Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    The Cyber Security Of Our Electricity Grid

    Graig_Reeds_Headshot.jpgGuest Blogger Craig Reeds commented on the safety of our Electricity Grid.

    "Over the last couple of years, there has been a lot of discussion about the security of the electric grid. We hear stories about the power grid attack in the Ukraine and other possible dangers.

    Here in the United States, things are not as insecure as they are in Europe. This is because we have NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) plan which is a set of requirements designed to secure the assets required for operating North America's bulk electric system, or Power Grid.

    The NERC CIP plan consists of 11 standards and multiple requirements covering the security of electronic perimeters and the protection of critical cyber assets as well as personnel and training, security management and disaster recovery planning. The standards are:

    • CIP-002-5.1a: Cyber Security – Bulk Electrical System Cyber System Categorization
    • CIP-003-6: Cyber Security – Security Management Controls
    • CIP-004-6: Cyber Security - Personnel and Training
    • CIP-005-5: Cyber Security - Electronic Security Perimeters
    • CIP-006-6: Cyber Security - Physical Security of Bulk Electric System Cyber Assets
    • CIP-007-6: Cyber Security - Systems Security Management
    • CIP-008-5: Cyber Security - Incident Reporting and Response Planning
    • CIP-009-6: Cyber Security - Recovery Plans for Bulk Electric System Cyber Assets
    • CIP-010-2: Cyber Security – Configuration Change Management and Vulnerability Assessments
    • CIP-011-2: Cyber Security – Information Protection
    • CIP-014 -2: Physical Security of critical substations

    The CIP program coordinates all of NERC's efforts to improve the North American power system's security. These efforts include standards development, compliance enforcement, assessments of risk and preparedness, the dissemination of critical information and raised awareness regarding key security issues. NERC's standards for governing critical infrastructure apply to entities that "materially impact" the reliability of the bulk power system. These entities include owners, operators and users of any portion of the system.

    Under NERC CIP, covered entities are required to identify critical assets and to regularly perform a risk analysis of those assets. Policies for monitoring and changing the configuration of critical assets need to be defined, as do policies governing access to those assets.

    In addition, NERC CIP requires the use of firewalls to block vulnerable ports and the implementation of cyber-attack monitoring tools. Organizations are also required to enforce IT controls protecting access to critical cyber assets. Systems for monitoring security events must be deployed, and organizations must have comprehensive contingency plans for cyber-attacks, natural disasters and other unplanned events.

    Penalties for non-compliance with NERC CIP can include fines up to $1M per day per infraction, sanctions or other actions against covered entities. Because NERC is a trans-national organization, the exact penalties vary from country to country.

    DNV GL is in the business of helping utilities be compliant. We do this by installing cyber security programs, performing Cyber Vulnerability Assessments, per CIP-010-2 and Mock Audits of NERC 693 and CIP programs at utilities to ensure that they have evidence of compliance when they are audited by NERC or one of the regional authorities. "

    Need Keep Track Of NERC CIP Controls? 

    Here is a great way to get through audits in half the time and at half the cost. The KnowBe4 Compliance Manager (KCM) simplifies the complexity of getting compliant and eases your burden of staying compliant year round:

    • Quick Implementation with Compliance Templates - Pre-built requirements templates for the most widely used regulations like NIST, and NERC CIP is easy to add. 
    • Enable Users to Get the Job Done - You can assign responsibility for controls to the users who are responsible for maintaining them.
    • Dashboards with Automated Reminders - Quickly see what tasks have been completed, not met, and past due. With automated email reminders, your users can stay ahead of any gaps in compliance.

    See for yourself how you can minimize the busy work associated with audits and compliance, and how easy this becomes using KCM. Request a demo: 

    https://www.knowbe4.com/demo_kcm

     

     

     

    Return To KnowBe4 Security Blog

    Topics: Cybersecurity

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews