Fortinet: Tim Conway Explains NERC Standards for secure ICS

Tim Conway highlights the importance of NERC CIP standards and breaks down the requirements for the electric utility industry

In 2020, it was suggested—by the World Economic Forum—that 54% of utility providers expected some form of cyber attack. The growth of cybersecurity incidents has heightened the concern about the security of their critical infrastructure. This ultimately puts pressure on utilities to ensure the reliability of their Industrial Control Systems (ICS) and maintain compliance. There are also external risks to consider as these risks extend across external organisations and utility companies are responsible for the data surrounding the people, processes and technologies that are linked to their operations. 

What does Compliance Mean for Utilities? 

Electric utilities fall under requirements set by the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Plan (CIP), which sets out policies for secure operational technology. The NERC was established in 1968 as a response to the 1965 blackout, and the organisation’s standards became mandatory in June 2007. The NERC CIP consists of nine stands and 45 requirements that cover the security of cyber assets as well as personnel and training, security management and disaster recovery planning. 

NERC CIP Standards

Although there are nine standards in total, Tim Conway, Technical Director for ICS and SCADA Programmes at SANS Cyber Security Training, has highlighted the four most important standards that vendors and integrators working in NERC-CIP environments need to follow. The Implementation Guide for Vendors and Integrators Working in NERC-CIP Environments breaks down these four standards.

CIP-003 Security Management Controls

There are nine individual policies that exist within the CIP-003 standard, which establish the overall CIP programme structure in relation to High and Medium impact facilities and assets. 

CIP-004 Personnel and Training

Compliance with this standard means that organisations meet the training requirements in relation to security awareness, personnel risk assessment (PRA) requirements—involving background check performance and processing, training in secure access granting and setting up access rights, as well as the requirements for revoking access due to transfer of personnel or termination.

CIP-011 Information Protection

CIP-011 is a complex set of rules, which has changed over time as CIP standards have matured and responded to an ever-growing data set across different locations.

CIP-013 Supply Chain Risk Management

This is a new standard that has been established to address long-term supply chain risk management issues. The requirements of CIP-013 provide organisations and individuals with the ability to implement the correct language to support their procurement processes.

For a more in-depth discussion about these standards, check out the report, which discussed the breakdown of requirements within these standards.


Featured Articles

UK and US announce energy partnership

The agreement will work towards reducing global dependency on Russian energy exports, stabilising energy markets, and stepping up collaboration

Alfa Laval to supply world’s largest green hydrogen plant

The facility is being built in NEOM, the US$500bn futuristic city being developed in Saudi Arabia

COP27 agrees to climate compensation fund

The deal is said to be a historic first in acknowledging the vast inequities of the climate crisis

North America's natural gas can help mitigate energy crisis

Oil & Gas

COP27: Egypt and Norway to build 100MW green hydrogen plant

Renewable Energy

Renewable energy company Masdar opens office in Saudi Arabia

Renewable Energy