Introduction to NERC CIP
The NERC Critical Infrastructure Protection (CIP) standards, currently in their fifth iteration, are a mandatory set of requirements covering access control, personnel safety, physical security, network security, incident response, and disaster recovery for large-scale power systems. These systems are part of the Bulk Electric System (BES), typically operating at 100 kV or higher and including assets for power generation, transmission, and distribution. BES infrastructure supports large-scale generation and transmission, ensuring the reliable flow of electricity over long distances across the U.S., Canada, and parts of Mexico, under the governance of the North American Electric Reliability Corporation (NERC). However, for generation facilities that produce less than 20 megawatts (MW) of electricity, these standards are only partially applicable. Smaller power generation systems, such as certain renewable energy sources, may not face the same stringent regulatory requirements as larger BES assets, although they still need to meet some baseline security and reliability standards. NERC and its regional entities enforce these standards through audits and other oversight protocols. NERC CIP comprises fourteen specific standards (CIP-002 through CIP-015), which require power system operators to develop and implement various security plans, controls, and risk management processes.
History and Evolution of NERC CIP
Formed by the electric utility industry in 1968, the North American Electric Reliability Corporation (NERC) was created to ensure the reliability of the power grid, making electricity dependable and consistent across North America. Initially, NERC worked with utility experts to develop voluntary standards, which played a critical role in stabilizing the North American power grid throughout the 1980s and 1990s.
As concerns about national infrastructure security grew, President Clinton issued Presidential Decision Directive 63 (PDD-63) in 1998. This directive acknowledged that the growing reliance on information technology (IT) posed new vulnerabilities, particularly in sectors essential to national security and economic stability. It called for collaboration between the federal government and the private sector to develop plans for safeguarding critical infrastructure, including the power grid. While PDD-63 didn’t directly single out NERC, this directive did increase awareness of cybersecurity risks to critical infrastructure. This prompted NERC to shift its focus toward cybersecurity, with some attention to physical security for issues that could impact interstate commerce.
In the early 2000s, NERC became a founding member of the Partnership for Critical Infrastructure Security (PCIS), signaling its active engagement in national security and critical infrastructure protection efforts. NERC's role in cybersecurity had already grown after 1999, when it launched the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) at the request of the Department of Energy. At this point, the idea was to make NERC the primary point of contact for national security and critical infrastructure issues within the electricity sector.
The devastating events of 9/11/2001 became a catalyst for significant changes in national security policy. One result was a push to create a set of cybersecurity standards for the industry, with those conversations shaped by a newly provoked sense of urgency and danger. Timelines were compressed by several years from what participants had expected. Shortly thereafter, in 2003, NERC issued an Urgent Action Standard (UA 1200), a temporary emergency measure to fill gaps in critical infrastructure protection that became the precursor for the current NERC CIP standards.
UA 1200 was issued in August 2003, closely following the Northeast blackout of 2003, which affected an estimated 55 million people. This massive outage impacted much of the northeastern U.S., Ontario, and Quebec, stemming from a software bug that disrupted the alarm system in the FirstEnergy control room. As a result, operators were left unaware that overloaded transmission lines had sagged into foliage and that load needed to be redistributed. What should have been a manageable local outage instead cascaded into the collapse of most of the Northeast regional electricity distribution system. Because of the widespread impact of this blackout, UA 1200 was put in the spotlight, which accelerated the development of NERC CIP. By 2005, NERC CIP Version 3 was drafted and released for public comment, reviewed by over 61 public entities, and eventually agreed upon and published. Though the drafting of Version 3 began in 2005, the standard was not formally adopted and enforced until 2009-2010.
This version played a pivotal role in laying the foundation for the later, more comprehensive NERC CIP Version 5, which introduced more stringent protections and clearer guidelines for the industry. Version 5 is now the mandatory standard that the Bulk Electric System (BES) must comply with today.
Latest Updates to NERC CIP
The most recent significant update to the NERC CIP standards took effect on October 1, 2022, following a Federal Energy Regulatory Commission (FERC) order to enhance the reliability standards for supply chain risk management. This update introduced several key changes across multiple CIP standards, aiming to strengthen cybersecurity measures for Bulk Electric System (BES) components, especially those with medium to high impact. Notably, new provisions address electronic access control or monitoring systems (EACMS) and extend protections to physical access control systems (PACS), ensuring comprehensive coverage for critical infrastructure.
Key NERC CIP Standards for Supply Chain Risk Management
- CIP-005: Enhancing Vendor Remote Access Security
CIP-005 introduces new requirements (2.4 and 2.5) focused on identifying and disabling vendor remote access sessions for medium and high-impact BES Cyber Systems (BCS). These requirements aim to minimize risks associated with unauthorized access, ensuring that only verified, secure sessions can connect to critical network systems.
- CIP-010: Strengthening Software Integrity Verification
Under CIP-010, Requirement R1, Section 1.6 has been added to enforce strict entity authentication for software sources (R1.6.1) and verify the integrity of software downloaded from these sources (R1.6.2). This standard targets potential supply chain risks, such as threat actors tampering with vendor sites or injecting malicious code into software during the download process, thus safeguarding the integrity of all BCS used for medium- and high-impact operations.
- CIP-013: First Cyber Supply Chain Risk Management Standard
CIP-013 marks the introduction of a risk-based approach to cyber supply chain risk management (CSCRM). This revision establishes the first formalized set of requirements, guiding organizations in identifying, assessing, and mitigating supply chain risks associated with BES Cyber Systems.
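The CIP-010 R1.6.2 step described above, checking that a downloaded package matches the digest the vendor published, as an added example that is not part of the original post or any TXOne product. The manifest format (sha256sum style), the file name `rtu-fw-2.1.bin`, and the sample image bytes are constructed assumptions; the manifest itself must come from a source authenticated under R1.6.1, since a digest alone only proves the bytes match the manifest, not who published it.

```python
"""Verify a downloaded software package against a vendor hash manifest
before it is staged for a BES Cyber System (CIP-010 R1.6.2 style check)."""
import hashlib
import hmac

# Constructed sample "firmware image" standing in for a vendor download.
SAMPLE_IMAGE = b"RTU firmware v2.1 -- constructed sample image, not real firmware\n"

# Constructed manifest in sha256sum format ("<hex digest>  <file name>").
# In practice this text is fetched from the authenticated vendor source
# (R1.6.1), never from the same untrusted mirror as the package itself.
MANIFEST_TEXT = (
    "# release manifest for RTU firmware 2.1 (constructed)\n"
    f"{hashlib.sha256(SAMPLE_IMAGE).hexdigest()}  rtu-fw-2.1.bin\n"
)


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines into {file name: lowercase hex digest}.

    Accepts both "digest  name" and the binary-mode "digest *name" form
    and rejects anything that is not a 64-character hex SHA-256 digest.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad SHA-256 digest on manifest line: {line!r}")
        expected[name] = digest
    return expected


def sha256_of(data: bytes, chunk: int = 1 << 16) -> str:
    """Hash in chunks so the same routine works for large firmware images."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_download(name: str, data: bytes, manifest: dict[str, str]) -> tuple[bool, str]:
    """Return (ok, reason). Only an ok=True result should allow staging."""
    if name not in manifest:
        return False, "not listed in manifest"
    actual = sha256_of(data)
    # compare_digest avoids timing side channels; harmless here but idiomatic.
    if not hmac.compare_digest(actual, manifest[name]):
        return False, f"digest mismatch: expected {manifest[name]}, got {actual}"
    return True, "verified"


if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST_TEXT)
    print(verify_download("rtu-fw-2.1.bin", SAMPLE_IMAGE, manifest))
    # A single appended byte (simulating tampering in transit) must fail.
    print(verify_download("rtu-fw-2.1.bin", SAMPLE_IMAGE + b"\x00", manifest))
    print(verify_download("unlisted-tool.exe", SAMPLE_IMAGE, manifest))
```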
On January 19, 2023, the Federal Energy Regulatory Commission (FERC) issued Order No. 887, which directs NERC to develop new or modified Critical Infrastructure Protection (CIP) Reliability Standards. These standards would mandate the use of Internal Network Security Monitoring (INSM) for all high-impact Bulk Electric System (BES) Cyber Systems and medium-impact BES Cyber Systems with External Routable Connectivity (ERC).
What is INSM and why must it be applied to ERCs?
ERC refers to network traffic or connections that can be routed outside of a defined security boundary to external networks, including the internet, representing a potential security risk for BES Cyber Systems in the context of NERC CIP standards. INSM allows entities to monitor network traffic within trusted zones, such as the Electronic Security Perimeter (ESP), to detect intrusions or malicious activity, mitigating the risks posed by ERC. Specifically, Order No. 887 directs NERC to develop Reliability Standards that address three key security issues in any new or modified CIP standards:
- Responsible entities must develop baselines of their network traffic within their CIP-networked environment.
- Responsible entities must monitor for and detect unauthorized activity, connections, devices, and software inside the CIP-networked environment.
- Responsible entities are required to identify anomalous activity to a high level of confidence, which can be accomplished by:
a) Logging of network traffic
b) Maintenance of network traffic logs and other collected data
c) Implementation of measures that minimize the likelihood or ability of an attacker to cover their tracks by erasing evidence of their tactics, techniques and procedures from compromised devices
In Order No. 887, FERC directed NERC to submit these revisions for approval within 15 months of the final rule’s effective date, meaning that they needed to submit the revisions by July 9, 2024. On top of that, Order No. 887 also tasked NERC with conducting a study that would examine the risks posed by both a) medium-impact BES Cyber Systems that lack ERC, and b) low-impact BES Cyber Systems. The study should also explore the pitfalls and potential solutions for implementing INSM within these more isolated systems.
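The first two Order No. 887 objectives, building a baseline of traffic inside the CIP-networked environment and then detecting connections, devices and services that fall outside it, as an added example that is not part of the original post. The flow records (CSV of source, destination, protocol and destination port), the 10.10.x.x addresses and the ports are constructed; a real deployment would feed the same logic from span-port or flow-export data and have the baseline window reviewed by the responsible entity before it is trusted.

```python
"""Baseline-and-compare internal network monitoring for an ESP
(constructed flow records; Order No. 887 objectives 1 and 2)."""
import csv
import io
from collections import Counter

# Constructed baseline window: an HMI (10.10.1.5) polling two RTUs over
# Modbus/TCP (502) and an EWS (10.10.1.6) talking DNP3 (20000) to one RTU.
BASELINE_FLOWS = """\
ts,src,dst,proto,dport
2024-03-01T00:00:00Z,10.10.1.5,10.10.2.20,tcp,502
2024-03-01T00:00:05Z,10.10.1.5,10.10.2.21,tcp,502
2024-03-01T00:00:09Z,10.10.1.6,10.10.2.20,tcp,20000
2024-03-01T00:01:00Z,10.10.1.5,10.10.2.20,tcp,502
"""

# Constructed later window containing three deviations from the baseline:
# an unseen device, an unseen service (SSH) on a known RTU, and a known
# service reached from a peer that never used it before.
OBSERVED_FLOWS = """\
ts,src,dst,proto,dport
2024-03-08T10:00:00Z,10.10.1.5,10.10.2.20,tcp,502
2024-03-08T10:00:02Z,10.10.9.9,10.10.2.20,tcp,502
2024-03-08T10:00:04Z,10.10.1.6,10.10.2.21,tcp,22
2024-03-08T10:00:05Z,10.10.1.6,10.10.2.20,tcp,502
2024-03-08T10:00:06Z,10.10.1.5,10.10.2.20,tcp,502
"""

Flow = tuple[str, str, str, int]  # (src, dst, proto, dport)


def parse_flows(text: str) -> list[Flow]:
    """Read CSV flow records into (src, dst, proto, dport) tuples."""
    return [(r["src"], r["dst"], r["proto"].lower(), int(r["dport"]))
            for r in csv.DictReader(io.StringIO(text))]


def build_baseline(flows: list[Flow]) -> dict:
    """Baseline = known flows, known hosts, and known (dst, proto, port) services."""
    return {
        "flows": set(flows),
        "hosts": {h for f in flows for h in f[:2]},
        "services": {(dst, proto, dport) for _, dst, proto, dport in flows},
    }


def detect(baseline: dict, observed: list[Flow]) -> list[tuple[Flow, str]]:
    """Return (flow, finding) for each observed flow outside the baseline,
    most specific classification first: new device, then new service on a
    known host, then a new peer for a service that already existed."""
    findings = []
    for f in observed:
        src, dst, proto, dport = f
        if f in baseline["flows"]:
            continue
        if src not in baseline["hosts"] or dst not in baseline["hosts"]:
            findings.append((f, "unknown device"))
        elif (dst, proto, dport) not in baseline["services"]:
            findings.append((f, "new service on known host"))
        else:
            findings.append((f, "new peer for known service"))
    return findings


def summarize(findings: list[tuple[Flow, str]]) -> Counter:
    """Count findings per category, the figure a reviewer would track over time."""
    return Counter(kind for _, kind in findings)


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_FLOWS))
    for flow, kind in detect(base, parse_flows(OBSERVED_FLOWS)):
        print(f"{kind:28s} {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}")
```

The third objective, keeping the flow logs themselves tamper-resistant, is outside this snippet: forwarding records off the monitored hosts to a collector the endpoints cannot write to is what keeps the evidence usable.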
Preparing for Compliance: What Energy Providers Need to Know
By staying informed on these updates, energy providers can better align their cybersecurity strategies with the latest NERC CIP standards. Ensuring compliance with enhanced supply chain risk management requirements and adopting internal network security monitoring practices will not only fulfill regulatory obligations but also significantly boost the resilience of critical energy infrastructure.
Understanding NERC CIP Standards: A Breakdown
In the following sections, this blog will provide a concise overview of the NERC CIP core cybersecurity standards that ensure the reliability of the Bulk Electric System (BES). These regulations are crucial for safeguarding BES cyber systems against various threats and vulnerabilities. The comprehensive landscape of these key standards primarily outlines the organizational requirements to identify critical assets, establish control mechanisms, enhance both logical and physical security of systems, and restore affected assets in the aftermath of a cybersecurity incident. This holistic approach underscores the importance of proactive risk management and resilience in maintaining the integrity of our energy infrastructure.
| Standard Number | Standard Title | Purpose | Effective Date of Standard |
|---|---|---|---|
| CIP-002-5.1a | BES Cyber System Categorization | To identify and categorize BES Cyber Systems and their associated assets in order to apply cybersecurity requirements based on the potential adverse impact that their loss, compromise, or misuse could have on BES reliability. Proper identification and categorization protects BES Cyber Systems against compromises that could lead to misoperation or instability in the BES. | December 27, 2016 |
| CIP-003-8 | Security Management Controls | To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. | April 1, 2020 |
| CIP-004-6 | Personnel & Training | To enforce personnel risk assessments, training, and security awareness that minimize the risk of compromise from individuals accessing BES Cyber Systems and prevent misoperation or instability in the BES. | July 1, 2016 |
| CIP-005-7 | Electronic Security Perimeter(s) | To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter (ESP) to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. | October 1, 2022 |
| CIP-006-6 | Physical Security of BES Cyber Systems | To manage physical access to BES Cyber Systems by specifying a physical security plan to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. | July 1, 2016 |
| CIP-007-6 | System Security Management | To manage system security by specifying select technical, operational, and procedural requirements to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. | July 1, 2016 |
| CIP-008-6 | Incident Reporting and Response Planning | To mitigate the potential risk a cybersecurity incident could pose to the reliable operation of the BES by specifying incident response requirements. | January 1, 2021 |
| CIP-009-6 | Recovery Plans for BES Cyber Systems | To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES. | July 1, 2016 |
| CIP-010-4 | Configuration Change Management and Vulnerability Assessments | To detect and prevent unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. | October 1, 2022 |
| CIP-011-2 | Information Protection | To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. | July 1, 2016 |
| CIP-012-1 | Communications Between Control Centers | To protect the confidentiality and integrity of real-time assessment and real-time monitoring data transmitted between control centers in the BES. | July 1, 2022 |
| CIP-013-2 | Supply Chain Risk Management | To mitigate cybersecurity risks to the reliable operation of the BES by implementing security controls for supply chain risk management of BES Cyber Systems. | October 1, 2022 |
| CIP-014-3 | Physical Security | To identify and protect transmission stations and substations, and their associated primary control centers, that, if rendered inoperable or damaged by a physical attack, could result in instability, uncontrolled separation, or cascading within an interconnection. | June 16, 2022 |
| CIP-015-1 | Internal Network Security Monitoring | To address the gap in current CIP Reliability Standards by requiring Internal Network Security Monitoring (INSM) for all high-impact BES Cyber Systems and medium-impact BES Cyber Systems with External Routable Connectivity (ERC), ensuring early detection of anomalous network activity indicating an attack in progress. | July 9, 2024 |
The Role of Compliance in Enhancing Cybersecurity
NERC CIP serves as a mandatory standard that provides a comprehensive cybersecurity framework for the North American power industry. As a result, energy companies are compelled to allocate significant resources to meet these requirements, including technology upgrades, personnel training, and process optimization. NERC CIP employs a risk-based approach to cybersecurity management, which requires energy organizations to continuously assess threats and vulnerabilities within their environment and allocate resources based on the level of risk.
While NERC CIP provides guidance on “what” needs to be done, a robust assessment and compliance review system is still required to ensure strict adherence to the standards. That’s where the Compliance Monitoring and Enforcement Program (CMEP) comes into play. The combination of these two systems ensures that cybersecurity measures are not merely theoretical but are effectively implemented. NERC CIP sets the standards, while the CMEP monitors compliance, with feedback from enforcement informing future revisions of the standards. This creates a continuous improvement loop, allowing the framework to evolve over time.
CMEP adopts a risk-oriented regulatory approach, which means regulatory efforts are focused on the most critical areas and high-risk entities. Additionally, CMEP includes enforcement mechanisms, such as fines and sanctions, which provide strong incentives for energy companies to comply with NERC CIP standards. The rigorous enforcement of NERC CIP and CMEP helps enhance the cybersecurity resilience of the entire energy sector, which is essential for protecting critical infrastructure.
How to Achieve NERC CIP Compliance
NERC CIP standards provide objective-oriented control measures; however, identifying optimal solutions for an organization's OT environment falls outside their scope. Asset owners must conduct their own compliance solution assessments. While this offers flexibility in selection, it also requires independent testing and validation of each solution against the standard's requirements. Purpose-built solutions for OT environments are therefore valuable in reducing evaluation time and accelerating deployment. Below, we detail how TXOne Networks delivers optimized cybersecurity solutions for energy providers:
CIP-002: BES Cyber System Categorization
TXOne Portable Inspector executes comprehensive asset scanning, generating detailed system information including IP addresses, MAC addresses, hostnames, OS versions, patch histories, and installed application inventories. This asset intelligence can be exported to CSV format through the ElementOne centralized console, facilitating asset inventory management, or transmitted to SIEM/Rsyslog servers for advanced analysis, including BES asset cataloging, impact level assessment, vulnerability identification, and cyber risk evaluation.
CIP-003: Security Management Controls
TXOne’s Stellar and Edge solutions provide real-time alerts for unauthorized access attempts within OT environments while supporting trust list-based security policy enforcement. Stellar monitors endpoint activities, encompassing controller operations, application controls, system configuration modifications, and file transfer events. Edge complements this by tracking network activities, protocol usage, affected devices, specific impacts, and temporal data. This comprehensive audit capability enables grid owners and operators to establish accountability frameworks and prevent malicious or erroneous activities that could compromise plant operations.
TXOne’s Portable Security addresses Transient Cyber Assets (TCA), including laptops, desktops, and diagnostic equipment that may interface with or support BES Cyber Systems. Following CIP-003-8 R2 requirements, the solution implements on-demand malware scanning upon system connection, enabling immediate threat detection and response. Enhanced scanning protocols are applied to irregularly connected devices requiring updates.
CIP-005: Electronic Security Perimeter(s)
TXOne's network segmentation and access control solutions are engineered for CIP-005 compliance. Utilizing EdgeFire and EdgeIPS, the platform implements OT-aware segmentation to enhance BES asset security access management. This framework effectively restricts access to authorized devices, including Engineering Workstations (EWS) and Human-Machine Interfaces (HMI). EdgeIPS's robust segmentation mechanisms ensure BES asset interactions are limited to validated sources, significantly mitigating unauthorized access risks and the potential for vulnerability exploitation.
CIP-007: Systems Security Management
TXOne Stellar provides comprehensive anomaly detection capabilities for BES assets, identifying potentially malicious actors and unauthorized code deployment. The system monitors and logs all control commands and USB port I/O communications, helping to prevent the use of unnecessary services. In compliance with R4 security event monitoring requirements, it enables real-time identification and logging of unauthorized electronic access or operations on controllers, empowering OT security personnel to respond promptly to cybersecurity incidents or conduct post-incident forensic analysis.
For environments where endpoint agents cannot be installed, Portable Inspector offers an effective solution. This purpose-built tool is designed to detect, remove, and quarantine malware across Cyber Assets. Supporting both Windows and Linux systems, including legacy operating systems, Portable Inspector performs comprehensive asset scanning while collecting detailed information on installed patches and applications. Its portable nature uniquely addresses the challenge of inventorying standalone Cyber Assets that are inaccessible to traditional asset management systems. The collected patch data can be exported to CSV files or integrated with SIEM platforms (such as QRadar or Splunk) or Rsyslog servers for enhanced investigation and asset management capabilities.
CIP-008: Incident Reporting and Response Planning
SageOne functions as a central CPS protection hub, aggregating insights from security inspections, endpoints, and network traffic analysis. This comprehensive visibility across diverse product consoles enables more effective security management through a unified access point. The platform excels in identifying suspicious activities by correlating endpoint and network telemetry with operational context. This environment-specific baseline approach ensures accurate incident identification while minimizing false positives.
CIP-010: Configuration Change Management and Vulnerability Assessments
Stellar can establish a baseline configuration for each controller of BES assets and continuously monitor for configuration changes. Alternatively, it can utilize lockdown capabilities, supporting operational lockdowns, USB device lockdowns, data lockdowns, and configuration lockdowns to ensure endpoint operational integrity, while reducing both downtime and cost.
Additionally, EdgeIPS’s virtual patching capabilities provide networks with robust, up-to-date defense against known threats. Users can maintain enhanced control over the patching process, establishing preemptive defense mechanisms during incidents while ensuring supplementary protection for legacy systems.
CIP-012: Communications Between Control Centers
TXOne’s next-generation industrial-grade EdgeIPS features real-time monitoring capabilities, enabling precise tracking of data transmission between control centers. The system maintains detailed logs of source assets, target assets, and the communication protocols used. Through this comprehensive approach, EdgeIPS effectively prevents unauthorized data leakage and modifications, ensuring the security and integrity of real-time assessments and monitoring data transmissions between control centers and assets.
CIP-013: Supply Chain Risk Management
Portable Inspector delivers an agentless approach to asset security verification, enabling comprehensive health status monitoring of vendor assets. This portable scanning solution executes automated scans without requiring network connectivity, ensuring the security of critical assets prior to their integration into production facilities, thereby enhancing overall supply chain security integrity.
CIP-015: Internal Network Security Monitoring
TXOne Edge network solutions provide advanced network defense capabilities specifically engineered for Internal Network Security Monitoring requirements and operational environments. This ensures optimal solution deployment across industries, accommodating their unique environmental needs through:
- Comprehensive OT protocol support
- Micro-segmentation capabilities
- Asset-centric automatic rule learning technology
- Operational continuity assurance
- Anomaly detection and prevention
- Malware landing prevention
The solution particularly leverages cutting-edge CPSDR (Cyber-Physical Systems Detection and Response) technology for early detection and prediction of anomalous network behavior. Through CPSDR implementation, OT networks can proactively mitigate network risks by intercepting potential threats before they escalate.
Conclusion
TXOne Networks’ comprehensive solution suite enables organizations to achieve and maintain NERC CIP compliance while ensuring operational reliability and security. Through integrated platform capabilities and advanced technological implementations, organizations can effectively manage cyber risks while maintaining operational efficiency.