In 2020, the World Economic Forum suggested that 54% of utility providers expected some form of cyber attack. The growth in cyber security incidents has heightened concern about the security of critical infrastructure, which puts pressure on utilities to ensure the reliability of their Industrial Control Systems (ICS) while maintaining compliance. Utilities must also consider risks that originate outside their own perimeter: their operations depend on external organisations, and they remain responsible for the data surrounding the people, processes and technologies linked to those operations.
What does Compliance Mean for Utilities?
Electric utilities fall under requirements set by the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) standards, which set out mandatory controls for securing operational technology. NERC was established in 1968 in response to the 1965 Northeast blackout, and its reliability standards became mandatory and enforceable in June 2007. The original NERC CIP suite consisted of nine standards and 45 requirements covering the security of cyber assets as well as personnel and training, security management and disaster recovery planning; the suite has since been extended with further standards (for example CIP-010 through CIP-014), two of which, CIP-011 and CIP-013, are discussed below.
NERC CIP Standards
Of the standards in the CIP suite, Tim Conway, Technical Director for ICS and SCADA Programmes at SANS Cyber Security Training, has highlighted the four most important for vendors and integrators working in NERC-CIP environments. The Implementation Guide for Vendors and Integrators Working in NERC-CIP Environments breaks down these four standards.
CIP-003 Security Management Controls
CIP-003 requires nine individual policy areas to be documented and approved, and together these establish the overall CIP programme structure for High and Medium impact facilities and assets.
CIP-004 Personnel and Training
Compliance with this standard means that an organisation meets the requirements for security awareness and training, for personnel risk assessments (PRAs), including how background checks are performed and processed, for granting access and provisioning access rights, and for revoking access when personnel are transferred or terminated.
CIP-011 Information Protection
CIP-011 is a complex set of rules covering the identification and protection of BES Cyber System Information, including its storage, transit, use and the secure reuse or disposal of assets that hold it. The standard has changed over time as the CIP standards have matured and as the data set to be protected has grown across more locations.
CIP-013 Supply Chain Risk Management
This is a newer standard, established to address long-term supply chain risk management for High and Medium impact BES Cyber Systems. It requires organisations to document and implement a supply chain cyber security risk management plan, and its procurement-focused requirements give organisations the basis for contract language on matters such as vendor incident notification, vulnerability disclosure, vendor remote access and verification of software integrity and authenticity.
For a more in-depth discussion of these standards, see the report, which breaks down the requirements within each of them.