NERC CIP Compliance Management: Protecting Critical Cyber Assets

ABS Group Safety, Risk and Compliance Services

NERC Cybersecurity Standards

The North American Electric Reliability Corporation (NERC) Cybersecurity Standards are known as Critical Infrastructure Protection (CIP) Standards 002 through 014. The CIP standards are mandatory for certain entities and require the protection of all critical cyber assets that could impact bulk electric system reliability.

These standards are intended to protect against losing control of the bulk electric system through improper cyber and/or physical access to control equipment (i.e., a cyber-attack). This loss of control could result in equipment damage and blackouts, compromising not only commercial interests but the public sector as well.

Critical Infrastructure Defined

The Energy sector (comprising electricity, oil and natural gas) is one of 16 Critical Infrastructure sectors identified in Homeland Security Presidential Directive (HSPD) 21. Critical Infrastructure is defined by the U.S. Department of Homeland Security (DHS) as the assets, systems and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

All critical sectors are inter-dependent on the others to some degree. However, of the 16 identified critical sectors, the Energy sector may be seen as the backbone for all of the other sectors. To demonstrate the potential impacts of one sector on another, consider the following scenarios:

  • The Financial Services sector cannot function properly without the Cyber sector, and the Cyber sector is dependent on the Energy/Electric sector.
  • Likewise, the Transportation sector is dependent on both the Cyber sector and the Energy/Electric sector. For example, in metropolitan areas, whenever the systems operating traffic lights fail, it does not take long for traffic to come to a halt in the confusion.
  • The Water and Wastewater sector also depends on energy to power the pumps that supply fresh water to public infrastructure systems. Imagine an office complex without functioning wastewater systems to remove wastewater from the restrooms. The building would become uninhabitable very quickly.

According to DHS, the U.S. electricity segment contains more than 6,413 power plants (this includes 3,273 traditional electric utilities and 1,738 nonutility power producers) with approximately 1,075 gigawatts of installed generation. The NERC CIP 014-2 requirements provide guidance for the physical protection of these electric utilities, the infrastructure and operation of which are critical to the nation's overall quality of life and security.

NERC CIP 014-2: Third Party Reviews

In April 2013, an attack on a California substation by unknown individuals highlighted the need for increased attention to Physical Security practices. On May 13, 2014, NERC approved the NERC CIP 014-1 standard to specifically address substation physical security. NERC subsequently amended its CIP 014-1 standard and issued NERC CIP 014-2, which became effective on October 2, 2015. The NERC CIP 014-2 standard consists of six major requirements and 18 sub-requirements for compliance.

A brief explanation of the requirements is as follows:

Requirement 1: Outlines elements of a risk assessment, which must be completed at least once every 30 months
Requirement 2: Specifies third party review of the risk assessment by an unaffiliated entity
Requirement 3: Pertains to control centers that control the critical substations
Requirement 4: Defines the elements for conducting a required threat analysis
Requirement 5: Describes the fundamentals of a physical security plan
Requirement 6: Specifies a third party review of Requirement 4 and Requirement 5 by an unaffiliated entity

Our Approach: Industrial Security Solutions

ABS Group has the safety, risk and cybersecurity asset management expertise to conduct independent third party reviews as well as extensive experience in managing compliance with NERC CIP cybersecurity standards. Our Industrial Security Solutions team recognizes that each company has different operational and functional requirements that are unique to the operating environment and can tailor our approach to suit these needs. Explore our Compliance Management solutions and NERC CIP Compliance services to learn more.
