Introduction to the NERC CIP Cybersecurity Standards

Thursday, October 09, 2025
10:00 AM PDT | 01:00 PM EDT
Duration: 90 Minutes
Tom Alrich
Webinar Id: 61824
  • Live Session: $119.00 (Single Attendee), $249.00 (Group Attendees)
  • Recorded Session: $159.00 (Single Attendee), $359.00 (Group Attendees)
  • Combo (Live + Recorded): $249.00 (Single Attendee), $549.00 (Group Attendees)

Overview:

The term “NERC CIP” refers to a family of 14 cybersecurity standards that are developed and audited by NERC, a nonprofit organization owned by its members, which are referred to as “NERC Entities”. NERC entities primarily include North American electric utilities and Independent Power Producers (IPPs). The latter include oil and gas-burning generators and renewable power producers (mostly wind and solar energy producers). 

All NERC standards (including the CIP standards) are enforced in the US under the supervision of the Federal Energy Regulatory Commission (FERC) and in Canada under the supervision of the provincial governments. The standards are enforced through regular audits conducted by auditors employed by the six NERC “Regional Entities”. Penalties for non-compliance with just one of the approximately 45 CIP requirements can run into tens or hundreds of thousands of dollars per requirement violated; the largest NERC CIP fine so far (which covered extended violations of many requirements) was $10 million. Needless to say, NERC entities are very concerned about maintaining compliance with the CIP standards.

Because cybersecurity threats are constantly changing and are often difficult to define, there is much concern in the NERC community about how to interpret the CIP standards, especially since NERC is not allowed by its Rules of Procedure to provide compliance guidance to NERC Entities. Training by outside experts is the most effective way to train employees on CIP compliance.

Why you should Attend:

There are three groups of people who should attend this course. The first is people who work for NERC Entities that must comply with CIP, including anybody who is involved in power industry operations (e.g., people who work in control centers, substations, and power generation facilities, including renewables generation facilities). It also includes people who work in areas like NERC Compliance, Transmission and Distribution, Substation Engineering, and Generation.

The second group is people who work for an organization that provides products or services to electric utilities or Independent Power Producers, including renewables producers. Even though those organizations do not themselves need to comply with any NERC CIP standard, two of the standards - CIP-004 Personnel and Training and CIP-013 Supply Chain Risk Management - impose direct requirements on vendors through their NERC Entity customers. Those customers can literally be fined if one of their suppliers maintains poor security practices.

The third group is people outside the power industry who are interested in learning about the NERC CIP standards, since they are some of the most rigorous cybersecurity standards in the private sector. NERC CIP has been in place since 2008 and has gone through many revisions; there are many lessons to be learned from the power industry’s experience with the standards.

Areas Covered in the Session:

  • Brief history of NERC and NERC CIP (note: full courses titled “Introduction to NERC”, “Introduction to FERC”, and “History of NERC CIP” are also available)
  • The concepts on which the standards are based, including BES Cyber System, Electronic Security Perimeter, Protected Cyber Asset, Interactive Remote Access, and BES Cyber System Information
  • Short introduction to each of the 14 current or future NERC CIP standards, numbered CIP-002 through CIP-015 (full courses are available on CIP-002, CIP-003, CIP-005, CIP-007, CIP-010 and CIP-013; courses on the remaining standards can be easily developed)
  • How the NERC CIP standards are developed, implemented and enforced
  • Current issues and controversies regarding the NERC CIP standards

Who Will Benefit:

  • CISO and staff, Training Department, NERC Compliance Department, T&D Operations, and other departments in target companies who are concerned with operational security and compliance
  • Sales and Technical Support Departments (for vendors to the power industry)
  • Individual employees who know NERC CIP is important to the company and want to learn about it to further their career
  • People who work in other industries (or for consulting organizations) who would like to hear what lessons can be learned from the power industry’s experience with CIP


Speaker Profile

Tom Alrich is an independent consultant and trainer specializing in two important topics:

Compliance with the rigorous NERC CIP cybersecurity standards, which apply to the control systems that monitor and operate the North American power grid. They are enforced by NERC and the Federal Energy Regulatory Commission (FERC); they carry maximum penalties of $1 million per violation. While these standards have been successful in securing the grid in the 15 years they have been in effect, they are increasingly inhibiting security by preventing many electric utilities and Independent Power Producers from utilizing cloud-based security software and services.

Software vulnerabilities, which “open the door” for the most successful cyber attacks. All software has vulnerabilities. These can never be eliminated, but they can be managed. However, management can only be successful if there are good data available on vulnerabilities, as well as data on the software or devices in which the vulnerabilities are found. Currently, two big US government programs are essential to providing that data: the CVE Program (run by the US Department of Homeland Security) and the National Vulnerability Database (run by the Department of Commerce). There are currently serious problems with both programs, and both are likely to undergo big changes in the coming years.