The modern world depends on the electricity that powers our homes, vital industrial infrastructures, and economy as a whole. The extensive network of aggregate power generation plants and transmission facilities responsible for our power is known as the Bulk Electrical System (BES). The continued operation of the BES is, of course, necessary for life as we know it.
Governmental compliance measures have been instituted to ensure overall BES reliability, safety, and continued efficacy in the event of disruptive cyberattacks. Remaining in compliance with regulations is critical, though it’s an extensive and sometimes complex task.
What is NERC CIP?
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) is the central set of standards regulating BES protections and readiness against cyberattacks.
In May 2021, a U.S. government decree regarding cyberattacks on critical infrastructure drew a great deal of newsworthy attention. Though cyber threats are important to monitor, operators of BES remain well-equipped to address their systems’ vulnerabilities when following NERC CIP compliance standards and protocols.
NERC CIP standards are numerous, but they mainly involve:
- Identifying cyber assets
- Performing regular risk analyses
- Establishing oversight
- Effectively governing physical access to BES entities
- Establishing firewalls, maintaining cybersecurity tools, and enforcing IT controls
- Developing preventive and recovery-based plans
- Regular testing of protocols, physical and digital protections, and response plans
Essentially, NERC CIP is the rulebook for developing robust protections and contingency plans against cyberattacks and digital disruptions that could impact the BES’ essential functions.
6 Time-Sensitive Compliance Standards
Maintaining NERC CIP compliance can be complicated with its various timeframes for different compliance standards. While complete familiarity with NERC CIP is vital for BES security managers and operators, certain standards are worth noting due to their regular testing requirements.
That’s why we’ve highlighted these 6 NERC CIP standards to schedule as regular steps in your compliance procedures.
1. NERC CIP-002-5.1a: Categorization (Continually Reassessed)
This standard (NERC CIP-002-5.1a) requires BES entities to identify and categorize all cyber assets – which is a reasonably straightforward standard.
NERC CIP defines categorization as evaluating all BES cyber assets and determining whether their interruption will impact reliable electricity supply to customers. By measuring cyber assets’ potential impact on electrical supply, BES cybersecurity operators are provided valuable benchmarks for understanding vulnerabilities in the system.
To be sure, this is a somewhat obvious standard. NERC CIP-002-5.1a is a baseline procedure for adhering to NERC-CIP compliance. But perhaps because of the standard’s foundational nature, it sometimes can be overlooked.
What’s important to note is that cyber assets must be reassessed after any BES additions, changes, or significant updates. After all, new and updated assets can change roles and interactions within the BES, altering vulnerability grade2. s.
2. CIP-007-6 R2: System Security Controls (Every 35 Days)
CIP-007-6 outlines timelines for evaluating and installing cyber asset software and firmware security patches.
At least once every 35 days, BES security oversight staff must check the applicability of any new patches for their updateable cyber assets. Then, within an additional 35 days, they will need to apply the applicable patches, create a new and dated mitigation plan, or revise their existing mitigation plan.
Keep in mind, CIP-007-6 R2 is well known for being one of the most time- and effort-consuming NERC-CIP standards. Unfortunately, ICS software and firmware patches are rarely simple. For that reason, it’s a common standard to contribute to lapsed compliance.
3. NERC CIP-010-3: Configuration Change Management and Vulnerability Assessments (Every 35 Days/15 Months)
NERC CIP-010-3 lists the BES requirements for regular assessments of potential unauthorized changes to cyber assets.
Once the initial baseline of authorized operating systems, software, devices, and connections has been established, every 35 days, BES entities are to ensure the baseline remains consistent.
In addition to the regular 35-day reassessment, a full cybersecurity vulnerability scan is required every 15 months.
4. NERC CIP-008-6: Incidence Reporting and Response Planning (15 months)
NERC CIP-008-6 requires that BES entities establish a cybersecurity incident response plan. This plan would clarify how to identify and respond to any cyberattacks, disruptions, or infiltrations.
Once the incidence response plan has been established, operators must test it every 15 months.
5. NERC CIP-009-6: Recovery Plans for BES Cyber Systems (15 months)
How do BES entities respond if a cyber incident creates a disruption? NERC CIP-009-6 standardizes how BES entities should establish cyberattack recovery plans. The NERC CIP requirements state that BES entities must establish a plan, and clarify who should activate it and when.
Just like the incidence response plan, operators should test their recovery plan every 15 months.
6. NERC CIP-006-6: Physical Security of BES Cyber Systems (Every 2 Years)
Finally, NERC CIP-006-6 addresses timeframes for testing the physical security of your BES systems.
NERC-CIP requires guidelines for BES visitors and escorts, and proper protections for restricted areas. Any visitor logs should be maintained for at least 90 days, and operators should test the entirety of the physical security plan once every two years.
An ICS Cybersecurity Solution with Operators in Mind
Whether it’s BES or any other industrial system, no one knows industrial control systems better than their operators. And, in the event of ICS disruption, no one is better at identifying the problem and finding solutions.
That’s why SynSaber seeks to put the power of information in the hands of those most qualified: ICS asset owners and operators.
Our low-impact sensor-based ICS cybersecurity software gives operators full visibility into their industrial environments. With complex systems and compliance codes, operators have enough to keep track of, so we’ve kept our solution simple. Easy to deploy, easy to use, and with minimal impact on your systems. SynSaber amplifies operators’ insights without overcrowding their industrial environments.
Contact us or schedule a demo to learn more about the visibility and detection software that was purpose-built for OT.
Become a Subscriber
SYNSABER WILL NEVER SELL, RENT, LOAN, OR DISTRIBUTE YOUR EMAIL ADDRESS TO ANY THIRD PARTY. THAT’S JUST PLAIN RUDE.