Fortinet: Tim Conway Explains NERC Standards for secure ICS

Tim Conway highlights the importance of NERC CIP standards and breaks down the requirements for the electric utility industry

In 2020, the World Economic Forum suggested that 54% of utility providers expected some form of cyber attack. The growth in cybersecurity incidents has heightened concern about the security of critical infrastructure, which in turn puts pressure on utilities to ensure the reliability of their Industrial Control Systems (ICS) while maintaining compliance. The risk does not stop at the utility's own perimeter: it extends to the external organisations a utility works with, and the utility remains responsible for the data surrounding the people, processes and technologies linked to its operations.

What does Compliance Mean for Utilities? 

Electric utilities fall under requirements set by the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) standards, which set out policies for secure operational technology. NERC was established in 1968 in response to the 1965 Northeast blackout, and its reliability standards became mandatory in June 2007. NERC CIP consists of nine standards and 45 requirements that cover the security of cyber assets as well as personnel and training, security management and disaster recovery planning.

NERC CIP Standards

Although there are nine standards in total, Tim Conway, Technical Director for ICS and SCADA Programmes at SANS Cyber Security Training, has highlighted the four standards most relevant to vendors and integrators working in NERC CIP environments. The Implementation Guide for Vendors and Integrators Working in NERC-CIP Environments breaks down these four standards.

CIP-003 Security Management Controls

CIP-003 requires nine individual policies, which together establish the overall CIP programme structure for High and Medium impact facilities and assets.

CIP-004 Personnel and Training

Compliance with this standard means that an organisation meets the requirements for security awareness training; for personnel risk assessments (PRAs), including how background checks are performed and processed; for training staff in granting access and setting up access rights; and for revoking access when personnel are transferred or terminated.

CIP-011 Information Protection

CIP-011 is a complex set of rules covering the protection of BES Cyber System Information. It has changed over time as the CIP standards have matured and as the protected data set has grown across different locations.

CIP-013 Supply Chain Risk Management

This is a newer standard established to address long-term supply chain risk management. The requirements of CIP-013 give organisations the language they need to build cybersecurity obligations into their procurement processes and vendor contracts.

For a more in-depth discussion of these standards, see the report, which breaks down the requirements within each of them.
