The NERC Critical Infrastructure Protection (CIP) standards are a set of requirements for generator and transmission owners/operators to protect bulk electric systems from physical and cyber threats. The goal of NERC compliance consulting solutions is to ensure generator owners and operators meet the necessary physical and cyber security measures designed to protect the Bulk Electric System (BES) from possible threats.
The CIP standards include requirements for identifying, protecting, and securing critical cyber assets and their associated systems. To comply with the CIP standards, entities must identify BES Cyber Assets and related equipment, then develop and implement a comprehensive program, including security, incident response, and training that meets the requirements of the relevant standard.
CIP-002-5.1a is a standard used to identify and assess the cyber security risks associated with BES systems and facilities. The process starts with a list and categorization of a facility’s cyber assets and associated equipment (such as electronic access points). The categorization is based on the asset’s impact rating on the Bulk Electric System (BES). The list and categorization are required to be reviewed and approved every 15 months.
Facilities must develop, implement, and document electronic security plans that restrict remote access to BES Cyber Systems and their associated assets. The security plan must include the following:
1. List of Cyber Assets, connected to a network, with external, routable protocol
2. List of Cyber Assets not connected to a network via an external, routable protocol
3. List of Electronic Access Points (EAP’s).
4. List, drawing, or other documentation showing all Electronic Security Perimeters (ESP’s).
5. All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined Electronic Security Perimeter (ESP).
6. All applicable BES Cyber Systems and Protected Cyber Assets (PCA), connected to a network, with external, routed connectivity, must be connected through an identified Electronic Access Point (EAP).
Facilities must develop, implement, and document a physical security plan that restricts access to BES Cyber Systems and their associated assets. The security plan must include the following:
1. Defined procedural or operational controls which restrict access to applicable systems
2. Physical access control for all unescorted personnel who have authorized unescorted physical access
3. Physical security perimeters
These policies should be checked and updated on a regular basis in order to ensure effectiveness.
Facilities shall implement a security awareness training program that includes:
1. Reinforcing cyber security practices, conducted every quarter
2. Cyber security policies
3. Electronic access
4. Physical access
5. Cyber security incident identification and response
6. Recovery plans for BES Cyber Systems
The training periodicity for medium and high-impact facilities is every 15 months unless noted above.
Medium and high-impact facilities are required to develop at least one Cyber Security Incident Response Plan, including:
1. Processes to identify, classify, and respond to Cyber Security Incidents
2. Criteria to evaluate and define attempts to compromise (BES Cyber Systems)
3. processes to determine if an identified Cyber Security Incident is a Reportable Cyber Security Incident or an attempt to compromise
4. Notification requirements
5. Roles and responsibilities of Cyber Security Incident response groups or individuals
The above are summaries of the major NERC CIP standards. Combined Cycle Solutions offers NERC compliance consulting solutions for CIP and PRC standards compliance. Services include plan development, training, and auditing for all of the above.