NERC CIP: What Is It?

In the US, power control systems and electric utilities are among the vital infrastructures that hackers frequently attack. The significance of safeguarding vital infrastructures was brought to light by the ransomware assault on Colonial Pipeline in 2021 and the hack on SolarWinds in 2020.

Read More: NERC CIP Compliance Solution

A program called Critical Infrastructure Protection (CIP) was created by the North American Electric Reliability Corporation (NERC) to assist reduce hazards to vital cyber assets in bulk electric systems. Any company or “responsible entity” operating within the electrical segment of the energy sector is required to participate in the CIP program.

NERC Critical Protection for Infrastructure (CIP)

One of the biggest blackouts in history occurred in 1965, affecting a sizable portion of the northeastern United States and parts of Canada. The blackout was brought on by a series of transmission line trippings. The National Electric Reliability Council was established in 1968 as a result of this catastrophe, and it later changed its name to the North American Electric Reliability Corporation (NERC). NERC’s mandate grew in coordination and collaboration, and the electric sector came to associate it with these qualities.

NERC is an international regulatory body that operates without profit with the goal of minimizing threats to the security and dependability of the American power system. To do this, NERC creates and implements Reliability Standards, such as NERC CIP, the Critical Infrastructure Protection program.

The first iteration of the CIP standards were developed in 2003, during a much larger outage in the United States. In the end, the Federal Energy Regulatory Commission certified the rules in 2008 after they were authorized for use on May 2, 2006. Although the NERC CIP standard was developed in North America, it is also in use in Mexico, Colombia, and Brazil, among other nations.

Since then, NERC CIP has undergone many version updates, and improvements and addenda are still being made to the controls to keep them current with regards to developing threat landscapes and technology advancements.

NERC-CPI security measures

For companies involved in the production, transmission, and distribution of electricity, the CIP offers security measures. The standards and risk management necessary to safeguard “critical assets” of the Bulk Electric System (BES) Cyber System Information (BCSI) that might be utilized to get unauthorized access or jeopardize the security of a BES are outlined in the NERC CIP standard.

According to NERC, “critical assets” are “facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the Bulk Electric System’s reliability or operability.”

Ten cybersecurity requirements, including those pertaining to people, procedures, and technology, are covered by the NERC CIP, a set of required security measures.

Adherence to NERC CIP

CIP program compliance is monitored, evaluated, and enforced by the NERC Compliance Monitoring and Enforcement Program (CMEP). The Federal Power Act’s section 215(e) and 18 C.F.R. ยง39.7 specify the CMEP’s statutory responsibilities, which apply to all owners, operators, and consumers of bulk power systems. Registering with NERC through the relevant Regional Entity is a requirement for responsible entities.

What impact does NERC CIP have on a company?

By 2025, 30% of critical infrastructure businesses, according to Gartner, are expected to suffer a serious cyberattack. Organizations like the FBI’s Internet Crime Complaint Center (IC3), which keeps track of critical infrastructure assaults, support this trend. In 2022, IC3 discovered that, out of the 16 NIST-classified critical infrastructures, at least one member had been the victim of a ransomware attack in 14 sectors. NERC CIP controls are required for two important infrastructures in the following sectors, as examples:

Vitality

In 2022, the energy sector was the target of over 11% of reported cyberattacks, according to IBM’s 2023 Threat Intelligence Index. Any nation needs energy, and the loss of the grid may have a significant effect on society for a long time. Financial gain, state-sponsored terrorism, and geopolitical instability all pose threats to and disrupt utilities like energy. For energy providers to develop a strong IT/OT infrastructure, they must adhere to the CIP’s principles. In order to guarantee that threats like as ransomware are identified and neutralized before an event takes place, a Zero Trust platform can assist in adhering to CIP regulations.

Producing

Manufacturers of transportation equipment and key metals are considered critical. The massive shipping and logistics company Maersk was hit by a Petya ransomware assault in 2017 that cost between $200 and $300 million and severely disrupted the supply chain. Manufacturers are required to adhere to CIP rules in order to stop ransomware attacks and other viruses. Insecure IT/OT systems or illegal access are common causes of ransomware infections. The degree of protection required across large and complicated OT/IT systems is provided by a Zero Trust security methodology.