NERC & FERC Security Hardening
The NERC (North American Electric Reliability Corporation) and the FERC (Federal Energy Regulatory Commission) are the two regulatory bodies responsible for overseeing the security and reliability of the electric grid in the US. The NERC establishes and enforces the standards (NERC CIP Standards) put into place for the bulk power system. FERC has the authority to approve and enforce these standards.
Strengthening the security of the electric grid's critical infrastructure is referred to as security hardening, and it has become even more of a concern following recent substation attacks. Security hardening is a set of measures and practices designed to enhance the cybersecurity and physical security of the electric grid. There are specific requirements for security hardening to be approved by NERC and FERC. These are known as CIPs, or Critical Infrastructure Protections. Below, you will find a list of some key CIPs that are important for approval.
NERC CIP Standards
1. Access Control (CIP-003):
• Establish and enforce access controls to protect CCAs (critical cyber assets).
• Document and implement physical and electronic access permissions.
• Multi-factor authentication is required for any personnel accessing CCAs.
• Monitor and log access attempts.
2. Security Management and Personnel Training (CIP-004):
• Design and implement a cybersecurity policy.
• Create roles and document the responsibilities for cybersecurity.
• Provide training programs to personnel with access to CCAs.
3. Personnel and Training (CIP-005):
• Background checks are required for those with access to CCAs.
• Any terminated employees should have access revoked immediately.
• Maintain an accurate record of who has access.
4. Electronic Security Perimeter (CIP-005-5):
• Implement an electronic security perimeter to protect CCAs.
• Establish firewalls, intrusion detection systems, and intrusion prevention systems to prevent unauthorized access.
• Perform regular security assessments of the electronic security perimeter.
5. Incident Response and Recovery Planning (CIP-008):
• Design an incident response plan.
• Test the incident response plan regularly.
• Report any cybersecurity issues to the appropriate authorities.
6. Recovery plans for CCAs (CIP-009):
• Create recovery plans for CCAs to ensure a quick recovery from any cybersecurity incident.
• Test and update plans regularly.
7. Physical Security (CIP-014):
• Create and implement physical security measures to protect against unauthorized access, vandalism, and acts of terrorism.
• Implement a physical security perimeter to protect critical substations and control centers.
8. Supply Chain Risk Management (CIP-013):
• Take measures to assess and manage the risks associated with the supply chain for critical infrastructure.
• Create a cybersecurity procurement process.
9. Vulnerability Assessment and Management (CIP-010):
• Identify the potential vulnerabilities in the system that could be exploited by attackers.
• Create and manage a vulnerability management program.
10. Incident Reporting and Response Planning (CIP-008-6):
• Establish an incident response plan that includes the procedures for recording and reporting cybersecurity incidents.
• Test this plan regularly.
Maintenance and Training
Ensuring the proper maintenance and training involved with these CIPs is crucial to the security hardening process. Utilities and organizations associated with NERC/FERC must undergo regular audits to ensure they are following the guidelines. If they are non-compliant, it can lead to penalties, fines, and sanctions.
Security hardening is an ongoing process. Organizations must continuously assess and improve the systems they have in place to protect against potential threats. Regular risk assessments are integral to the process of continuous improvement. Keeping this in mind, you must also watch for any emerging threats and technologies that could cause harm.
Many NERC and FERC organizations collaborate with each other. Sharing information can be extremely helpful and can help everyone improve their practices to ensure the overall safety of the electric grid.
NERC CIP Standards: In Summary
As you can see, security hardening under NERC/FERC can involve a very comprehensive set of requirements. These practices help keep our electric grid safe and ensure reliability and resilience. Continuous improvement in these practices is essential to adapt to the ever-changing landscape of threats and technologies. See how FDC is helping with the StrongWeld Defender, our line of substation ballistic gates.