What Maintaining NERC CIP Compliance Really Means

Posted in: Command & Control, Government, Security, Transportation, Utilities

By Jason Bubnis on Mar 29, 2021

Doomsday scenarios and wide-scale blackouts are often depicted in the media and tossed around hypothetically. Yet, as many in the utilities and critical infrastructure industry know, there has been an ostensible rise in recent years in attempted cyberattacks on the complex systems and grids that entire cities, nations and economies rely on.

Enter the U.S. government’s creation of the North American Electric Reliability Corporation (NERC), a framework designed to strengthen cyber resilience at critical operation centers by putting in place regulations to protect the Bulk Electric System (BES) of North America. Born out of this initiative was the critical infrastructure protection (CIP) standard, which became a mandate for utilities seeking to protect their control centers: follow its guidelines and devise specific network security protection measures.

Owners, operators and users on the bulk power system are required to comply with an ever-evolving list of security standards. So, when technology integrators are contracted to deploy solutions within these control centers, it’s imperative that they play a proactive role in maintaining NERC CIP compliance.

Understanding Critical Energy Infrastructure

Before even starting on the path of preparing and coordinating for NERC CIP, it’s just as vital for integrators to fully grasp how these companies operate and maintain the BES, particularly if you’re planning on contributing to the greater control room design and configuration. The majority of these entities monitor the power grid and dispatch when a problem is diagnosed within their perimeter. But the different system processes, software and platforms can take on a variety of arrangements when it comes to day-to-day monitoring, forecasting and control; some are on a smart grid and highly centralized, while others may rely on interfaces that are more fragmented.

Whether it’s energy management, outage management, customer and delivery tracking, synchrophasor measurements, system model validation, wide-area visualization or numerous others, it’s mission-critical to ensure that all connected components and applications of the control room function both securely and precisely as grid operators need them to.

Elements of NERC CIP

On its surface, the fundamentals of NERC CIP are straightforward:

  • Identify and monitor critical assets
  • Train users and prepare management
  • Perform risk assessments
  • Establish an electronic security perimeter
  • Enforce physical security protocols
  • Restrict access to devices
  • Stay abreast of the latest cybersecurity practices

It all really boils down to physical and network security measures—or the people and the technology. As mentioned, under NERC CIP, utility companies operating on the BES are required to identify and categorize critical assets in the control room. Why? To regularly perform a risk analysis of those assets, implement cyber-monitoring tools and reduce network vulnerabilities in general. Makes sense, but the policies for governing modifications and access to those assets change frequently and can be complicated to comply with.

The purpose of CIP is to lay the groundwork so that operation centers are prepared to deal with potential threats and keep the national and regional critical infrastructure as secure as possible. But is the onus of keeping up with new policy amendments and ensuring compliance solely on the utility companies?

Working Together

The short answer is no. The longer answer? Still no, and in fact, the longevity of control room systems depends on technology integrators having full comprehension of NERC CIP standards.

From the supply chain to system testing to installation and configuration, technology providers have to be vetted by end-users to make sure that they are compliant with all CIP requirements. Therefore, control room integrators must be willing to go through the necessary training, pass evaluations and provide clear documentation that all personnel and equipment deemed “critical assets” will be compliant and air-gapped when possible, whether that’s a video wall, large-format display, audio system, touch panel or processor.

The value of that relationship goes further than simply following regulations; it’s a mutual understanding that NERC CIP compliance means something specific to their unique solution and their operation center design. Taking the time and effort to gain a deep knowledge of the technical and people-centered requirements, along with following the security protocols employed to protect data, demonstrates that security and system integrity are a priority and not just a hoop to jump through.

Navigating the Future of Security & Control

The NERC CIP program was a direct response to the infamous Northeast blackout of 2003. Research shows that since then, data and network protection measures continue to improve in tandem with the advancement of cyber threats. And as fewer people are needed in the control room with big data aggregation and artificial intelligence taking hold, it will only become more crucial to establish up-to-date cyber defenses and recognize what NERC CIP means to a utility’s control center.

The Vistacom Control Room Solutions team likes to say that we speak CIP. We understand what it takes to securely integrate technology as operations become more and more agile, and we have the expertise to keep users in compliance.

Get in touch with one of our control room specialists.
