Becoming NERC CIP-Compliant

By Jay Abshier

A sea change is sweeping through the North American bulk electricity system in the wake of the U.S. Energy Policy Act of 2005 (EPAct). Previously voluntary reliability programs under the aegis of the North American Electric Reliability Council (NERC) are transitioning to mandatory standards under the Federal Energy Regulatory Commission (FERC), with substantial financial penalties for noncompliance.

The enforcement timeline for the CIP Standards commenced on January 1, 2007, with auditable compliance being required in 2010. The exact dates depend on the functional entity(ies) for which the utility is registered (transmission operator, generation operator, etc.).

 Penalties for noncompliance use the standard Federal Energy Regulatory Commission (FERC) and North American Reliability Council (NERC) penalty matrix, with fines ranging from $1,000 to $1,000,000.

In July 2007, the FERC staff recommended to its Board that the CIP standards and implementation schedule be approved. FERC has also recommended that NERC revisit the CIP standard and has recommended specific areas that need modification. Observers think if the CIP standard is modified, new implementation schedules will also be adopted for conformance to any approved changes.

Reliability Standards Emerge

Reliability standards had their genesis following the major North American power outage in November 1965, with the implementation of voluntary operating policies and planning standards. These were designed to ensure the reliability of the bulk power system in the U.S. and Canada. Subsequent outage events, such as the summer 1996 Western grid blackouts and the August 2003 Northeast blackout, led to further emphasis on these standards.

As a result of EPAct, FERC certified NERC in 2006 as the Electric Reliability Organization (ERO) with full oversight for enforcing reliability standards compliance. An additional result of EPAct is that FERC now has full authority to approve all reliability standards. To date, NERC has submitted 107 standards to FERC for approval; 83 have been approved, while 24 are awaiting approval pending further refinement. Many of the approved standards received conditional approval and will require updating—a process that may require up to two, and in some cases, three years to complete. Furthermore, FERC has identified issues with CIP (Critical Infrastructure Protection) 002-009 and has solicited comments. This article will focus on CIP 002-009, the standards for cyber security.

Scope of CIP 002-009

Any entity that owns, operates or uses any portion of the bulk power system must comply with these new mandatory reliability standards. The compliance process itself involves periodic, formal NERC audits by the Regional Reliability Councils. The process also involves active self-certification, periodic reporting of compliance data and statistics and self-reporting of any noncompliance with NERC policies, procedures or standards.

Briefly, NERC CIP 002-009 covers the following topics:

• CIP 002 – Critical Assets. Requirements for defining methodologies for identifying critical assets and critical cyber assets and using those methodologies to document these assets.
• CIP 003 – Security Management Controls. Requirements for establishing the governance of an entity’s CIP compliance program and for key elements of an effective cyber security program: policies and procedures, information protection, change control and configuration management.
• CIP 004 – Personnel and Training.  Requirements for security awareness and training, personnel risk assessments and documenting access to critical cyber access.
• CIP 005 – Electronic Security Perimeter.  Requirements for defining, documenting, monitoring and controlling access to the electronic security perimeter, within which are located the critical cyber assets.
• CIP 006 – Physical Security of Critical Cyber Assets  Requirements for defining, documenting, monitoring and controlling access to the physical security perimeter, within which are located the critical cyber assets.
• CIP 007 – Systems Security Management. Requirements for securing, monitoring, documenting and controlling access to critical cyber assets.
• CIP 008 – Incident Reporting and Response Planning. Requirements for developing, testing and executing incident response plans, and for reporting incidents to the appropriate agencies.
• CIP 009 – Recovery Planning.  Requirement for developing, testing and exercising plans for backup and recovery and disaster recovery.
• FAQs. These are answers to frequently asked questions, and were treated by NERC CIP Training as having equal importance to the requirements in CIP 002-009. 

A Typical CIP Compliance Project

NERC CIP compliance should be undertaken in a four- phase approach. CIP 002, with the leadership portion of CIP 003, should be undertaken and completed first to determine the number and type of critical assets and critical cyber assets. Once this is finalized, Phase 2 establishes the electronic and physical security perimeter(s) and conducts a gap analysis between the client’s current state and that required for compliance. Phase 3 implements the policies, procedures, documentation and, if required, infrastructure upgrades that allow the client to achieve compliance.  Compliance mechanisms—basically identifying the documents required for compliance and implementing mechanisms for capturing these documents—also must be put in place.  Phase 4 is the collection of one calendar year’s worth of documentation identified by the compliance mechanisms to achieve “auditably compliant” status. 

Crucial to the success of the project will be the availability of key client stakeholders and support staff to assist with this effort, and establishing an effective governance structure for both cyber security in general and CIP compliance.