History and Future of NERC CIP

Thursday, October 16, 2025
10:00 AM PDT | 01:00 PM EDT
Duration: 90 Minutes
Speaker: Tom Alrich
Webinar Id: 61825
Pricing:

  • Live Session: $119.00 Single Attendee | $249.00 Group Attendees
  • Recorded Session: $159.00 Single Attendee | $359.00 Group Attendees
  • Combo (Live + Recorded): $249.00 Single Attendee | $549.00 Group Attendees

Overview:

The term “NERC CIP” refers to a family of 14 cybersecurity standards that are developed and audited by NERC, a nonprofit organization owned by its members, which are referred to as “NERC Entities”. NERC Entities primarily include North American electric utilities and Independent Power Producers (IPPs). The latter include oil- and gas-burning generators and renewable power producers (mostly wind and solar energy producers).

All NERC standards (including the CIP standards) are enforced in the US under the supervision of the Federal Energy Regulatory Commission (FERC) and in Canada under the supervision of the provincial governments. The standards are enforced through regular audits conducted by auditors employed by the six NERC “Regional Entities”. Penalties for non-compliance with just one of the approximately 45 CIP requirements can run into tens or hundreds of thousands of dollars per requirement violated; the largest NERC CIP fine so far (which covered extended violations of many requirements) was $10 million. Needless to say, NERC entities are very concerned about maintaining compliance with the CIP standards.

Because cybersecurity threats are constantly changing and are often difficult to define, there is much concern in the NERC community about how to interpret the CIP standards, especially since NERC is not allowed by its Rules of Procedure to provide compliance guidance to NERC Entities. Training by outside experts is therefore the most effective way to train employees on CIP compliance.

Why you should Attend:

There are three groups of people who should attend this course. The first is people who work for NERC Entities that must comply with CIP, including anybody who is involved in power industry operations (e.g., people who work in control centers, substations, and power generation facilities, including renewables generation facilities). It also includes people who work in areas like NERC Compliance, Transmission and Distribution, Substation Engineering and Generation.

The second group is people who work for an organization that provides products or services to electric utilities or Independent Power Producers, including renewables producers. Even though those organizations do not themselves need to comply with any NERC CIP standard, two of the standards - CIP-004 Personnel and Training and CIP-013 Supply Chain Risk Management - impose requirements on vendors indirectly, through their NERC Entity customers. Those customers can literally be fined if one of their suppliers maintains poor security practices.

The third group is people outside the power industry who are interested in learning about the NERC CIP standards, since they are some of the most rigorous cybersecurity standards in the private sector. NERC CIP has been in place since 2008 and has gone through many revisions; there are many lessons to be learned from the power industry’s experience with the standards.

Areas Covered in the Session:

  • History of NERC from its founding in 1968 through implementation of the Energy Policy Act of 2005
  • FERC’s approval of CIP version 1 in January 2008
  • Development of CIP versions 2 and 3 in response to FERC orders
  • Development of “bright line criteria” in CIP version 4, which was never implemented
  • Development of CIP version 5 from 2011 through FERC approval in 2013 and implementation in 2016. CIP v5 was a complete rewrite of the CIP standards and put in place the structure we follow today: BES Cyber Systems (BCS), Electronic Security Perimeter (ESP), BES Cyber System Information (BCSI), etc
  • New and revised standards since 2016, including CIP v6; major revisions to CIP-003 and CIP-008; CIP-012; CIP-013; CIP-014; and CIP-015 (implementation still pending)
  • Revisions to CIP-004 and CIP-011 to accommodate BES Cyber System Information (BCSI) in the cloud (another course titled “CIP-011, CIP-004 R6, BCSI and the Information Protection Program” is available)
  • Brief discussion of the current effort to revise the CIP standards (and perhaps the NERC Rules of Procedure) to allow full use of the cloud by all systems subject to CIP compliance (this is the subject of the course “NERC CIP and the Cloud”)

Who Will Benefit:

  • CISO and staff, Training Department, NERC Compliance Department, T&D Operations, and other departments in target companies who are concerned with operational security and compliance.
  • Sales and Technical Support Departments (for vendors to the power industry)
  • Individual employees who know NERC CIP is important to the company and want to learn about it to further their career.
  • People who work in other industries (or for consulting organizations), who would like to hear what lessons can be learned from the power industry’s experience with CIP.

Speaker Profile

Tom Alrich is an independent consultant and trainer specializing in two important topics:

Compliance with the rigorous NERC CIP cybersecurity standards, which apply to the control systems that monitor and operate the North American power grid. They are enforced by NERC and the Federal Energy Regulatory Commission (FERC); they carry maximum penalties of $1 million per violation per day. While these standards have been successful in securing the grid in the more than 15 years they have been in effect, they are increasingly inhibiting security by preventing many electric utilities and Independent Power Producers from utilizing cloud-based security software and services.

Software vulnerabilities, which “open the door” for the most successful cyber attacks. All software has vulnerabilities. These can never be eliminated, but they can be managed. However, management can only be successful if good data are available on vulnerabilities, as well as data on the software or devices in which the vulnerabilities are found. Currently, two big US government programs are essential to providing that data: the CVE Program (sponsored by CISA, part of the US Department of Homeland Security) and the National Vulnerability Database (run by NIST, part of the Department of Commerce). There are currently serious problems with both programs, and both are likely to undergo big changes in the coming years.