North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) is a set of requirements designed to secure the assets required for operating North America’s bulk electric system.
The framework comprises 11 control families, with another five subject to enforcement in the future. These are mandated for energy and utility companies operating within the Bulk Electric System to minimize the risk of cyberattacks and of manipulation by bad actors seeking to cause damage.
For example, CIP-002-5.1a (Cyber Security – BES Cyber System Categorization) prioritizes the inventory of any connected systems that fall within the scope of NERC CIP. As with any cybersecurity framework, knowing what you and your organization are protecting is paramount to success: if you don’t know how many assets you’re protecting, you leave yourself open to unexpected threats.
CIP-003-7 (Cyber Security – Security Management Controls) mandates that organizations outline the controls they have in place to secure the assets scoped under the previous standard. It sits at the highest level and is most relevant to cybersecurity program managers and CISOs, because it provides visibility into the security activities and steps taken to secure the organization’s assets.
Another standard, CIP-010-2 (Cyber Security – Configuration Change Management and Vulnerability Assessments), goes hand in hand with access control: it requires that you have systems and processes in place for when configurations are changed. Unauthorized or unsupervised configuration changes can pose a great security threat, so you must make sure there are systems in place to detect and protect against them.
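As an added illustration of the kind of check CIP-010 calls for (example code written for this page, not part of the original article or any vendor product), the script below compares an approved baseline against an observed snapshot, separates documented changes from unauthorized ones, and flags an overdue monitoring cycle. The five baseline elements mirror those CIP-010 R1 Part 1.1 requires, and the 35-day interval is the R2 Part 2.1 monitoring maximum; the device names, ports and patch identifiers are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# CIP-010 R2 Part 2.1: baseline must be monitored at least once every 35 calendar days
MAX_MONITOR_GAP_DAYS = 35

@dataclass(frozen=True)
class Baseline:
    """The five baseline elements listed in CIP-010 R1 Part 1.1."""
    os_firmware: str            # operating system or firmware
    software: frozenset         # commercially available / open-source software
    custom_software: frozenset  # custom software installed
    ports: frozenset            # logical network accessible ports
    patches: frozenset          # security patches applied

def diff_baseline(approved: Baseline, observed: Baseline) -> list[str]:
    """Return every deviation of the observed snapshot from the approved baseline."""
    findings = []
    if approved.os_firmware != observed.os_firmware:
        findings.append(f"os_firmware: {approved.os_firmware} -> {observed.os_firmware}")
    for name in ("software", "custom_software", "ports", "patches"):
        before, after = getattr(approved, name), getattr(observed, name)
        findings += [f"{name}: added {item}" for item in sorted(after - before)]
        findings += [f"{name}: removed {item}" for item in sorted(before - after)]
    return findings

def unauthorized_changes(findings: list[str], authorized: set[str]) -> list[str]:
    """Deviations with no matching authorization record (CIP-010 R1 Part 1.2)."""
    return [f for f in findings if f not in authorized]

def monitoring_overdue(last_check: date, today: date) -> bool:
    """True when the last baseline check is older than the 35-day maximum."""
    return (today - last_check).days > MAX_MONITOR_GAP_DAYS

# Constructed sample data: approved baseline, current snapshot, documented changes
APPROVED = Baseline("RTOS 4.2", frozenset({"scada-hmi 7.1"}), frozenset({"relay-poll 1.0"}),
                    frozenset({"502/tcp", "22/tcp"}), frozenset({"KB-0001"}))
OBSERVED = Baseline("RTOS 4.2", frozenset({"scada-hmi 7.1", "remote-tool 2.3"}),
                    frozenset({"relay-poll 1.0"}), frozenset({"502/tcp", "22/tcp", "23/tcp"}),
                    frozenset({"KB-0001", "KB-0002"}))
AUTHORIZED = {"patches: added KB-0002"}      # the only change with a change record
LAST_CHECK, TODAY = date(2023, 1, 1), date(2023, 2, 10)

if __name__ == "__main__":
    for finding in unauthorized_changes(diff_baseline(APPROVED, OBSERVED), AUTHORIZED):
        print("UNAUTHORIZED CHANGE:", finding)
    print("monitoring overdue:", monitoring_overdue(LAST_CHECK, TODAY))
```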
For many security leaders, the greatest burden of the NERC CIP framework lies in scoping and maintaining awareness of which assets need to be secured. In that capacity, an integrated risk management platform is critical to success and ongoing compliance.
Static spreadsheets and assessments are outdated the moment they’re completed. A continuous, integrated, risk-based approach to NERC CIP compliance and security management enables security leaders to gather assessment data into a single source of truth and report to both technical and business-side stakeholders far more effectively and efficiently.
Want to learn more? Tonex offers NERC CIP Training Bootcamp, a 4-day course designed to meet the needs of the electric industry with regard to CIP compliance: cybersecurity for NERC CIP Versions 5 & 6 Compliance.