NERC CIP Compliance Assessment

Download this page as a PDF

“It’s time to understand the NERC Cyber Security Standards – and how far you need to go.”

“Network & Security Technologies will help you measure the work required to attain compliance.”

Challenging New Cyber Security Requirements

In 2006, the North American Electric Reliability Corporation (NERC), which is responsible for the nation’s Bulk Electric System, adopted permanent reliability standards for cyber security, CIP-002-1 through CIP-009-1. These standards set a high bar for the security of Critical Cyber Assets. Responsible Entities must first identify their Critical Assets and the Critical Cyber Assets that are essential to their reliable operation. They must then implement a comprehensive set of strong procedural, electronic and physical security controls to protect those Cyber Assets against misuse as well as against malicious or accidental damage.

While the work done for compliance with NERC’s Urgent Action Standard 1200 will help Responsible Entities move control centers and other core infrastructure towards compliance with CIP-002 through CIP-009, the new Cyber Security Standards apply to a much broader set of assets. They affect every Bulk Electric System Asset, including substations and generation plants. These facilities utilize many types of Cyber Assets that support Bulk Electric System operations. All will have to be brought into compliance. Most organizations are likely to discover that the task of becoming fully and auditably compliant with these standards will require significant amounts of time and effort. They will often have to devote significant personnel resources just to planning their compliance projects. Simply reading, digesting, and understanding the NERC documents requires considerable attention from senior technical staff. For most Responsible Entities, the time spent on compliance will take time away from other, pressing operational matters. Moreover, few organizations possess sufficient personnel resources with experience in cyber security. Thus, drawing from existing staff does may not represent an efficient or effective means to achieving the required results.

The Energy Policy Act of 2005 creates additional urgency. NERC has become the NorthAmerican Electric Reliability Corporation and is moving towards becoming the ElectricReliability Organization reporting to the Federal Energy Regulatory Commission (FERC).While FERC is actively reviewing the NERC reliability standards, the comments of theFERC staff imply that the requirements for cyber security may become more, not less,stringent. Once implemented, NERC’s penalties for non-compliance with reliabilitystandards will be severe.

Where Do You Stand? How Much Work is Required?

As Responsible Entities kick off their compliance programs for the new Cyber Security Standards, two questions are immediately raised: “Where do we stand?” and “How much work will be needed to become compliant?” To answer these questions properly requires a detailed review of the Responsible Entity’s existing processes, documentation and records. These questions need to be asked not only for control centers, but for substations, generation plants, switching stations, and other remote facilities. To even ask the right questions requires comprehensive knowledge of the standards, the technology and the industry itself.

For each of the processes, documentation and records required for compliance, Responsible Entities will need to know how much time and money is required to create NERC-compliant artifacts. This will allow a company’s compliance program to be properly funded and supported. Also, since cyber security compliance is not done when the dates in the NERC Implementation Plan are met, understanding and correctly estimating the ongoing compliance burden of the CIP standards are critically important.

The Expert Help You Need with Gap Analysis

N&ST has been closely following the development of CIP-002 through CIP-009, and understands both the letter and spirit of the regulations. As an independent, product-neutral, expert consultancy, N&ST can help Responsible Entities measure the work required for compliance with the Cyber Security Standards. N&ST consultants have worked with Bulk Electric System participants to protect the cyber assets essential for the reliability of the Bulk Electric System even before Urgent Action Standard was written. These efforts have led to the creation of a simple but effective compliance assessment tool.

N&ST has a unique approach to measuring the work required for compliance with the Cyber Security Standards. N&ST’s custom compliance assessment (or “gap analysis”) tool helps Responsible Entities understand all of the required processes, documents and records. Where processes (including technology implementation), documents and records are missing or incomplete, N&ST estimates the work required to create or update those compliance artifacts. Each area that needs attention is prioritized based on the dates in NERC’s Implementation Plan, the work required for compliance, and dependencies in the compliance program. Finally, N&ST estimates the on-going effort required to maintain compliance with the Cyber Security Standards. All of these detailed findings are summarized in an Executive Report and an Executive Presentation. This report and presentation will help justify funding for the Responsible Entity’s compliance program for the Cyber Security Standards.

Once the gap analysis is complete, the Responsible Entity is left with a tool for organizing and prioritizing their remediation program. Working independently or with help from N&ST, the Responsible Entity can create a detailed remediation plan for compliance by the dates in NERC’s Implementation Plan. Then, the Responsible Entity can track their progress towards addressing the deficiencies identified during the gap analysis. N&ST’s compliance tool includes a detailed list of every process, document and record required to demonstrate full compliance with the eight Cyber Security Standards (CIP-002 - CIP-009).

N&ST has experience assessing all types of Critical Assets and Critical Cyber Assets. N&ST expert consultants have visited some of the nation’s largest generating facilities and substations to prepare those facilities for compliance with the NERC Cyber Security Standards. Understanding how the CIP standards apply to these environments and how to build appropriate security perimeters is essential to efficiently estimating the work required for a comprehensive NERC CIP compliance program.

On-time and On-budget

N&ST prides itself on delivering its projects on-time and on-budget using skilled resources. All N&ST consultants are full-time employees with years of computer networking, cyber security, and electric utility industry experience. Our projects are carefully managed to ensure complete client satisfaction within the quoted time frame and price. As a product-neutral vendor, N&ST is not simply trying to solve client problems using a specific device or product. Instead, N&ST is focused on delivering practical and innovative solutions to our clients most challenging compliance problems!

Download this page as a PDF



NEWS & EVENTS

2013 Implementation Plan
Preparing for the new approach to this year's audit? Start with NERC's 2013 Implementation Plan.
Download 2013 CMEP.

February 2012 Customer Testimonial
"I have never seen our technical staff actually ask for the same consultants again and again!" - Responsible Entity in the SPP region


ES-C2M2 Maturity Model
The Electricity Subsector Cybersecurity Capability Maturity Model, while not meant to replace NERC CIP Standards, is a common tool that can be used consistently across the industry, regardless of BPS criticality.
Download ES-C2M2 here.