The North American Electric Reliability Corporation (NERC) serves more than 300 million people in North America as the electric reliability organization under the Federal Energy Regulatory Commission (FERC). In 2013, the FERC approved changes and additions to Critical Infrastructure Protection (CIP) Reliability Standards, also known as CIP v5, which are a set of requirements for securing the assets responsible for operating the bulk power system.
CIP is just one of 14 mandatory NERC standards that are subject to enforcement in the U.S. However, it gets a good deal of attention because this regulation is centered on the physical security and cybersecurity of assets deemed to be critical to the electricity infrastructure. Within CIP, there are eleven reliability standards currently subject to enforcement under CIP v5, but there are plans to introduce more in the future.
Obtaining compliance under CIP is more about policy and procedure than technology. The firms that help the responsible entities achieve CIP compliance aren't widely known to the public. Because cybersecurity requirements for the energy sector are so new, there isn't a lot of competition.
Most of the consultancies in this space have rarely strayed outside of critical infrastructure. They're specialized, and have a lot of institutional knowledge and previous experience with these types of systems. Some well-known commercial vendors are working in the space too, but most only sell products that address certain needs under CIP.
After talking with several experts and those familiar with CIP, as well as reading all of the NERC documentation, one thing became clear: CIP isn't about technical controls. If technical controls are considered, such as an IP camera or a firewall, the effectiveness of said control doesn't really come up.
CIP works on severity ratings when it comes to scope: high, medium, and low. Like any other regulatory matter, scope is what ultimately determines a pass or fail with CIP.
As expected, entities that need to comply with CIP will do all they can to lower the overall scope, which makes earning compliance easier. One expert, commenting on background, said he's seen examples where an asset owner wouldn't implement network security monitoring, because doing so would increase their regulatory footprint.
Another example: an electric provider addressing the severity ratings for its facility counted its buildings as separate assets. Overall, the facility was generating more than 3,000 MW, which would designate it as high impact. Because the company had two buildings, each with turbines generating roughly 1,500 MW, it was able to lower its scope to medium impact. It didn't matter that both buildings were on the same property, nor did it matter that both were controlled from the same control room.