Guest Blogger Craig Reeds commented on the safety of our Electricity Grid.
"Over the last couple of years, there has been a lot of discussion about the security of the electric grid. We hear stories about the power grid attack in the Ukraine and other possible dangers.
Here in the United States, things are not as insecure as they are in Europe. This is because we have the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) plan, which is a set of requirements designed to secure the assets required for operating North America's bulk electric system, or Power Grid.
The NERC CIP plan consists of 11 standards and multiple requirements covering the security of electronic perimeters and the protection of critical cyber assets as well as personnel and training, security management and disaster recovery planning. The standards are:
- CIP-002-5.1a: Cyber Security – Bulk Electrical System Cyber System Categorization
- CIP-003-6: Cyber Security – Security Management Controls
- CIP-004-6: Cyber Security – Personnel and Training
- CIP-005-5: Cyber Security – Electronic Security Perimeters
- CIP-006-6: Cyber Security – Physical Security of Bulk Electric System Cyber Assets
- CIP-007-6: Cyber Security – Systems Security Management
- CIP-008-5: Cyber Security – Incident Reporting and Response Planning
- CIP-009-6: Cyber Security – Recovery Plans for Bulk Electric System Cyber Assets
- CIP-010-2: Cyber Security – Configuration Change Management and Vulnerability Assessments
- CIP-011-2: Cyber Security – Information Protection
- CIP-014-2: Physical Security of Critical Substations
The CIP program coordinates all of NERC's efforts to improve the North American power system's security. These efforts include standards development, compliance enforcement, assessments of risk and preparedness, the dissemination of critical information and raised awareness regarding key security issues. NERC's standards for governing critical infrastructure apply to entities that "materially impact" the reliability of the bulk power system. These entities include owners, operators and users of any portion of the system.
Under NERC CIP, covered entities are required to identify critical assets and to regularly perform a risk analysis of those assets. Policies for monitoring and changing the configuration of critical assets need to be defined, as do policies governing access to those assets.
In addition, NERC CIP requires the use of firewalls to block vulnerable ports and the implementation of cyber-attack monitoring tools. Organizations are also required to enforce IT controls protecting access to critical cyber assets. Systems for monitoring security events must be deployed, and organizations must have comprehensive contingency plans for cyber-attacks, natural disasters and other unplanned events.
Penalties for non-compliance with NERC CIP can include fines up to $1M per day per infraction, sanctions or other actions against covered entities. Because NERC is a trans-national organization, the exact penalties vary from country to country.
DNV GL is in the business of helping utilities be compliant. We do this by installing cyber security programs, performing Cyber Vulnerability Assessments per CIP-010-2, and Mock Audits of NERC 693 and CIP programs at utilities to ensure that they have evidence of compliance when they are audited by NERC or one of the regional authorities."
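The guest post above describes two of the controls behind CIP-010 (configuration change management) and CIP-007 (ports and services) only in policy terms: record an approved baseline, detect changes that bypassed change management, and keep unneeded services from listening. The following Python script is an added illustration of what such a check looks like in practice; it is not code from DNV GL, NERC or KnowBe4, and the asset name, file contents and port allow-list are constructed for the example.

```python
"""Configuration-baseline drift check in the spirit of NERC CIP-010 change
management and CIP-007 ports/services control. Added illustration; the asset,
file contents and port lists below are constructed, not taken from a real site."""
import hashlib
from dataclasses import dataclass


@dataclass
class Baseline:
    """Approved state of one BES Cyber Asset (constructed structure for this example)."""
    asset: str
    file_hashes: dict      # config path -> SHA-256 of the approved content
    allowed_ports: set     # listening TCP ports with a documented need


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(asset: str, files: dict, allowed_ports) -> Baseline:
    """Record the approved configuration: one hash per file plus the port allow-list."""
    hashes = {path: sha256_hex(content) for path, content in files.items()}
    return Baseline(asset, hashes, set(allowed_ports))


def detect_drift(baseline: Baseline, current_files: dict, listening_ports) -> list:
    """Compare a fresh snapshot against the baseline and return human-readable findings.
    An empty list means no unauthorized change was observed."""
    findings = []
    # Approved files that are now missing or altered
    for path, approved_hash in baseline.file_hashes.items():
        if path not in current_files:
            findings.append(f"{baseline.asset}: {path} removed from baseline set")
        elif sha256_hex(current_files[path]) != approved_hash:
            findings.append(f"{baseline.asset}: {path} modified (hash mismatch)")
    # Files that appeared without going through change management
    for path in current_files:
        if path not in baseline.file_hashes:
            findings.append(f"{baseline.asset}: {path} added (not in baseline)")
    # Listening services outside the documented allow-list
    for port in sorted(set(listening_ports) - baseline.allowed_ports):
        findings.append(f"{baseline.asset}: TCP port {port} listening without documented need")
    return findings


# Constructed sample data: a hypothetical substation RTU, not a real device.
APPROVED_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/opt/scada/app.conf": b"poll_interval=5\n",
}
APPROVED_PORTS = {22, 502}   # SSH for maintenance, Modbus/TCP for polling


def run_example() -> list:
    """Build the baseline, then evaluate a later snapshot in which root login was
    enabled, an undocumented config file appeared and telnet started listening."""
    baseline = build_baseline("substation-rtu-01", APPROVED_FILES, APPROVED_PORTS)
    snapshot_files = {
        "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
        "/opt/scada/app.conf": b"poll_interval=5\n",
        "/opt/scada/debug.conf": b"verbose=1\n",
    }
    snapshot_ports = {22, 502, 23}
    return detect_drift(baseline, snapshot_files, snapshot_ports)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

In a real program the baseline would be captured at the time a change request is approved and the snapshot collected on the CIP-010 review cadence (or continuously), with each finding feeding the CIP-008 incident process if it cannot be matched to an approved change record; the value of the approach is that the evidence (hash, port, timestamp) is exactly what an auditor asks to see.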
Need to Keep Track of NERC CIP Controls?
Here is a great way to get through audits in half the time and at half the cost. The KnowBe4 Compliance Manager (KCM) simplifies the complexity of getting compliant and eases your burden of staying compliant year round:
- Quick Implementation with Compliance Templates - Pre-built requirements templates for the most widely used regulations, like NIST, and NERC CIP is easy to add.
- Enable Users to Get the Job Done - You can assign responsibility for controls to the users who are responsible for maintaining them.
- Dashboards with Automated Reminders - Quickly see what tasks have been completed, not met, and past due. With automated email reminders, your users can stay ahead of any gaps in compliance.
See for yourself how you can minimize the busy work associated with audits and compliance, and how easy this becomes using KCM. Request a demo: