NERC CIP Standards: Review, Compliance, and Training

Introduction

Industrial Control Systems (ICS) have been widely employed to supervise and control critical infrastructures in various sectors such energy, defense industrial base manufacturing, water treatment, transportation, nuclear, chemical, health, and maritime, just to name a few. This chapter is focused on one prominent application of ICS: the electric utility sector. ICS are originally designed to operate on air-gapped networks, but due to expanded operational requirements, the interconnectivity between Information Technology (IT) and Operational Technology (OT) became inevitable. Such interfacing augmented the attack surfaces on ICS and prompted the increased incidence of cyberattacks. These cyberattacks on ICS can have devastating effects, which may include:

• •

  Personal safety

• •

  Damage to assets

• •

  Damage to the environment

• •

  Financial loss

• •

  Compliance issues with legal and regulatory standards

• •

  Loss of trust

• •

  Loss of proprietary data

The serious consequences of a cyberattack prompted the development and implementation of standards and regulations to protect our nation’s critical infrastructures. Standards provide a set of rules that can be monitored for compliance by a specialized field’s authoritative bodies and related professionals. The grouping of rules and related concepts into appropriate frameworks furnishes the basic building blocks to identify and decide upon appropriate courses of action to address complex problems. Although the enumeration of an exhaustive set of standards and frameworks appropriate for a cybersecurity audit is beyond the scope of this article, we focus our attention to the standards created by the North American Electric Reliability Corporation—the CIP Standards.

This chapter highlights the NERC CIP Standards significance for the protection electric utility entities, and its mapping to the NIST Cyber Security Framework. We illustrate the compliance requirements, including a case study, and investigate the gaps and prospects for workforce development training in this crucial area. This work lays the foundation for the development of automated NERC CIP Standards compliance processes and toolkit, the feasibility of adopting the CIP Standards in other sectors, and the development of training materials in NERC CIP Standards for workforce development.

Background

The Critical Infrastructure Protection (CIP) set of standards is developed by the North American Electric Reliability Corporation (NERC) to ensure the protection of assets used to operate North America’s Bulk Electric Systems (BES). Any entity that owns or operates any type of BES in the United States and Canada must be compliant with the requirements of the NERC CIP Standards.

A closely related set of standards is the International Society of Automation/International Electrotechnical Commission (ISA/IEC) 62443 Standards (ISA/IEC, 2020), which addresses the Security of Industrial Automation and Control Systems (IACS). These standards were initially intended for the industrial sector but evolved and applied to building automation, medical device, and transportation sectors.

An early study on the viability and significance of the NERC CIP standards is made in (Zhang Z., 2011). The study focused on CIP-002 (Critical Cyber Asset Identification), which is the predecessor of the currently enforced CIP-002-5.1a (BES Cyber System Categorization) and concluded that the mandatory cybersecurity standards are beneficial and promoted an increase in technological products, better security management, personnel training, and public trust in the industry.

Design challenges on substation equipment upgrades in light of cybersecurity requirements by the NERC CIP standards are described in (Cole, 2016). The challenges are based mainly on the discovery of legacy and obsolete equipment to be replaced and exacerbated by the lack of up-to-date design and configuration documents. The contingencies that must be included in resource plans, budgets and schedules of equipment upgrades as required by the standards further the burden on the process.