With a recent surge in cyber incidents aimed at the energy sector, utilities must step up their NERC CIP compliance initiatives. According to a report released by ICS-CERT (the Industrial Control Systems Cyber Emergency Response Team), 53 percent of the cyber incidents reported to the agency from October 2012 to May 2013 came from the energy sector. Fortunately, according to the report, the attacks did not result in any security breaches, although ICS-CERT warns stakeholders to be "constantly vigilant" against network threats.
NERC training and NERC continuing education dedicated to CIP compliance and to controlling and auditing access to critical cyber assets cannot be put off. Like it or not, there is no shortcut around this type of training. Companies should view it as a window of opportunity and an investment that will pay off.
What complicates matters is that some provisions of the standard are difficult to interpret and are a frequent source of confusion among utilities. Even though experts estimate that most companies are around 80 percent compliant, that does not change the fact that meeting the CIP requirements in full is still an arduous undertaking.
For those of you who want to refresh your memory, below is an overview of the NERC CIP version 3 standards, in numerical order:
CIP-002 Critical Cyber Asset Identification. Requires utilities to apply a risk-based assessment methodology to identify their Critical Assets, and then to create and maintain an inventory of the Critical Cyber Assets (CCAs) that are essential to the operation of those Critical Assets.
CIP-003 Security Management Controls. Requires a documented cyber security policy with an accountable senior manager, documented exceptions to that policy, protection of information about CCAs (including control over who may access it), and change control and configuration management for CCAs.
CIP-004 Personnel and Training. Requires a security awareness program, documented cyber security training, and personnel risk assessments for workers who have authorized access to CCAs, along with prompt revocation of that access when it is no longer needed.
CIP-005 Electronic Security Perimeters. Requires every CCA to reside within an Electronic Security Perimeter (ESP), with every access point into the ESP identified, electronic access controls applied at those points so that unauthorized users are locked out regardless of network source or location, and access to the ESP monitored and logged.
CIP-006 Physical Security of Critical Cyber Assets. Requires a physical security plan that controls, monitors, and logs physical access to the CCAs inside each ESP.
CIP-007 Systems Security Management. Requires entities to secure CCAs through controls such as disabling unneeded ports and services, security patch management, malware prevention, account and password management, and security status monitoring and logging.
CIP-008 Incident Reporting and Response Planning. Requires procedures for identifying and classifying cyber security incidents, a documented response plan for addressing them, and reporting of incidents to the appropriate authorities.
CIP-009 Recovery Plans for Critical Cyber Assets. Requires companies to maintain, exercise, and periodically review a recovery plan, including backup and restoration procedures, for CCAs that have been compromised or otherwise lost.
Under the Energy Policy Act of 2005, the NERC CIP standards and their 42 cyber security requirements are mandatory and enforceable. Fall short, and be ready for settlement negotiations and hefty fines, which can reach $1 million per violation per day. In any case, a robust internal compliance program will serve NERC-registered companies both as a regulatory guide and as a basis for penalty reduction; the Federal Energy Regulatory Commission said as much in its Policy Statement on Enforcement.