The NERC CIP (North American Electric Reliability Corporation critical infrastructure protection) plan is a set of requirements designed to secure the assets required for operating North America’s bulk electric system.
The NERC CIP plan consists of 9 standards and 45 requirements covering the security of electronic perimeters and the protection of critical cyber assets as well as personnel and training, security management and disaster recovery planning. .
Under NERC CIP, covered entities are required to identify critical assets and to regularly perform a risk analysis of those assets. Policies for monitoring and changing the configuration of critical assets need to be defined, as do policies governing access to those assets.
In addition, NERC CIP requires the use of firewalls to block vulnerable ports and the implementation of cyberattack monitoring tools. Organizations are also required to enforce IT controls protecting access to critical cyber assets.
Compliance with the NERC CIP standards is mandatory. The Critical Infrastructure Protection Committee (CIPC) helps NERC work directly with industry partners to obtain feedback, revise the standards and draft new standards. NERC and its regional partners work to monitor and ensure compliance with industry partners.
To be NERC CIP compliant, bulk power supply owners and operators must ensure they’ve enacted the measures contained in all of the enforceable CIP standards. CIP-002 outlines the categorization system used to determine which assets are “critical.” Identifying which items are critical assets is the first step in becoming compliant.
The other standards:
- CIP-003 outlines controls for managing security
- CIP-004 provides standards for training personnel to be CIP compliant
- CIP-005 and 006 focus on creating security perimeters, both electronically and physically
- CIP-007 provides information on managing system security
- CIP-008 and 009 deal with what happens after an incident occurs: how to report it and implement recovery plans
- CIP-010 addresses change management and vulnerabilities
- CIP-011 lays out standards for protecting information
- CIP-014 addresses the need for physical security
Want to learn more? Tonex offers Critical Infrastructure Protection (CIP) NERC Training, a 2-day course that teaches participants the CIP standards developed by Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) and will help you to understand the requirements for personnel and training, physical security of Bulk Electric Systems (BES) cybersecurity and information protection.
Additionally, Tonex offers nearly three dozen more courses in Cybersecurity Foundation. This includes cutting edge courses like:
—Cybersecurity Fundamentals (2 days)
—Electric Grid Cybersecurity Master Certification (4 weeks)
—Network Security Training (2 days)
—Software Security Training (2 days)
—ICS Cybersecurity Training (4 days)
For more information, questions, comments, contact us.