You can find detailed information on each standard on the NERC website.
The NERC CIP standards generally encompass the same breadth of topics as other cybersecurity frameworks, such as the NIST CSF or the CIS Top 20 Controls. Still, they are more prescriptive than those frameworks, and they are enforceable against the entities subject to them, with potentially hefty fines for non-compliance.
Although all of these standards are important and can result in fines if not met, there are a few that warrant further detail and understanding.
Understanding the Core NERC CIP Requirements
Below, we’ll explore the essential NERC CIP requirements that form the backbone of cybersecurity and reliability in the Bulk Electric System (BES). These standards help play a pivotal role in protecting BES Cyber Systems from threats and vulnerabilities. We’ll dissect the key standards, shedding light on their specific objectives and significance within the energy sector.
NERC CIP-002: Asset Identification and Classification
To identify and categorize BES Cyber Systems and their associated BES Cyber Assets for applying cybersecurity requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES.
To understand this requirement, two definitions are important:
- BES: Bulk Electric System. The Bulk Electric System refers to the electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, generally operated at 100 kV or higher voltage.
- BES Cyber System: The BES Cyber System was new in Version 5. The intent was to group “Cyber Assets,” the prior term of art, so that a responsible entity (i.e., a utility) could consider how it would protect a system rather than each individual asset. For instance, the NERC documentation gives the example of anti-malware, which might be applied to a system as a whole but not to each asset within that system.
“It becomes possible to apply requirements dealing with recovery and malware protection to a grouping rather than individual Cyber Assets, and it becomes clearer in the requirement that malware protection applies to the system as a whole and may not be necessary for every individual device to comply.”
A key focus of NERC CIP-002 is identifying and classifying critical cyber assets, which are essential components in maintaining the resilience and security of the bulk power system. The standard requires the entity to classify these systems and assets as having a high, medium, or low potential impact on the power grid (or BES). NERC does provide prescriptive guidelines for what constitutes each level, with control centers as High, large transmission and generation facilities as Medium, and the other control centers and backups, generation, transmission, or distribution protection assets as Low impact.
Defining these assets is important because the levels of control or security maturity required for High and Medium-impact assets are much greater than those for Low-impact assets. This task can be particularly arduous and prone to error due to the complexity of OT environments.
NERC CIP-005: Network Security – Electronic Security Perimeters
To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
CIP-005 focuses on controlling network access to the critical assets identified under CIP-002. This presents a significant challenge today given how increasingly connected industrial control systems are, and adding third-party remote access and network segmentation only increases the complexity. As the industry drives toward ever greater analytics and remote connectivity, the risks to the electric system increase dramatically. CIP-005 is intended to reduce some of these risks. It is worth emphasizing that the focus of this requirement is the ongoing monitoring and maintenance of network segmentation and access control, with particular attention to vendor and other third-party remote access.
NERC CIP-007: System Security Controls
To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
Of all the CIP standards, this may be the most controversial, not because of the general recognition of the importance of system security controls but because of the prescriptive nature of the standards. Several of the CIP standards are “procedural” in that the entity needs to establish and maintain a process. But others, such as CIP-007, are more “prescriptive” in nature, requiring the entity to take specific actions, regardless of outcomes, to meet the standard satisfactorily.
Controversy Within NERC CIP-007
The controversy surrounding these prescriptive requirements—particularly those related to patch management—can stem from the perceived lack of flexibility combined with the significant resource burden they impose.
Critics argue that a one-size-fits-all approach may not always be the most effective security strategy for every organization’s unique environment and risk profile. Not to mention, the strict timelines for evaluation and application can be challenging to meet. This is especially the case when dealing with a high volume of patches or complex system configurations—leading to debates about the practicality and overall value of such rigid mandates.
The particular control that comes under the greatest scrutiny is that related to Patch Management (CIP-007-6 R2):
2.1: A patch management process for tracking, evaluating, and installing cybersecurity patches for applicable cyber assets. The tracking portion shall include identifying a source or sources that the Responsible Entity tracks for the release of cyber security patches for relevant cyber assets that are updateable and for which a patching source exists.
2.2: At least once every 35 calendar days, evaluate security patches released since the last evaluation from the source or sources identified in Part 2.1 for applicability.
2.3: For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions:
- Apply the applicable patches; or
- Create a dated mitigation plan; or
- Revise an existing mitigation plan.
Mitigation plans shall include the Responsible Entity’s planned actions to mitigate the vulnerabilities addressed by each security patch and a time frame to complete these mitigations.
The patch management prescriptive requirements create significant debate among NERC CIP managers, auditors, and commentators. Regardless of one’s view of the security efficiency-effectiveness trade-offs of the requirements, the reality is that this requires a significant effort by the responsible entity to maintain its patch status.
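The deadline arithmetic in Parts 2.2 and 2.3 above is where most of the maintenance effort lands, so here is an added example (not code from NERC or from this page) of a small tracker that turns those two 35-day windows into per-source and per-patch status strings of the kind an auditor asks for. The asset names, patch sources, patch IDs and dates are constructed for the illustration.

```python
"""Added example: a CIP-007-6 R2 patch-management deadline tracker.

Constructed records and dates; the asset names, sources and patch IDs are
hypothetical. The two 35-day windows come from the standard's text.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

EVALUATION_WINDOW = timedelta(days=35)  # Part 2.2: re-evaluate each source at least every 35 days
ACTION_WINDOW = timedelta(days=35)      # Part 2.3: apply or plan within 35 days of evaluation


@dataclass
class PatchRecord:
    patch_id: str
    asset: str                              # hypothetical BES Cyber Asset name
    source: str                             # patch source tracked under Part 2.1
    evaluated: Optional[date] = None        # date the applicability evaluation was completed
    applicable: Optional[bool] = None       # result of that evaluation
    applied: Optional[date] = None          # date the patch was installed
    mitigation_plan: Optional[date] = None  # date on the new or revised mitigation plan


def evaluation_status(last_evaluation: date, today: date) -> str:
    """Part 2.2: the next evaluation of a source is due 35 calendar days after the last one."""
    due = last_evaluation + EVALUATION_WINDOW
    if today > due:
        return f"OVERDUE since {due.isoformat()}"
    return f"due by {due.isoformat()}"


def action_status(rec: PatchRecord, today: date) -> str:
    """Part 2.3: each applicable patch needs one of the allowed actions within 35 days."""
    if rec.evaluated is None:
        return "not evaluated"
    if not rec.applicable:
        return "not applicable"
    due = rec.evaluated + ACTION_WINDOW
    # Any of the allowed actions, dated on or before the deadline, satisfies Part 2.3.
    if rec.applied is not None and rec.applied <= due:
        return "compliant: applied"
    if rec.mitigation_plan is not None and rec.mitigation_plan <= due:
        return "compliant: mitigation plan dated"
    if rec.applied is not None:
        return f"LATE: applied {(rec.applied - due).days} days after {due.isoformat()}"
    if today > due:
        return f"OVERDUE since {due.isoformat()}"
    return f"pending, {(due - today).days} days left"


def compliance_report(records: List[PatchRecord], last_evaluations: Dict[str, date],
                      today: date) -> Dict[str, Dict[str, str]]:
    """The evidence view: status of every tracked source and every evaluated patch."""
    return {
        "sources": {s: evaluation_status(d, today) for s, d in last_evaluations.items()},
        "patches": {r.patch_id: action_status(r, today) for r in records},
    }


# Constructed sample data (2024 is a leap year, which the date arithmetic handles).
TODAY = date(2024, 3, 15)
LAST_EVALUATIONS = {"os-vendor": date(2024, 1, 20), "ics-vendor-advisories": date(2024, 2, 20)}
RECORDS = [
    PatchRecord("P-1", "HMI-01", "os-vendor", evaluated=date(2024, 1, 20), applicable=True,
                applied=date(2024, 2, 10)),
    PatchRecord("P-2", "HMI-01", "os-vendor", evaluated=date(2024, 1, 20), applicable=True),
    PatchRecord("P-3", "RTU-07", "ics-vendor-advisories", evaluated=date(2024, 2, 20),
                applicable=True, mitigation_plan=date(2024, 3, 1)),
    PatchRecord("P-4", "RTU-07", "ics-vendor-advisories", evaluated=date(2024, 2, 20), applicable=True),
    PatchRecord("P-5", "RTU-07", "ics-vendor-advisories", evaluated=date(2024, 2, 20), applicable=False),
]

if __name__ == "__main__":
    for section, rows in compliance_report(RECORDS, LAST_EVALUATIONS, TODAY).items():
        print(section)
        for key, status in rows.items():
            print(f"  {key}: {status}")
```

Note that the tracker treats a dated mitigation plan as equivalent to an applied patch for deadline purposes, exactly as Part 2.3 does; what it cannot tell you is whether the plan's mitigations are adequate, which is the judgement the debate in the text is about.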
NERC CIP-010: Change & Vulnerability Management
To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the Bulk Electric System (BES).
CIP-010 ensures that a system initially established as secure maintains that security over time. This applies both to configurations that may drift over time through adjustments to ports, services, rule settings, etc., and to new vulnerabilities identified in software.
This standard creates many challenges for utilities. Two of the greatest are managing the change process so that the human processes for documenting and approving changes align with what actually happens on the systems themselves, and maintaining records of those changes. Entities need to map their approval processes to the actual results on the system and be able to monitor and retain evidence of these changes to demonstrate compliance to auditors.
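The mapping between approved changes and what actually happened on the system is the crux of that paragraph, so here is an added example (not NERC's or any vendor's code) that diffs a recorded baseline against the observed configuration and reconciles each difference against approved change tickets. It reports three things: drift an approved ticket explains, drift no ticket explains (the CIP-010 finding), and approved changes the live system does not yet reflect. The RTU, its ports, services, firmware versions and ticket numbers are all constructed.

```python
"""Added example: CIP-010-style baseline drift detection reconciled against approved changes.

The asset, its configuration items and the change tickets are constructed;
none of this is NERC or any vendor's code.
"""
from typing import Dict, List, Set, Tuple

Item = Tuple[str, str]     # (kind, value), e.g. ("port", "tcp/502")
Delta = Tuple[str, Item]   # ("added" | "removed", item)


def drift(baseline: Set[Item], observed: Set[Item]) -> Set[Delta]:
    """Every difference between the recorded baseline and the live configuration."""
    added = {("added", item) for item in observed - baseline}
    removed = {("removed", item) for item in baseline - observed}
    return added | removed


def reconcile(deltas: Set[Delta], approved: Dict[str, Set[Delta]]) -> Dict[str, object]:
    """Map each observed change to an approved ticket, or flag it.

    authorized       - drift that an approved ticket expected (keyed by delta -> ticket)
    unauthorized     - drift no ticket explains: the finding an auditor will ask about
    not_implemented  - approved changes the live system does not yet show
    """
    authorized: Dict[Delta, str] = {}
    for ticket, expected in approved.items():
        for delta in expected:
            if delta in deltas:
                authorized[delta] = ticket
    unauthorized: List[Delta] = sorted(d for d in deltas if d not in authorized)
    not_implemented: List[Tuple[str, Delta]] = sorted(
        (ticket, d) for ticket, expected in approved.items() for d in expected if d not in deltas
    )
    return {"authorized": authorized, "unauthorized": unauthorized, "not_implemented": not_implemented}


# Constructed baseline and observed state for a hypothetical RTU.
BASELINE: Set[Item] = {
    ("port", "tcp/502"), ("port", "tcp/22"),
    ("service", "modbus"), ("service", "sshd"),
    ("software", "firmware=3.1"),
}
OBSERVED: Set[Item] = {
    ("port", "tcp/502"), ("port", "tcp/22"), ("port", "tcp/8080"),
    ("service", "modbus"), ("service", "sshd"), ("service", "httpd"),
    ("software", "firmware=3.2"),
}
# Constructed change tickets: CHG-1001 is the approved firmware upgrade;
# CHG-1002 was approved but has not been carried out on the device.
APPROVED_CHANGES: Dict[str, Set[Delta]] = {
    "CHG-1001": {("removed", ("software", "firmware=3.1")), ("added", ("software", "firmware=3.2"))},
    "CHG-1002": {("added", ("port", "tcp/443")), ("added", ("service", "nginx"))},
}


def baseline_report() -> Dict[str, object]:
    """Run the drift check for the constructed RTU and return the reconciled result."""
    return reconcile(drift(BASELINE, OBSERVED), APPROVED_CHANGES)


if __name__ == "__main__":
    for section, rows in baseline_report().items():
        print(section, rows)
```

The useful property for compliance evidence is that the same structure answers both questions the text raises: whether the system matches its approved state, and whether the paperwork matches the system. The observed configuration would in practice come from a read-only inventory of the device rather than an active scan, for the reasons given in the next paragraph.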
Vulnerability assessments are a challenge within industrial control systems because of the sensitivity of the cyber assets involved. Unlike in traditional IT environments, running standard vulnerability scans against ICS devices can carry a significant risk of disrupting critical operations or even causing physical damage.
NERC CIP-013: Supply Chain Security
To mitigate cybersecurity risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.
CIP-013 has become one of the “hottest” topics in NERC CIP since the public announcement of the SolarWinds attack. Presidential Orders, Congressional committees, software industry mandates, etc., are all the result of this attack, which made software supply chain risk a front-page story. CIP-013 was already underway and working through committees, but its relevance and the focus on it have accelerated since SolarWinds. Compliance with CIP-013 will eventually likely require detailed “Software Bills of Materials” for all new components deployed into the BES, and it will probably have a significant impact on software development practices over time.
We would expect the requirements of this part of the standard to grow over time as more is learned about how to implement these supply chain risk management processes.
Because CIP compliance is mandatory and compliance is primarily driven by self-reporting or through the audit cycle, a successful CIP compliance program will include a constant drive to produce and maintain evidence of compliance. Each procedure should have evidence of its successful performance; that evidence should be sampled and reviewed periodically for completeness and correctness; that evidence should be archived in easily retrievable manners so that compliance can be demonstrated quickly when needed.
Producing this evidence-based structure requires an integrated approach combining dedicated compliance personnel who design and gather evidence with input and cooperation from operations personnel who have and supply the evidence. This structure is typically replicated across each business unit or functional organization in large utilities.
Impact on North American Electric Utilities
If you are a North American electric utility, adhering to the NERC CIP standards requires a significant investment and carries the risk of fines. While most fines are in the low five-figure range, systemic violations have resulted in fines exceeding one million dollars. But the negative impact of a poor audit finding is more than the fine. Self-reported violations or negative audit findings can create significant management challenges that affect relationships with boards, shareholders, regulators, and other critical stakeholders.
This is why it’s essential to view a compliance program as a channel for building operational resilience and safeguarding the organization’s brand and reputation.
Global Relevance: The Shift Towards Prescriptive OT Cyber Security Regulations
The NERC CIP standards are instrumental in maintaining the security and efficiency of the North American power system, particularly in the face of evolving cyber threats. This underscores their importance beyond compliance, highlighting their role in maintaining a resilient and secure energy infrastructure. Beyond the power utilities, which are the focus of NERC CIP, industrial organizations worldwide need to understand these standards and prepare for similar requirements in their industries. Although this may strike the NERC CIP critics as problematic, the reality is that the emerging OT cybersecurity regulations worldwide lean more towards “prescriptive” than they have historically. While they may end up as “NERC-CIP-LITE,” they will likely be more prescriptive.
Impact on the Future of OT Security Regulation
The future of OT cyber security regulation is clear: more prescriptive requirements and more auditing by regulatory bodies.
This will require a significant shift in mindsets, investments, and efforts among industrial organizations worldwide. It took the North American electric power sector eight years from the first approval of NERC standards to robust audits under the “version 5” standard and another five years to today. Because the risks are even more significant, we would expect these new regulatory standards to be adopted more urgently than NERC CIP was. This will mean less time to prepare and evolve than in North America.
The good news is that after 15 years of trial and error, there are significant learnings from the North American power industry in increasing cybersecurity and addressing these growing regulatory prescriptions. They and their industry partners have developed new technologies and processes. But one of the key learnings is this takes time. The earlier an organization begins its cybersecurity journey, the less painful the eventual regulatory burden is.
Cybersecurity is often referred to as “defense in depth.” Whether or not that phrase perfectly summarizes modern threats, there is no question that success requires foundational elements, and those foundational elements take time. An organization cannot simply jump to maturity level “5”. The earlier it begins to chart its path, using NERC CIP and other frameworks as guideposts, the more feasible it will be to achieve future regulatory compliance.