Cybercriminals are increasingly turning their attention to utility companies. These attacks have become a major source of concern, pushing utilities and grid operators to revise their security programs, protect their infrastructure, and shield their customers. One reason criminals keep targeting utilities is how much is at stake: a utility cannot afford a prolonged outage, so attackers assume it will pay to make an incident go away.
Despite the growing number of attacks on the industry, not every company can confidently detect and contain an intrusion before it spreads across its operations. In a survey by EY, 85% of power companies said they felt unequipped to monitor their digital ecosystem. That gap is what NERC CIP compliance software such as the product from Force 5, Inc. is meant to close, by giving operators visibility into the controls they are required to maintain.
Because keeping the electrical grid running is a matter of public safety and economic stability, the North American Electric Reliability Corporation (NERC) has developed the Critical Infrastructure Protection (CIP) standards that entities in the industry must follow.
What is NERC CIP?
The NERC CIP standards became mandatory in 2008. They were written to protect utility companies and secure the cyber assets critical to reliable operation. The standards define the security requirements under which entities operate the Bulk Electric System (BES), broadly the high-voltage transmission and generation portion of the power grid.
Since 2008 the standards have been revised many times to keep registered entities current with evolving threats and practices. In recent years four more standards have been approved and will become enforceable in the near future.
The NERC CIP standards are approved by the Federal Energy Regulatory Commission (FERC), which gives them the force of federal regulation in the United States. They help protect the control centers, generating plants, and transmission substations that make up the grid. With an established control set, operators have a consistent picture of their security posture and can quickly detect unauthorized access or cyberattacks, whether from internal or external sources.
Currently there are 12 enforceable standards guiding operators in the utility sector. They are:
- CIP-002-5.1a Cyber Security – BES Cyber System Categorization
- CIP-003-8 Cyber Security – Security Management Controls
- CIP-004-6 Cyber Security – Personnel & Training
- CIP-005-6 Cyber Security – Electronic Security Perimeter(s)
- CIP-006-6 Cyber Security – Physical Security of BES Cyber Systems
- CIP-007-6 Cyber Security – System Security Management
- CIP-008-6 Cyber Security – Incident Reporting and Response Planning
- CIP-009-6 Cyber Security – Recovery Plans for BES Cyber Systems
- CIP-010-3 Cyber Security – Configuration Change Management and Vulnerability Assessments
- CIP-011-2 Cyber Security – Information Protection
- CIP-013-1 Cyber Security – Supply Chain Risk Management
- CIP-014-2 Physical Security
Over the next couple of years the following approved standards will become enforceable. Three are revisions of standards already in force; CIP-012-1 is new:
- CIP-005-7 Cyber Security – Electronic Security Perimeter(s)
- CIP-010-4 Cyber Security – Configuration Change Management and Vulnerability Assessments
- CIP-012-1 Cyber Security – Communications between Control Centers
- CIP-013-2 Cyber Security – Supply Chain Risk Management
Requirements under NERC CIP
Registered entities across North America that own or operate BES assets are expected to implement, document, and strictly adhere to the NERC CIP standards. The standards are aimed at protecting against cyberattacks by ensuring that a defined baseline of security controls is in place to protect the BES, its service delivery, and the consumers who rely on it for power.
The NERC CIP standards also require entities to guard against physical acts such as vandalism, arson, etc., that could cripple operations and threaten energy delivery to customers.
Every entity in scope must identify and categorize its BES Cyber Systems (CIP-002) and perform regular risk and vulnerability assessments to confirm that those systems are covered and that attacks can be forestalled. Entities must also define their policies for monitoring and changing critical assets, including who is authorized to access them and to approve a change.
Operators are further required to place their BES Cyber Systems inside an Electronic Security Perimeter (CIP-005). Every external connection must pass through a controlled electronic access point that permits only the traffic explicitly required and denies everything else, so that a compromise elsewhere in the corporate network cannot reach the control systems directly. Beyond the perimeter, entities are expected to deploy monitoring tools, enforce security controls on their critical assets, and maintain tested recovery and contingency plans for natural disasters, cyberattacks, and any other event that threatens grid operation.
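The change-control obligation in the paragraphs above (CIP-010, Configuration Change Management) comes down to one recurring check: compare what is actually running on each BES Cyber System against its approved baseline, and treat any difference that no prior change record covers as an unauthorized change. The following Python is an added illustration of that check; it is not code from Force 5, NERC, or the standards, and the asset names, baseline fields, snapshot values and change tickets are constructed sample data.

```python
"""Baseline-drift check of the kind a NERC CIP-010 change-management programme
relies on: compare each asset's observed configuration against its approved
baseline and flag every change that no prior change record authorizes.

Added illustration only; not Force 5 or NERC code. Asset names, baseline
fields, snapshot values and change tickets below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# CIP-010 R1 baselines cover OS/firmware, installed commercial software,
# custom software, logically accessible network ports and security patches.
BASELINE_FIELDS = ("os_firmware", "installed_software", "custom_software",
                   "open_ports", "security_patches")


@dataclass(frozen=True)
class Deviation:
    asset: str
    field: str
    expected: Any
    observed: Any
    authorized_by: Optional[str]   # change ticket covering it, or None


def _canon(value: Any) -> Any:
    """Order-insensitive form for list-valued fields (ports, patches, software)."""
    if isinstance(value, list):
        return tuple(sorted(str(v) for v in value))
    return value


def fingerprint(config: Dict[str, Any]) -> str:
    """SHA-256 over the canonical baseline fields, so a baseline can be stored
    and compared as one value; list order and unrelated keys do not affect it."""
    canon = {f: _canon(config.get(f)) for f in BASELINE_FIELDS}
    return hashlib.sha256(json.dumps(canon, sort_keys=True).encode()).hexdigest()


def find_deviations(baselines: Dict[str, Dict[str, Any]],
                    snapshots: Dict[str, Dict[str, Any]],
                    approved_changes: List[Dict[str, Any]]) -> List[Deviation]:
    """approved_changes are records written *before* a change is made (CIP-010
    requires prior authorization). A deviation counts as authorized only when a
    ticket names exactly that asset, field and resulting value."""
    covered = {(c["asset"], c["field"], _canon(c["new_value"])): c["ticket"]
               for c in approved_changes}
    found: List[Deviation] = []
    for asset, base in baselines.items():
        snap = snapshots.get(asset)
        if snap is None:
            # An asset that cannot be observed is itself a finding: the
            # periodic monitoring obligation cannot be met for it.
            found.append(Deviation(asset, "snapshot", "present", "missing", None))
            continue
        if fingerprint(base) == fingerprint(snap):
            continue                      # fast path: nothing changed
        for f in BASELINE_FIELDS:
            expected, observed = _canon(base.get(f)), _canon(snap.get(f))
            if expected != observed:
                found.append(Deviation(asset, f, expected, observed,
                                       covered.get((asset, f, observed))))
    # Anything observed inside the perimeter with no baseline is also a finding.
    for asset in sorted(snapshots.keys() - baselines.keys()):
        found.append(Deviation(asset, "baseline", "present", "missing", None))
    return found


def unauthorized(deviations: List[Deviation]) -> List[Deviation]:
    """The subset that must be investigated and reported, not merely logged."""
    return [d for d in deviations if d.authorized_by is None]


# Constructed sample data: two baselined assets, one baselined asset with no
# snapshot, one observed asset with no baseline, and one pre-approved change.
SAMPLE_BASELINES = {
    "rtu-substation-17": {"os_firmware": "vendorOS 4.2.1",
                          "installed_software": ["scada-agent 3.1"],
                          "custom_software": [],
                          "open_ports": [22, 502],
                          "security_patches": ["VEN-2021-003"]},
    "ems-hist-01": {"os_firmware": "hist-linux 2.8",
                    "installed_software": ["historian 9.4"],
                    "custom_software": ["tagsync 1.0"],
                    "open_ports": [443],
                    "security_patches": ["VEN-2021-001"]},
    "relay-line-4": {"os_firmware": "relay-fw 1.9", "installed_software": [],
                     "custom_software": [], "open_ports": [102],
                     "security_patches": []},
}
SAMPLE_SNAPSHOTS = {
    # Telnet (23) appeared with no change record: unauthorized.
    "rtu-substation-17": {**SAMPLE_BASELINES["rtu-substation-17"],
                          "open_ports": [502, 22, 23]},
    # A patch was applied under ticket CHG-1042: authorized.
    "ems-hist-01": {**SAMPLE_BASELINES["ems-hist-01"],
                    "security_patches": ["VEN-2021-001", "VEN-2021-007"]},
    # No baseline exists for this host at all.
    "jump-host-02": {"os_firmware": "generic 1.0", "installed_software": [],
                     "custom_software": [], "open_ports": [22],
                     "security_patches": []},
}
SAMPLE_CHANGES = [{"ticket": "CHG-1042", "asset": "ems-hist-01",
                   "field": "security_patches",
                   "new_value": ["VEN-2021-007", "VEN-2021-001"]}]

if __name__ == "__main__":
    for d in find_deviations(SAMPLE_BASELINES, SAMPLE_SNAPSHOTS, SAMPLE_CHANGES):
        status = d.authorized_by or "UNAUTHORIZED"
        print(f"{d.asset:18} {d.field:17} {d.expected!r} -> {d.observed!r} [{status}]")
```

Two design points matter in practice: the comparison canonicalizes list-valued fields so that a re-ordered port list or patch list is not reported as drift, and a change is only treated as authorized when a record written before the change names the exact resulting value, which is what an auditor will ask to see. On the sample data the check reports four findings, of which only the historian patch is covered by a ticket.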
Are there penalties for noncompliance with NERC CIP standards?
Utilities and other operators in the energy sector that are found non-compliant with the NERC CIP standards face fines of up to $1 million per violation per day. Although $1 million per violation per day is the statutory maximum, one company agreed to a $10 million penalty in 2019 for 127 violations, some of which had persisted for days and others for months.