
A Primer on NERC CIP Standards

NERC CIP Standards: Why Are They Important?

The NERC CIP standards are mandatory security standards that apply to utility companies connected to the North American power grid. The CIP standards establish a baseline set of cybersecurity measures aimed at regulating, enforcing, monitoring, and managing the security of the Bulk Electric System (BES) in North America. The CIP standards were initially approved by the Federal Energy Regulatory Commission (FERC) in 2008 to ensure that appropriate security controls are in place to protect the BES and its users and customers from all threats that may affect its timely and effective functioning.

What are NERC CIP Standards?

According to the NERC, NERC Reliability Standards define the reliability requirements for planning and operating the North American bulk power system and are developed using a results-based approach that focuses on performance, risk management, and entity capabilities.

What are NERC 693 Standards?

NERC 693 standards govern all stages of the energy process, from generation to distribution to transmission. The standards are updated frequently to ensure the North American energy supply is protected and efficient. These constant updates can jeopardize your ability to prove compliance.

What are the NERC CIP requirements?

Entities must identify critical assets and regularly perform a risk analysis of those assets. They must also define policies for monitoring and changing the configuration of critical assets and for governing access to those assets.

How many NERC CIP Reliability Standards are there?

There are about 13 NERC CIP standards that help with the reliability of your cybersecurity system, though NERC plans on introducing more in the future. Within the standards, there are references to “critical assets” and “responsible entities.”

How often are NERC CIP audits?

According to NERC, NERC CIP audits are undertaken once every five years:

“Each Regional Entity Compliance Monitoring and Enforcement Program shall be audited at least once every five years.” Source: NERC

Who uses NERC Reliability Standards?

Cybersecurity professionals who work within the electrical grid and other critical infrastructure supply industries are mandated to comply with NERC CIP (CIP meaning critical infrastructure protection).

NERC CIP standards are enforced by audit, so energy organizations must allocate substantial time, resources, and budgets to making sure that their systems stay in compliance with the standard. This can be difficult, expensive, and very time-consuming, as the CIP standards require them to implement a complex set of cybersecurity controls around their physical and cyber assets and to maintain ongoing proof of NERC compliance for auditors. The standards also change frequently, and NERC CIP experts are hard to find!

Organizations often implement cybersecurity software and hardware solutions to automate NERC CIP compliance within their systems.

The vision for the Electric Reliability Organization Enterprise, which is comprised of NERC and the six Regional Entities, is a highly reliable and secure North American bulk power system. Our mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid. — NERC

Is there training I can receive on NERC CIP?

Yes. The National Initiative for Cybersecurity Careers and Studies offers a course that introduces the Critical Infrastructure Protection (CIP) concept, security threats to Industrial Control Systems (ICS), and the Reliability Standards developed by the North American Electric Reliability Corporation (NERC). It’s a live, 5-day training course that equips students with knowledge of the “what” and the “how” of the version 5/6 standards.

Who do the NERC CIP standards apply to?

The industries affected by NERC CIP standards are those that make up the bulk power system (BPS), both power and infrastructure. In real terms this includes every party involved with the electric grid and power systems across North America.

According to the US Department of Energy, the electric system and power grid break down into three main areas or industries:

  • Generation
  • Transmission
  • Distribution

Electricity is generated by converting other renewable and non-renewable primary energy sources into electrical charge. Then, it’s transmitted across the nation and distributed to its various end-users.

Ownership of these industries is spread across a wide variety of entities:

  • Investor-Owned Utilities (IOUs) are private, monopoly utilities that generate and distribute power to the electric customer over their defined service territory. Typically, electricity from IOUs comes from a combination of producing their own power and purchasing electricity from public and private markets. About 130 IOUs own about 40 percent of generation, 80 percent of transmission, and 50 percent of the distribution.
  • Publicly-Owned Utilities and Cooperatives – There are about 2,900 such entities, who own about 15 percent of generation, 12 percent of transmission, and 50 percent of the distribution. See APPA
  • Independent Power Producers – Around 2,800 of these independent entities own about 40 percent of generation. See IEPA
  • Electric Power Marketers – A combined 211 such marketers own about 19 percent of sales of electricity to consumers.
  • The Federal Government – There are nine agencies owned by the government, which collectively account for seven percent of generation and eight percent of transmission.


Beyond ownership, the management of the grid falls to several other parties, of which the following two are probably the most important in helping to run the grid:

  • Independent system operators (ISOs)
  • Regional transmission organizations (RTOs)

Another interesting point to note is that nuclear power plants are NOT measured by NERC CIP standards.

See this extract from the Federal Register:

1. Background

2. The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), developed the CIP Reliability Standards that require certain users, owners and operators of the Bulk-Power System, including generator owners and operators, to comply with specific requirements to safeguard critical cyber assets. In January 2008, pursuant to section 215 of the Federal Power Act (FPA), the Commission approved the CIP Reliability Standards. In addition, pursuant to section 215(d)(5) of the FPA, the Commission directed the ERO to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission.

3. Each CIP Reliability Standard includes an exemption for facilities regulated by the NRC. For example, Reliability Standard CIP-002-1 provides:

The following are exempt from Standard CIP-002: Facilities regulated by the U.S. Nuclear Regulatory Commission * * *.

4. In an April 8, 2008 public joint meeting of the Commission and the NRC, staff of both Commissions discussed cyber security at nuclear power plants. While indicating that the NRC has proposed regulations to address cyber security at nuclear power plants, NRC staff raised a concern regarding a potential gap in regulatory coverage.

In particular, NRC staff indicated that the NRC’s proposed regulations on cyber security would not apply to all systems within a nuclear power plant. NRC staff explained:

The NRC’s cyber requirements are not going to extend to power continuity systems. They do not extend directly to what is not directly associated with reactor safety security or emergency response. * * *

As a result, and when you look at the CIP standards that were issued, there is a discrete statement in each of the seven or eight standards where it specifically exempts facilities regulated by the United States Nuclear Regulatory Commission from compliance with those CIP Standards. So there is an issue there in the sense that our regulations for cyber security go up to a certain point, and end.

5. On September 18, 2008, the Commission issued an Order on Proposed Clarification explaining its concern that a gap may exist in the regulatory process due to the provision in each of the CIP Reliability Standards exempting “facilities regulated by the U.S. Nuclear Regulatory Commission.” On the understanding that some facilities within a nuclear power plant would not be subject to compliance with cyber security regulations developed by the NRC, the Commission proposed to clarify that the facilities within a nuclear power plant in the United States that are not regulated by the NRC are subject to compliance with the CIP Reliability Standards approved in Order No. 706. The Commission explained its proposal and sought comment on not only the Proposed Clarification, but also two additional questions: (1) Whether a clear delineation exists between those facilities in a nuclear power plant which relate to safety and security, and the non-safety related “balance of plant,” and if a clear delineation does not exist, whether there is a need for owners and/or operators of nuclear power plants to identify the specific facilities that pertain to reactor safety, security or emergency response and are subject to NRC jurisdiction, and the balance of plant that is subject to the eight CIP Reliability Standards; and (2) if nuclear power plants were to be required to implement the CIP Reliability Standards, whether Table 3 of the implementation plan approved in Order No. 706 should control the implementation schedule.

See the order dismissing compliance filing here.
