The Lighthouse: CIP low impact from the ground up – Part 1, Introduction to NERC and the Reliability Standards
By Lew Folkerth, Principal Reliability Consultant, External Affairs
In this recurring column, I explore various questions and concerns related to the NERC Critical Infrastructure Protection (CIP) Standards. I share my views and opinions with you, which are not binding. Rather, this information is intended to provoke discussion within your entity. It may also help you and your entity as you strive to improve your compliance posture and work toward continuous improvement in the reliability, security, resilience and sustainability of your CIP compliance programs. There are times that I also may discuss areas of the standards that other entities may be struggling with and share my ideas to overcome their known issues. As with lighthouses, I can’t steer your ship for you, but perhaps I can help shed light on the sometimes-stormy waters of CIP compliance.
Photo: Seul Choix Pointe, Gulliver, Michigan (Lew Folkerth)
Introduction
This is the first in a series of articles in which I’ll explore the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards applicable to low impact Bulk Electric System (BES) Cyber Systems. These articles are my opinions only – consider them to be my advice to you. Most of this advice will reference the enforceable language of the standards, and I’ll quote the applicable wording or provide links to the applicable documents. The enforceable language of the standards will always govern, and if you think my advice conflicts with this language, please let me know.
In providing this advice, I will tell you what you must accomplish and what you should accomplish with your compliance program. But I cannot tell you how to be compliant. How you implement these standards is individual to each organization.
In this series, I’m going to assume you are new to the CIP Standards. I will begin with some foundational material and progress to more advanced topics. I’ll also provide links so you can build your own reference library.
Why is “low impact” important?
Why do we need cybersecurity for what the CIP Standards call “low impact” assets? If these assets are really low impact, why does anyone care?
These assets may be “low impact” individually, but aggregated together they can have a significant impact on electric reliability. Many of these assets have similar configurations, and a vulnerability discovered in one asset will likely have a large impact when additional assets of the same type are considered.
The first pillar of the National Cybersecurity Strategy is “Defense of Critical Infrastructure.” Internationally, critical infrastructure is targeted when an adversary wishes to disrupt and distract an opponent. We in North America need to be aware of this behavior and prepare for actions against us. If we wait to prepare until the threat is imminent, it will be too late.
Further reading:
Dragos 2023 Year in Review Report
The NERC CIP Standards are part of the NERC Reliability Standards. But what are these standards and why are they necessary?
NERC History
To understand the need for NERC and the Reliability Standards, we need to go back about 60 years. On Nov. 9, 1965, a cascading outage resulted in a blackout affecting significant parts of Ontario and the northeast United States. This and subsequent smaller, but still significant, outages demonstrated the need for a national coordinating organization. The National Electric Reliability Council (NERC) was formed in 1968. In 1981 the name was changed to North American Electric Reliability Council, retaining the NERC acronym. During this period NERC developed voluntary reliability standards to improve grid reliability.
On Aug. 14, 2003, another major blackout affected portions of Canada and the northeast United States. One of the major contributing factors of this blackout was determined to be a failure to follow the voluntary reliability standards. In response, the Energy Policy Act of 2005 placed the Federal Energy Regulatory Commission (FERC) in charge of electric reliability in the United States and empowered FERC to establish an Electric Reliability Organization (ERO). NERC was designated as the ERO and became the North American Electric Reliability Corporation on Jan. 1, 2007, again keeping the NERC acronym.
For more information about the history of NERC, see The History of the North American Electric Reliability Corporation by David Nevius
On June 18, 2007, the first mandatory and enforceable Reliability Standards became effective. The first version of the CIP Standards became mandatory and enforceable on July 1, 2008. Mandatory means that NERC registered entities (owners and operators of BES assets) must follow the applicable standards. Enforceable means that these entities are audited for compliance with the applicable standards, where non-compliance carries potential financial penalties.
Getting started
To begin with CIP compliance, you will need to obtain some relevant documents, including the Reliability Standards themselves. The sidebar will give you a starting point for the low impact requirements. If you’re at the medium or high impact level, that will be a different discussion that I’ll provide later.
CIP Low Impact Reference Links
NERC Reliability Standards page with all standards
NERC Reliability Standards One Stop Shop
CIP-002-5.1a – BES Cyber System Categorization
CIP-003-8 – Security Management Controls
CIP-012-1 – Communications between Control Centers
Let me first give you advice on how to read a Reliability Standard. For example, I’ll be discussing the content of CIP-002-5.1a first. The standard number can tell you a lot about the standard (see image below).
Within the Reliability Standards there are several sections, and these can vary somewhat with the age of the standard. In general, there will be:
• Title and Number to identify the standard.
• Purpose gives the intent of the standard.
• Applicability designates those entities that must comply with the standard.
• Effective Dates provide the date the standard became (or becomes) mandatory and enforceable. This is frequently a link to an Implementation Plan.
• Requirements are the reason for the standard’s existence. The requirements set out the actions that you must take or the results that you must achieve.
• Measures show possible methods to demonstrate compliance.
• Compliance Enforcement Authority details who will monitor compliance.
• Compliance Monitoring and Enforcement Program indicates how compliance monitoring works.
• Evidence Retention provides instructions on the length of time compliance evidence must be kept.
• Violation Severity Levels are used in the enforcement process to help determine the severity of any violation.
• Glossary terms are contained in the Glossary of Terms Used in NERC Reliability Standards. These terms are capitalized in the text of the standard.
• Interpretations, if any, are attached as appendices to the standard.
There may be additional sections of the standard, including attachments, tables, background or technical information, etc.
Of all these items that make up a Reliability Standard, the enforceable parts are the applicability, the effective dates, and the requirements. Glossary terms are incorporated into the standard by reference and are also enforceable in the context in which they are used. Interpretations are also enforceable, as they officially explain what the language of the standard means. Attachments, tables, etc. may also be enforceable if they are referenced in a requirement. For example, CIP-003-8 Requirement R2 references Attachment 1 in CIP-003-8 and therefore Attachment 1 is enforceable.
All other sections of a standard are considered explanatory material that may help in understanding the meaning of the standard, but are not themselves enforceable. For example, if you don’t comply with a measure for a requirement, but are able to demonstrate compliance in a different way, that is not a violation of the standard.
In addition to the language of the standard, an important aspect of each version of a standard is its status. Here are some of the most common values for a standard’s status as it appears on the NERC Reliability Standards page and in the Reliability Standards One Stop Shop:
• Subject to Enforcement – Currently mandatory and enforceable
• Subject to Future Enforcement – Approved by FERC but has not yet reached its effective date
• Filed and Pending Regulatory Approval – Filed with FERC but no action has been taken
• Pending Regulatory Filing – Approved by the NERC Board of Trustees but not yet filed with FERC
In addition, a standard may be in development. Standards in development have their own section of the NERC website, which I’ll discuss in a later article.
For an online class that brings this all together, see SERC University’s NERC Reliability Standards course.
Conclusion
In the following articles in this series, I’ll discuss the CIP Standards that affect low impact systems in detail, compliance guidance, audit tools, using the NERC website, and other topics you need to know to be successful with CIP compliance.