Updated 15 Mar 2022
The objective of this article is to give you a quick overview of NERC CIP and to help you understand whether it applies to your organization. The article also details the potential consequences of not being in compliance with NERC CIP when you are required to be. Finally, it also discusses compliance in the cloud and other ways to be in compliance with NERC CIP.
If it has a control system, you can be sure hackers somewhere have tried to attack it. And while it may not be the first system that comes to mind, the electric grid that provides power to North America has a control system and it is extremely vulnerable to attack. That’s where NERC comes in.
NERC, or the North American Electric Reliability Corporation (NERC), “is a not-for-profit international regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid. NERC’s area of responsibility spans the continental United States, Canada, and the northern portion of Baja California, Mexico.”
NERC has been around since the early 1960s, long before cyber-attacks were of any concern. But they are now, which is why NERC established NERC CIP.
Up until the Energy Policy Act of 2005, NERC regulations were voluntary. The Act gave NERC the authority to establish mandatory regulations, and in 2008 NERC created NERC CIP, or Critical Infrastructure Protection, a compliance framework designed to mitigate cyberattacks on the electrical grid.
NERC CIP consists of standards, 12 of which are currently subject to enforcement (a further six will become enforceable in the future). Of the 12 current standards, 11 focus on specific areas of cybersecurity, such as security controls, training, incident reporting, and change management. The twelfth standard is concerned with the physical security of the electrical grid.
Each of these standards details requirements which must be met to be in compliance with NERC CIP. Many of these requirements are for documentation, like plans and policies. Also included are Violation Severity Levels, which detail what constitutes a violation of a requirement and how severe that violation is. Compliance enforcement can take several forms, including audits, self-certification, spot-checking, and even violation investigations.
If your company is involved with the bulk electric system (BES), there’s a good chance NERC CIP applies to you. According to NERC, the BES includes “all Elements and Facilities necessary for the reliable operation and planning of the interconnected bulk power system.”
More specifically, the BES covers generation and transmission elements operated at 100 kV or higher. Elements included here are transformers; generating resources (including plants and facilities); Blackstart Resources; dispersed power-producing resources aggregating greater than 75 MVA; and static or dynamic devices designed to absorb reactive power.
There are also some exclusions you should know about, under which NERC CIP does not apply; NERC publishes the details. But generally speaking, if your company is involved in any of the activities described above, you are responsible for complying with NERC CIP.
Even if your company doesn’t own any of the BES assets, you may still have to comply. For example, independent system operators (ISO) and regional transmission organizations (RTO) don’t own any assets but are responsible for running the BES. They too fall under NERC CIP. In practical terms, if your contractors, suppliers, or subsidiaries are regulated, NERC CIP concerns you as well.
If NERC CIP applies to your company and you are not in compliance, you can be fined up to $1 million per violation per day. “That’s the maximum fine; violators are often fined less but the fines are no less hefty.”
“One of the largest penalties incurred by NERC was a 2019 fine of $10 million for 127 violations, some of which had been ongoing for months and others which had only been occurring for a few days. The unidentified organization was cited for violations including not identifying and categorizing assets correctly, as well as violations for not including assets in Disaster Recovery Plans, among several other items.”
In this case, “NERC identified issues which were common to contributing to the violations across all the different standards, including:
The good news? Maybe you’re already in compliance. “Many of the controls that enable compliance for critical infrastructure operators are common across the standards, so implementing a control once enables compliance across multiple standards.”
NERC, along with companies such as Microsoft, has even mapped many of these control standards to each other. In particular, NERC CIP has been mapped to NIST SP 800-53 and to ISO 27001. So, if your company is already implementing the controls applicable to either of those two standards, there’s a good chance you’re already in compliance with NERC CIP.
If your company must comply with NERC CIP, and you have some or all of your control systems in a public cloud, you might be wondering how you can be sure your business is compliant. The short answer is, it depends.
The question isn’t whether public clouds are natively compliant with NERC CIP. The question is, do they provide the proper capabilities for their clients to be NERC CIP compliant if they choose? The answer in the case of two of the three major public cloud providers is yes.
AWS provides a freely downloadable user guide to support compliance with NERC CIP standards. “The guide provides power and utility customers a path to get started planning their migration to the AWS Cloud and making cloud part of their CIP Compliance program.”
Microsoft’s Azure offers a similar NERC CIP compliance guide and cloud implementation guide. According to the company, “Microsoft has made substantial investments in enabling our BES customers to comply with NERC CIP in Azure. Microsoft engaged with NERC to unblock NERC CIP workloads from being deployed in Azure and Azure Government.”
As of this writing, Google Cloud Platform (GCP) does not explicitly state its NERC CIP compliance status, so you would likely have to verify the platform’s status for your own workloads, working with Google or a Google Partner.
One last thing to consider when deploying NERC CIP systems in the cloud: just because the public cloud provider can be made compliant doesn’t mean all of your third-party integrations are compliant. You will have to address each of those on a case-by-case basis.
This article introduced you to NERC CIP, who it applies to, different ways to comply, and what happens if you don’t comply. The article includes links to many resources where you can find more details on complying with NERC CIP.