Fortinet: Tim Conway Explains NERC Standards for secure ICS

Tim Conway highlights the importance of NERC CIP standards and breaks down the requirements for the electric utility industry

In 2020, the World Economic Forum reported that 54% of utility providers expected some form of cyber attack. The growth in cybersecurity incidents has heightened concern about the security of critical infrastructure, which puts pressure on utilities to ensure the reliability of their Industrial Control Systems (ICS) and to maintain compliance. External risk must also be considered: these risks extend across partner organisations, and utility companies remain responsible for the data surrounding the people, processes and technologies linked to their operations.

What does Compliance Mean for Utilities? 

Electric utilities fall under requirements set by the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Plan (CIP), which sets out policies for secure operational technology. NERC was established in 1968 in response to the 1965 blackout, and the organisation’s standards became mandatory in June 2007. NERC CIP consists of nine standards and 45 requirements covering the security of cyber assets as well as personnel and training, security management and disaster recovery planning.

NERC CIP Standards

Although there are nine standards in total, Tim Conway, Technical Director for ICS and SCADA Programmes at SANS Cyber Security Training, has highlighted the four most important standards that vendors and integrators working in NERC-CIP environments need to follow. The Implementation Guide for Vendors and Integrators Working in NERC-CIP Environments breaks down these four standards.

CIP-003 Security Management Controls

There are nine individual policies that exist within the CIP-003 standard, which establish the overall CIP programme structure in relation to High and Medium impact facilities and assets. 

CIP-004 Personnel and Training

Compliance with this standard means that organisations meet the training requirements relating to security awareness; the personnel risk assessment (PRA) requirements, which cover the performance and processing of background checks; training in granting secure access and setting up access rights; and the requirements for revoking access when personnel are transferred or terminated.

CIP-011 Information Protection

CIP-011 is a complex set of rules that has changed over time as the CIP standards have matured and responded to an ever-growing data set spread across different locations.

CIP-013 Supply Chain Risk Management

This is a new standard established to address long-term supply chain risk management issues. The requirements of CIP-013 give organisations and individuals the ability to put the correct language in place to support their procurement processes.

For a more in-depth discussion of these standards, see the report, which breaks down the requirements within each of them.
