The NERC CIP (North American Reliability Corporation Critical Infrastructure Protection) version 5 standards are designed to secure the assets required for operating North America’s Bulk Electric System (BES). The Version 5 standards as described below introduce a tiered impact rating system which classify the BES cyber systems into high, medium and low impact categories – all cyber assets that could impact BES facilities are in the scope for the CIP standards. In terms of ICS cybersecurity protection of high impact systems, 005-5 Electronic Security Perimeter is most relevant for discussion.
|CIP-002-5||Cyber Security – BES Cyber System Categorization|
Identifies and categorizes BES Cyber Systems and their associated BES Cyber Assets for the application of cyber security requirements in relation to the impacts that misuse, loss or compromise of those systems could have on the reliable operation of the BES.
|CIP-003-5||Cyber Security – Security Management Controls|
Specifies consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise.
|CIP-004-5||Cyber Security – Personnel & Training|
Guidance for minimizing risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES Cyber Systems. Requires an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.
|CIP-005-5||Cyber Security – Electronic Security Perimeter(s)|
Guidance for managing electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise.
|CIP-006-5||Cyber Security – Physical Security of BES Cyber Systems|
Physical access management to BES Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise.
|CIP-007-5||Cyber Security – Systems Security Management|
Specifies technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise.
|CIP-008-5||Cyber Security – Incident Reporting and Response Planning|
Guidance for mitigating risk to the reliable operation of the BES as the result of a cybersecurity incident through specific incident response requirements.
|CIP-009-5||Cyber Security – Recovery Plans for BES Cyber Systems|
Specifies recovery plan requirements for BES Cyber Systems in support of continued stability, operability, and reliability of the BES.
|CIP-010-5||Cyber Security – Configuration Change Management and Vulnerability Assessments|
Prevention and detection of unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise.
Prevention of unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise.
What is in the standard
The electric power sector leads both North American industry and the world in strong cyber-security standards. Both the NEI and NRC standards in nuclear generation and the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards in the Bulk Electric System1 (BES) are seen as among the most demanding cyber-security regimes enforced anywhere in the world. The NERC CIP standards in particular are seen as a model of cyber security for other industries and critical infrastructures. The NERC CIP V5 standards are designed specifically to enhance the reliability of the Bulk Electric System through strong security.
Relationship to Unidirectional Gateways
The CIP V5 standards recognize that Unidirectional Security Gateways provide security which is stronger than firewalls, and position the gateways as an alternative to firewalls and costly Network Intrusion Detection Systems (NIDS). The V5 CIP standards have 103 requirements overall, and provide exemptions from 37 Medium-Impact requirements, and 5 High-Impact requirements, when Waterfall’s Unidirectional Security Gateways are used to protect an Electronic Security Perimeter (ESP) rather than using firewalls and NIDS. Unidirectional Security Gateways increase the security of critical control systems, simplify and reduce the ongoing cost of CIP V5 compliance programs, and eliminate the need to use high-maintenance firewalls and NIDS.
Waterfall’s Unidirectional Security Gateways are deployed widely in Bulk Electric Systems, especially in power generation applications. The strong security provided by these gateways is recognized by steadily increasing numbers of industry analysts and security experts. In short, the Bulk Electric System is becoming measurably safer, more secure and more reliable as a result of the widespread deployment of Unidirectional Security Gateways.