
NERC CIP Cheatsheet


NERC Critical Infrastructure Protection (NERC CIP) is a set of mandatory standards designed to secure the cyber assets required to operate North America's bulk electric system (BES). Meeting NERC CIP compliance is an important aspect of a NERC-registered entity's operational success. If an organization fails a CIP audit, NERC [1] can levy large fines and require extensive remediation work to bring systems back into compliance, leading to lost productivity, reputational damage and lost revenue; even the acquisition value of the plant may be affected.

Here we explore some of the main NERC CIP standards and what they really mean.

NERC CIP-002-5 – BES Cyber System Categorization

This standard requires entities to identify and categorize their BES Cyber Systems and the BES Cyber Assets that make them up. The objective of CIP-002-5 is to make sure that every asset whose loss, compromise or misuse could render the BES unstable or disrupt its operation is identified, so that the protections in the remaining CIP standards are applied to it.

Categorization grades BES Cyber Systems by the consequence that their loss, degradation or misuse would have on the reliable operation of the BES, not by the cause of the disruption. A Cyber Asset qualifies as a BES Cyber Asset when its misoperation or non-operation would adversely affect one or more BES Facilities within 15 minutes.

The associated Cyber Assets that are brought into scope alongside a BES Cyber System under this standard include:

  • Protected Cyber Assets (PCA)
  • Physical Access Control Systems (PACS)
  • Electronic Access Control or Monitoring Systems (EACMS)

Categorization is not a one-time exercise. CIP-002 requires the entity to review its identifications at least once every 15 calendar months and to have them approved by its CIP Senior Manager or delegate; that review and sign-off is what creates accountability for the categorization across the organization.

CIP-002 is designed to give entities a repeatable method to identify and categorize their Bulk Electric System (BES) Cyber Systems and associated BES Cyber Assets. Once identification and categorization is complete, the resulting impact level determines which standards and requirements apply. It is the BES Cyber Systems, not the registered entities, that are categorized as low, medium or high impact, and a single entity commonly owns systems at more than one impact level, so it must understand every applicable impact level in order to apply the correct requirements to each system. The standard also sets the frequency of categorization review and who approves that review.

Once the impact level has been defined, standards are applied. For example, security management controls for low impact BES Cyber Systems are addressed in CIP-003, while medium and high impact systems are subject to the protection requirements of CIP-003 through CIP-011. CIP-012 is applicable to all impact levels and addresses protection of the Real-time Assessment and Real-time monitoring data transmitted between Control Centers. More recently, risks to the BES supply chain have come to the forefront: CIP-013 seeks to mitigate supply chain risk to medium and high impact BES Cyber Systems through the security controls defined in that standard. Finally, CIP-014 is not based on impact level but, where applicable, addresses physical protection of Transmission stations and Transmission substations (and the primary control centers that operationally control them) which, if physically attacked, could result in instability, uncontrolled separation, or cascading within an Interconnection.

NERC CIP-003-8 – Security Management Controls

Security management controls are addressed in CIP-003 and are designed to ensure that consistent, sustainable security controls are applied, based on system categorization, to mitigate risk that could result in mis-operation or instability of the BES. CIP-003 carries the security controls for low impact systems itself: cyber security awareness, physical and electronic access controls, Cyber Security Incident response plans, and malicious code mitigation for Transient Cyber Assets and Removable Media used with low impact systems are all addressed in CIP-003. The standard also requires documented cyber security policies, their review and approval at least once every 15 calendar months, and the designation of a CIP Senior Manager who is responsible for them. For medium and high impact systems, CIP-003 requires policies that cover the topics of the remaining standards:

  • CIP-004 – Personnel and training
  • CIP-005 – Electronic Security Perimeters
  • CIP-006 – Physical security of BES Cyber Systems
  • CIP-007 – System security management
  • CIP-008 – Incident reporting and response planning
  • CIP-009 – Recovery plans for BES Cyber Systems
  • CIP-010 – Configuration change management and vulnerability assessments
  • CIP-011 – Information protection
  • Declaring and responding to CIP Exceptional Circumstances

Note that the requirements differ not only by impact level but by connectivity: whether a system has External Routable Connectivity, Dial-up Connectivity, or sits at a Control Center changes which requirements apply to it.

NERC CIP-004-6 – Personnel & Training

This standard addresses the people who have access to BES Cyber Systems: employees and contractors. Through personnel risk assessment, training and ongoing awareness, CIP-004-6 helps companies reduce the likelihood of a successful attack against BES Cyber Systems. The training program raises cyber security awareness among staff, and the standard defines the access management and access revocation controls that apply to employees and contractors.

Personnel and training are the focus of CIP-004-6. The intent of the standard is to ensure that personnel risk assessments are performed for everyone granted authorized electronic access or unescorted physical access, and that training and cyber awareness are built into the entity's programs, plans and procedures. The standard outlines the personnel risk assessment process (identity verification and a seven-year criminal history check, repeated at least every seven years), the frequency and content of training (before access is granted and at least once every 15 calendar months thereafter), and the requirements for authorizing, verifying and revoking access, including initiating removal of access for terminated personnel within 24 hours.

NERC CIP-005-6 – Electronic Security Perimeter

This standard aims to heighten the protection of BES Cyber Systems and assist in preventing instability and operational interruption by requiring that every applicable BES Cyber System connected to a routable network reside within a defined Electronic Security Perimeter (ESP). All routable communication into or out of the ESP must pass through an identified Electronic Access Point (EAP), where Electronic Access Control or Monitoring Systems (EACMS) permit only explicitly authorized inbound and outbound traffic, with a documented reason for each permission and deny-by-default for everything else. For high impact systems and medium impact systems at Control Centers, the EAP must also be able to detect known or suspected malicious communications, for example with an intrusion detection system or an application-aware firewall. Where Dial-up Connectivity exists, it must authenticate the connection.

Interactive Remote Access (for example, an SSH or RDP session initiated by a person) must terminate on an Intermediate System located outside the ESP rather than connect directly to the BES Cyber System, must be encrypted at least as far as that Intermediate System, and must use multi-factor authentication. CIP-005-6 added the requirement to have one or more methods to identify active vendor remote access sessions, both Interactive Remote Access and system-to-system, and to disable them on demand.
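As an added example (not Certrec's or NERC's code), the following Python script audits a constructed EAP ruleset against the two rule-level expectations above: every permit carries a documented reason and each direction ends in deny-by-default (R1.3), and inbound interactive protocols are reachable only from the Intermediate System (R2.1). The rule format, the addresses, the port list and the jump-host set are assumptions made for the illustration.

```python
"""Audit an Electronic Access Point ruleset against CIP-005-6 R1.3 and R2.1.

Added example, not Certrec's or NERC's code. The rule format, addresses and the
set of Intermediate Systems are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Protocols a person would use for Interactive Remote Access (assumption: the
# entity treats these as interactive; extend the set as needed).
INTERACTIVE_PORTS = {22, 23, 3389, 5900}


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    direction: str         # "inbound" (into the ESP) or "outbound" (leaving it)
    src: str               # host, CIDR or "any"
    dst: str
    port: Optional[int]    # destination port, None = any port
    reason: str = ""       # R1.3: documented reason for granting access


def audit_eap_ruleset(rules: List[Rule], intermediate_systems: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means the ruleset passes."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r.action != "permit":
            continue
        # R1.3: every permitted flow needs a reason for granting access.
        if not r.reason.strip():
            findings.append(f"rule {n}: permit without documented reason (R1.3)")
        # R2.1: Interactive Remote Access must arrive via an Intermediate System.
        # A permit on "any" port is treated as interactive because it would allow it.
        interactive = r.port is None or r.port in INTERACTIVE_PORTS
        if r.direction == "inbound" and interactive and r.src not in intermediate_systems:
            findings.append(f"rule {n}: inbound interactive access from {r.src} "
                            f"bypasses the Intermediate System (R2.1)")
    # R1.3: deny all other access by default, in both directions.
    for direction in ("inbound", "outbound"):
        last = next((r for r in reversed(rules) if r.direction == direction), None)
        terminal_deny = (last is not None and last.action == "deny"
                         and last.src == "any" and last.dst == "any" and last.port is None)
        if not terminal_deny:
            findings.append(f"{direction}: no terminal deny-all rule (R1.3)")
    return findings


# Constructed sample: one EAP in front of an ESP on 192.168.50.0/24.
INTERMEDIATE_SYSTEMS = {"10.10.5.20"}   # the jump host outside the ESP (assumed)

SAMPLE_RULES = [
    Rule("permit", "inbound", "10.10.5.20", "192.168.50.0/24", 22,
         "Interactive Remote Access from Intermediate System IS-01"),
    Rule("permit", "inbound", "10.10.20.0/24", "192.168.50.10", 502,
         "Modbus/TCP polling from EMS front-end processors"),
    Rule("permit", "inbound", "10.10.30.7", "192.168.50.12", 3389, ""),   # undocumented, direct RDP
    Rule("permit", "outbound", "192.168.50.0/24", "10.10.40.5", 514,
         "Syslog to SIEM collector (CIP-007 R4 logging)"),
    Rule("deny", "inbound", "any", "any", None, "default deny"),
    # no outbound deny-all: outbound traffic falls through to the device default
]

# The same ruleset after remediation: RDP only via the Intermediate System, with
# a reason, and an explicit outbound deny-all.
REMEDIATED_RULES = SAMPLE_RULES[:2] + [
    Rule("permit", "inbound", "10.10.5.20", "192.168.50.12", 3389,
         "RDP to HMI-12 from Intermediate System IS-01 (vendor support)"),
    SAMPLE_RULES[3],
    SAMPLE_RULES[4],
    Rule("deny", "outbound", "any", "any", None, "default deny"),
]

if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("remediated", REMEDIATED_RULES)):
        print(f"{name}: {audit_eap_ruleset(rules, INTERMEDIATE_SYSTEMS) or 'no findings'}")
```

Run against the sample ruleset the audit reports three findings (the undocumented rule, the direct RDP that bypasses the Intermediate System, and the missing outbound deny-all); the remediated ruleset reports none. Checking the terminal rule per direction matters because most firewalls apply a platform default when no rule matches, and that default is rarely documented as the entity's own deny-by-default decision.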

NERC CIP-006-6 – Physical Security of BES Cyber Systems

This standard involves physical and operational controls in connection with a Physical Security Perimeter (PSP), a visitor control program, and a maintenance and testing program. For the PSP, entities must define and implement operational or procedural controls that restrict physical access to the perimeter and to the BES Cyber Systems within it.

The visitor control program requires entities to continuously escort visitors inside a PSP and to log each visit (date and time of entry and exit, the visitor's name, and a point of contact responsible for the visitor), retaining visitor logs for at least 90 calendar days. The maintenance and testing program requires each Physical Access Control System, and the locally mounted hardware at the PSP, to be maintained and tested at least once every 24 calendar months.

Physical security plans define the operational and procedural controls for physical access. The controls address restriction of physical access, the use of two or more different physical access controls for high impact systems, monitoring for unauthorized access, and issuing an alarm or alert to the personnel identified in the entity's Cyber Security Incident response plan within 15 minutes of detecting unauthorized access through a physical access point or to a Physical Access Control System. Further specifics include logging of entry by each authorized individual (with physical access logs retained for at least 90 calendar days), and protection of cabling and other nonprogrammable communication components that connect Cyber Assets within the same ESP when that cabling runs outside a PSP. Where physically restricting access to such cabling is not practical, alternative measures are required, such as encrypting the data that transits it or monitoring the link for tampering.

The standard also addresses visitor control, including requirements for continuous escort, logging of visitor entry and exit, and visitor log retention. Additional requirements, depending on impact level and physical access control configuration, cover maintenance and testing of Physical Access Control Systems and the locally mounted hardware at the PSP.

NERC CIP-007-6 – System Security Management

Here, entities must define the operational and technical processes that harden the systems inside their ESPs. The components are ports and services, security patch management, malicious code prevention, security event monitoring, and system access control.

Ports and services: only the logical network accessible ports needed for operation may be enabled (including port ranges where the individual ports cannot be determined), and physical input/output ports used for network connectivity, console commands or Removable Media must be protected against unnecessary use. Patch management: the entity must have a process for tracking, evaluating and installing security patches from identified sources, evaluate newly released patches for applicability at least once every 35 calendar days, and within 35 calendar days of completing that evaluation either apply the applicable patches or create (or revise) a dated mitigation plan that explains why the patch cannot be installed as planned and what compensating measures are in place until it is. Malicious code prevention requirements cover the method or methods used to deter, detect or prevent malicious code and, where signatures or patterns are used, the process for keeping them updated.

Monitoring is another key aspect of CIP-007. The standard requires logging of specific events, per system capability (detected successful login attempts, failed access and failed login attempts, and detected malicious code), alerts for detected malicious code and for detected failure of event logging, retention of event logs for at least 90 calendar days, and review of a summarization or sampling of logged events at least every 15 calendar days to identify undetected Cyber Security Incidents. System access control requirements include enforcing authentication of interactive user access, identifying and managing default, generic and shared accounts and the personnel authorized to use them, changing known default passwords, password parameters (a minimum of eight characters and at least three different character types, where technically feasible), password changes at least once every 15 calendar months, and either limiting the number of unsuccessful authentication attempts or generating alerts when a threshold of unsuccessful attempts is exceeded.
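As an added example, not from the page or the standard, the following Python reviews a constructed syslog excerpt for three of the conditions just listed: a burst of failed logins from one source (R5.7), detected malicious code (R4.2.1), and a host whose events have stopped arriving, which is how a logging failure usually shows up at the collector (R4.2.2). The log format, host names, addresses, thresholds and signature name are assumptions.

```python
"""Review event logs for the CIP-007-6 R4/R5 conditions the standard calls out.

Added example, not Certrec's or NERC's code. The log lines, host names, addresses
and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
MALWARE_RE = re.compile(r"(?:Virus|Malware) detected: (?P<sig>\S+)")

# Constructed sample log: syslog-like lines with ISO timestamps.
SAMPLE_LOG = """\
2024-03-04T08:00:05 hmi-02 sshd[1201]: Accepted publickey for operator from 10.10.5.20 port 51022 ssh2
2024-03-04T08:40:01 rtu-gw-01 sshd[2210]: Failed password for operator from 10.10.30.7 port 40211 ssh2
2024-03-04T08:40:09 rtu-gw-01 sshd[2210]: Failed password for operator from 10.10.30.7 port 40212 ssh2
2024-03-04T08:40:17 rtu-gw-01 sshd[2211]: Failed password for invalid user admin from 10.10.30.7 port 40213 ssh2
2024-03-04T08:40:25 rtu-gw-01 sshd[2211]: Failed password for invalid user root from 10.10.30.7 port 40214 ssh2
2024-03-04T08:40:33 rtu-gw-01 sshd[2212]: Failed password for operator from 10.10.30.7 port 40215 ssh2
2024-03-04T08:41:02 rtu-gw-01 sshd[2213]: Accepted password for operator from 10.10.5.20 port 51100 ssh2
2024-03-04T08:55:40 hmi-01 clamd[780]: Virus detected: Win.Trojan.Agent-1234 in /media/usb0/update.exe
2024-03-04T09:20:00 rtu-gw-01 cron[3000]: (root) CMD (/usr/local/bin/healthcheck)
"""


def review_logs(text: str, failed_threshold: int = 5,
                window: timedelta = timedelta(minutes=10),
                logging_gap: timedelta = timedelta(minutes=30)) -> Dict[str, object]:
    """Apply the three checks to the log text; return alerts plus event counts."""
    alerts: List[str] = []
    counts = {"successful_logins": 0, "failed_logins": 0}
    recent_failures = defaultdict(deque)   # (host, src) -> failure timestamps inside window
    already_alerted = set()
    last_seen = {}                          # host -> timestamp of its newest event
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        host, msg = m["host"], m["msg"]
        last_seen[host] = max(ts, last_seen.get(host, ts))
        if ACCEPTED_RE.search(msg):                         # R4.1.1 successful login
            counts["successful_logins"] += 1
        elif (f := FAILED_RE.search(msg)):                  # R4.1.2 failed login
            counts["failed_logins"] += 1
            key = (host, f["src"])
            q = recent_failures[key]
            q.append(ts)
            while q and ts - q[0] > window:                 # sliding window
                q.popleft()
            # R5.7: alert once when unsuccessful attempts reach the threshold
            if len(q) >= failed_threshold and key not in already_alerted:
                already_alerted.add(key)
                alerts.append(f"{host}: {len(q)} failed logins from {f['src']} within {window} (R5.7)")
        elif (mw := MALWARE_RE.search(msg)):                # R4.1.3 / R4.2.1 malicious code
            alerts.append(f"{host}: malicious code detected, signature {mw['sig']} (R4.2.1)")
    # R4.2.2: a host that has gone quiet relative to its peers may have lost logging.
    if last_seen:
        newest = max(last_seen.values())
        for host, ts in sorted(last_seen.items()):
            if newest - ts > logging_gap:
                alerts.append(f"{host}: no events for {newest - ts}, possible logging failure (R4.2.2)")
    return {"alerts": alerts, **counts}


if __name__ == "__main__":
    result = review_logs(SAMPLE_LOG)
    print(f"successful logins: {result['successful_logins']}, failed logins: {result['failed_logins']}")
    for a in result["alerts"]:
        print("ALERT", a)
```

On the sample the review counts two successful and five failed logins and raises three alerts: the five failures from 10.10.30.7 inside ten minutes, the signature hit on hmi-01, and hmi-02 having sent nothing for over an hour. The silence check is the one most entities miss: a host whose syslog daemon died produces no "failure" event, so the only way to satisfy the alert-on-logging-failure requirement is to notice the absence.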

NERC CIP-008-6 – Incident Reporting and Response Planning

Here, entities must document how Cyber Security Incidents are identified, classified, responded to and reported. The incident reporting and response planning standard requires energy entities to identify, classify, respond to and report incidents that affect BES Cyber Systems and their associated EACMS.

At its core, compliance with this standard divides into the incident response plan itself, implementation and testing of the plan, and review, update and communication of the plan.

Roles and responsibilities of response groups and individuals are addressed along with the procedures for incident handling, including containment, eradication and recovery. The plan must be tested at least once every 15 calendar months (by responding to an actual Reportable Cyber Security Incident, a paper drill or tabletop exercise, or an operational exercise), and within 90 calendar days of a test or actual incident the entity must document lessons learned, update the plan, and notify everyone with a defined role of the changes. CIP-008-6 also sets reporting timelines: the E-ISAC and CISA must be notified within one hour of determining that a Reportable Cyber Security Incident has occurred, and by the end of the next calendar day for a Cyber Security Incident that was an attempt to compromise an applicable system. Records relating to Reportable Cyber Security Incidents must be retained as evidence.

NERC CIP-009-6 – Recovery Plans for BES Cyber Systems

Here, entities must determine how to recover from a Cyber Security Incident that affects the reliability functions of their BES Cyber Systems. The standard requires documented recovery plans that are exercised and maintained, in the same way as business continuity and disaster recovery plans.

Plans include the conditions for activation, the roles and responsibilities of responders, the processes for backup and storage of the information required to recover BES Cyber System functionality, verification that backups completed successfully, and preservation of the data needed to determine the cause of the incident that triggered the plan. The standard also sets testing requirements: each recovery plan must be tested at least once every 15 calendar months (recovery from an actual incident, a paper drill or tabletop exercise, or an operational exercise), a representative sample of backup information must be tested at least once every 15 calendar months to verify it is usable, and high impact systems require a full operational exercise at least once every 36 calendar months. Lessons learned must be documented and the plan updated within 90 calendar days of a test or actual recovery, with notification to everyone who has a role in the plan.

NERC CIP-010-3 – Configuration Change Management and Vulnerability Assessments

In this standard, entities must prevent and detect unauthorized changes to BES Cyber Systems by managing each system's configuration against an approved baseline. CIP-010-3 raises the protection level by requiring configuration change management, configuration monitoring (for high impact systems, checking at least once every 35 calendar days for changes to the baseline configuration and investigating any unauthorized change), and vulnerability assessments at least once every 15 calendar months.

Entities are required to develop a baseline configuration for each applicable Cyber Asset that records the operating system or firmware, any commercially available or open-source application software, any custom software, the logical network accessible ports, and the security patches applied. A change to any of these must be authorized and documented, and the baseline record must be updated within 30 calendar days of completing the change. Before the change, the entity must determine which CIP-005 and CIP-007 controls could be affected, and after it verify that those controls were not adversely affected. For high impact systems, changes must first be tested in a test environment (or a production environment modeled to minimize adverse effects) with the results documented, and when the software source provides a way to do so, the identity of the source and the integrity of the software must be verified before installation. Vulnerability assessments are the other component of CIP-010: a paper or active assessment at least once every 15 calendar months, an active assessment of high impact systems at least once every 36 calendar months, and, for high impact systems, an active assessment before a new Cyber Asset is added to the production environment, with the results and the action plan documented in each case.
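As an added example, not Certrec's or NERC's code, the following Python records a baseline in the five categories CIP-010 R1.1 names, fingerprints it, diffs it against a later observation of the same asset, and checks the 35-calendar-day monitoring interval. The asset, package names, versions and advisory identifiers are constructed.

```python
"""Compare an approved CIP-010-3 baseline configuration against what is observed.

Added example, not Certrec's or NERC's code. The two baselines below are
constructed; the five categories are the ones CIP-010 R1.1 lists.
"""
import hashlib
import json
from datetime import date
from typing import Dict, List

# Constructed approved baseline for one Cyber Asset, as recorded at the last authorized change.
APPROVED = {
    "os": "Ubuntu 22.04.4 LTS",                                   # R1.1.1 operating system / firmware
    "software": {"openssl": "3.0.2-0ubuntu1.15",                  # R1.1.2 commercial / open-source
                 "openssh-server": "1:8.9p1-3ubuntu0.6"},
    "custom_software": {"rtu-poller": "2.4.1"},                   # R1.1.3 custom software
    "ports": [22, 502],                                           # R1.1.4 logical network accessible ports
    "patches": ["USN-6589-1", "USN-6632-1"],                      # R1.1.5 security patches applied
}

# Constructed observation collected from the same asset at the next monitoring run.
OBSERVED = {
    "os": "Ubuntu 22.04.4 LTS",
    "software": {"openssl": "3.0.2-0ubuntu1.12",                  # rolled back
                 "openssh-server": "1:8.9p1-3ubuntu0.6",
                 "telnetd": "0.17-45"},                            # not in the baseline
    "custom_software": {"rtu-poller": "2.4.1"},
    "ports": [22, 23, 502],                                       # telnet now listening
    "patches": ["USN-6589-1"],                                    # patch missing after the rollback
}


def baseline_hash(baseline: Dict) -> str:
    """Stable fingerprint of a baseline record (canonical JSON, SHA-256)."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_baselines(approved: Dict, observed: Dict) -> List[str]:
    """Return one line per deviation of the observed configuration from the approved baseline."""
    deviations = []
    if approved["os"] != observed["os"]:
        deviations.append(f"os: {approved['os']} -> {observed['os']}")
    for cat in ("software", "custom_software"):                   # name -> version maps
        a, o = approved[cat], observed[cat]
        for name in sorted(set(a) | set(o)):
            if name not in a:
                deviations.append(f"{cat}: {name} {o[name]} added")
            elif name not in o:
                deviations.append(f"{cat}: {name} {a[name]} removed")
            elif a[name] != o[name]:
                deviations.append(f"{cat}: {name} {a[name]} -> {o[name]}")
    for cat in ("ports", "patches"):                              # plain sets
        a, o = set(approved[cat]), set(observed[cat])
        deviations += [f"{cat}: {x} added" for x in sorted(o - a)]
        deviations += [f"{cat}: {x} removed" for x in sorted(a - o)]
    return deviations


def monitoring_overdue(last_monitored: str, today: str, max_days: int = 35) -> bool:
    """R2.1: high impact baselines must be checked at least once every 35 calendar days.

    Dates are ISO strings (YYYY-MM-DD); returns True when the interval has been exceeded.
    """
    return (date.fromisoformat(today) - date.fromisoformat(last_monitored)).days > max_days


if __name__ == "__main__":
    print("approved fingerprint:", baseline_hash(APPROVED))
    for d in diff_baselines(APPROVED, OBSERVED):
        print("DEVIATION", d)
    print("monitoring overdue:", monitoring_overdue("2024-01-01", "2024-02-06"))
```

The diff reports four deviations for the sample asset (the openssl version change, the added telnetd package, the new listening port 23, and the missing USN-6632-1 patch); each one is either an authorized change whose baseline record was not updated within 30 days or an unauthorized change to investigate. Keying the software entries by package name rather than hashing the whole record is deliberate: the fingerprint tells you that something changed, the per-category diff tells you what, and auditors ask for the latter.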

NERC CIP-011-2 – Information Protection

Information protection, addressed in CIP-011, seeks to mitigate risk to the BES by specifying requirements for protecting BES Cyber System Information (BCSI). The first step is to identify what information qualifies as BCSI; that information must be covered by the entity's information protection program, along with procedures for how it is handled, stored, transmitted and used. The program must also address how Cyber Assets that have held BCSI are sanitized before they are reused, and how BCSI is removed or destroyed before such an asset is disposed of.

NERC CIP-012-1 – Communications Between Control Centers

Protection of communication between Control Centers is the focus of CIP-012. Plans are required to mitigate the risk of unauthorized disclosure and unauthorized modification of Real-time Assessment (RTA) and Real-time monitoring (RTM) data while it is transmitted between applicable Control Centers. The plan must identify the security protection used and where it is applied, and, where the Control Centers are owned or operated by different entities, the responsibilities of each.

NERC CIP-013-2 – Supply Chain Risk Management

The need to address supply chain cyber security risk is now well recognized, and CIP-013 addresses it. The standard applies to medium and high impact BES Cyber Systems and, as of CIP-013-2, to their associated Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS). Documented supply chain cyber security risk management plans, reviewed and approved by the CIP Senior Manager at least once every 15 calendar months, are at the heart of the standard. The plans must address identifying and assessing risk when procuring and installing vendor equipment, software and services, and when transitioning from one vendor to another. They must also cover the processes for vendor notification of incidents involving their products or services, coordination of the response to such incidents, notification by the vendor when vendor remote or onsite access is no longer required, disclosure by the vendor of known vulnerabilities, verification of the integrity and authenticity of software and patches, and coordination of controls for vendor-initiated remote access.

NERC CIP-014-2 – Physical Security

Instability, uncontrolled separation, or cascading within an Interconnection are the consequences that CIP-014-2 seeks to prevent at Transmission stations and Transmission substations. The standard requires each Transmission Owner to perform a risk assessment that identifies the Transmission stations and Transmission substations (and the primary control centers that operationally control them) which, if rendered inoperable or damaged, could cause those events, and to have that assessment verified by an unaffiliated third party, with defined notification obligations and timelines toward the owners and operators of the identified facilities. For each identified facility, an evaluation of the potential threats and vulnerabilities of a physical attack must be conducted, considering the facility's unique characteristics, the prior history of attacks on similar facilities, and intelligence or threat warnings received from sources such as law enforcement, the E-ISAC and the U.S. Department of Homeland Security. The resulting physical security plan, and its review by an unaffiliated third party, also fall under CIP-014.

[1] North American Electric Reliability Corporation
