BES or any other industrial system, no one knows industrial control systems better than their operators. And, in the event of ICS disruption, no one is better equipped to identify the problem and find a solution.
That’s why EmberOT seeks to put the power of information in the hands of those most qualified: ICS asset owners and operators.
Our low-impact sensor-based ICS cybersecurity software gives operators full visibility into their industrial environments. Between operating complex systems and navigating a maze of compliance codes, operators have enough to keep track of, which is why we kept our solution simple. It’s easy to deploy, easy to use, and has minimal impact on your systems. EmberOT amplifies operators’ insights without overcrowding their industrial environments.
Contact us or schedule a demo to learn more about the visibility and detection software that was purpose-built for OT.