Critical Infrastructure Protection (CIP)
The USA's Federal Energy Regulatory Commission (FERC) has chosen NERC as the
critical infrastructure protection coordinator for the electrical sector.
NERC's CIP standards were adopted in 2006. These standards specify the
minimum requirements to support the reliability of the electrical system.
All organizations involved with the bulk electrical network in North
America are subject to these standards.
NERC's implementation calendar plans for all organizations to be fully
compliant and pass audits by 2010.
www.nerc.com
NERC CIP Compliance
A simple security server is not sufficient to become CIP-compliant. NERC CIP
compliance deals with physical, electronic and personnel security, along with
training and awareness programs.
NERC CIP standards are not just about centralized access. They are about
knowing everything that is in the field, how to access it and being able to
prove that it is secure. It's also about documenting and auditing all
critical infrastructure protection programs.
Utilities that make up the bulk electric system must:
- Keep an inventory of all electronics that either are on the critical
assets list or are necessary to the operation of critical assets
- Protect access to these critical cyber-assets on a need-to-know basis
- Create an electronic security perimeter that prevents unauthorized
users from accessing any critical cyber-asset, whether they are outside or
inside the corporate network
- Ensure that all electronic cyber-assets are secure via user account
management, equipment password management, and secure networking policies
- Implement and test a critical cyber-asset recovery plan.
Physical Security (CIP-006)
Utilities must ensure the physical security of all critical cyber-assets:
- A physical security perimeter must be in place around all critical
cyber-assets
- All physical access points to critical cyber-assets must be identified
and controlled
- An access log must be maintained for all critical cyber-assets, via
keycards, video or manual log
Personnel Security (CIP-004)
Each person who accesses critical cyber-assets, including the utility's
personnel, contract workers and vendors, must be investigated to assess the
risk that he or she poses to security.
Training and Awareness (CIP-004)
Everyone who has access to critical cyber-assets, including the utility's
personnel, contract workers and vendors, must be trained regarding
cyber-security.
All CIP standards make it mandatory to document and review all procedures
and policies every year.
Recovery Plans (CIP-009)
NERC's CIP makes having a recovery plan mandatory. A compliant recovery plan
includes:
- Backup strategies
- Data restoration strategies
- Spare parts and equipment
NERC, FERC, ERO: Where They Come Together
The North American Electric Reliability Council (NERC) was created in
1968 to ensure that North America's electrical network is secure, adequate
and reliable. Until 2005, NERC's standards were applied on a self-regulatory
basis.
The Federal Energy Regulatory Commission (FERC) oversees the transmission
of electricity, natural gas and oil in the USA.
With the Energy Policy Act of 2005 (EPAct), FERC and NERC came together.
The EPAct put FERC in charge of the commerce of electricity, along with its
reliability. Moreover, the EPAct created the Electric Reliability
Organization (ERO), which covers North America and falls under FERC's
authority in the USA. The ERO's role is to ensure and enforce compliance with
the reliability and security standards of electric power networks.
FERC chose NERC as the ERO for the USA, which makes compliance with NERC's
Critical Infrastructure Protection (CIP) standards mandatory.
NERC and FERC can now impose penalties on non-compliant utilities.
www.nerc.com
www.ferc.gov
For More Information
For more information on how Cybectec's products put you
on the path to NERC CIP compliance, request our white paper: "Meeting
NERC requirements with Cybectec Solutions"