NERC CIP – Stronger, Easier

The NERC CIP standards specify the cybersecurity measures required in the North American Bulk Electric System (BES) for grid control centers, large power plants and high-voltage substations. The standards are also used as guidance by many other stakeholders, even in other industries, around the world. A problem with the standards, however, is that they are written in abstract language that is difficult to interpret. For example, the standards effectively forbid OT systems from using IT Active Directory forests, and strongly encourage the use of Unidirectional Gateways – yet neither the words “Active Directory” nor “Unidirectional Gateway” appear anywhere in the standards.

This is unfortunate, because Unidirectional Gateways really do strengthen and simplify NERC CIP security and compliance programs. Unidirectional Gateways are used routinely at the IT/OT interface in power plants – providing OT data to IT users and applications, with no risk at all of cyber attacks “leaking” through the gateways back into protected networks. Unidirectional Gateway technology is currently deployed to protect roughly 1/3 of the power produced in the North American grid. Unidirectional Gateways are also used to protect inter-utility ICCP connections in Balancing Authorities (BAs) and Transmission System Operators (TSOs). And the gateways are starting to be used to protect sub-networks of protective relays in power plants and high-voltage substations.

NERC CIP Standards Subject to Enforcement

| Title | Specifies |
|---|---|
| BES Cyber System Categorization | Which kinds of computer systems must use which rules |
| Security Management Controls | How a CIP program must be documented |
| Personnel & Training | Background checks, training programs, etc. |
| Electronic Security Perimeters | Network segmentation & remote access rules |
| Physical Security of BES Cyber Systems | Physical security for areas containing CIP-covered systems |
| Systems Security Management | Anti-virus, security updates & other host-based measures |
| Incident Reporting and Response Planning | Security incident response rules |
| Recovery Plans for BES Cyber Systems | Backups & related measures |
| Configuration Change Management & Vulnerability Assessments | Planning for, documenting, & testing changes + periodic assessments |
| Information Protection | Rules for protecting design information, erasing systems before disposal, etc. |
| Communications Between Control Centers | Encrypted communications between grid control centers |
| Supply Chain Risk Management | Supplier risk assessments & related measures |
| Physical Security | Physical security measures for high-voltage substations |

NERC CIP Unidirectional Exemptions

The NERC CIP standards recognize that Unidirectional Gateways are stronger than firewalls and in fact provide engineering-grade protection to industrial operations, rather than only IT-grade protection. The standards express this recognition by exempting unidirectionally-protected BES Cyber Systems from 37 requirements – 37 out of the roughly 125 requirements in the standards family. It is unfortunate that, while the CIP drafting team clearly understood the benefits of using Unidirectional Gateways, the abstract language of the standards makes it difficult for readers to recognize these same benefits.

The resources on this page are provided in hopes of clarifying the role of Unidirectional Gateways in simplifying and reducing the cost of strong NERC CIP security and compliance programs.

Read more about NERC CIP

NERC CIP Tricky Bits - Active Directory Servers

NERC CIP is written in an abstract language – independent of technologies and network designs. Interpreting the standard for specific technologies and networks can be tricky. In this article, we look at one of the tricky bits in the standard: mixed-trust Active Directory servers.

Insights from the NERC CIP Emerging Technologies Round Table

I recently attended the NERC CIP Emerging Technologies Round Table meeting on Cloud & IoT, where a primary focus was Bulk Electric System (BES) Cyber Systems in the cloud. BES Cyber Systems are systems with an adverse effect on the BES within 15 minutes of failure or compromise. Interestingly, the most thought-provoking discussion at the end of the day had to do with the Internet, not with the cloud. Can electric utilities withstand the most sophisticated of Internet-based cyberattacks? Imagine a massive distributed denial of service (DDoS) attack that targets, not Microsoft Azure or Amazon, but one or more electric
