NERC sets standards for how electricity operators can best keep their systems safe and reliable. These are the electrical utility industry’s guidelines for reliability and safety in the operation of generating plants, power plants, transmission, bulk power distribution systems, and certain types of industrial equipment.
NERC standards cover everything from emergency preparedness to cybersecurity and physical security.
What Is NERC?
NERC stands for North American Electric Reliability Corporation. It is a not-for-profit organization that was created by electric utility industry representatives to promote the reliability of North American bulk power system operations.
NERC has been in operation since its inception in 1968, and it has been responsible for ensuring that all aspects of the power grid are functioning at optimal levels. This includes transmission lines, generating stations, and distribution lines. The organization also monitors activities related to cyber security and operates a 24-hour watch center for any potential threats to the grid’s integrity.
The NERC CIP Standards
The NERC standards are the set of regulations that NERC enforces to ensure that all US power grid operators are protecting their systems from risks related to cyber security and physical security.
The rules cover everything from how companies must protect their IT networks, to how they should respond when an attack occurs, to what legal requirements they need to follow when reporting cyber attacks.
NERC’s goal is to ensure that all companies operating under these standards have a common understanding of best practices and procedures so they can effectively manage their operations and prevent outages.
Here is a breakdown of the current enforceable NERC CIP Standards and their purpose:
CIP-2: BES Cyber System Categorization
To categorize the different kinds of cyber systems used by the BES and to identify the cyber assets associated with each system. This includes determining which systems are most critical for maintaining the reliable operation of the BES.
CIP-3: Security Management Controls
To specify consistent and sustainable security management controls that will protect BES Cyber Systems from compromise.
CIP-4: Personnel and Training
To minimize the risk of compromise in the Bulk Electric System (BES) Cyber Systems by requiring personnel to assess and improve their security awareness, training, and education.
CIP-5: Electronic Security Perimeter
To protect BES Cyber Systems from potential attacks by specifying a controlled Electronic Security Perimeter.
CIP-6: Physical Security of BES Cyber Systems
To define the requirements for protecting Bulk Electric System (BES) Cyber Systems by specifying a physical security plan.
CIP-7: System Security Management
To protect the Bulk Electric System (BES) against cyber attacks by specifying requirements for technical, operational, and procedural safeguards.
CIP-8: Incident Reporting and Response Planning
To ensure the reliable operation of the BES by specifying requirements for responding to cyber security incidents.
CIP-9: Recovery Plans for BES Cyber Systems
To plan for the continued stability, operability, and reliability of BES cyber systems by specifying recovery planning requirements.
CIP-10: Configuration Change Management and Vulnerability Assessments
To protect BES Cyber Systems from unauthorized changes that could cause them to malfunction or fail, by managing configuration changes and performing vulnerability assessments.
CIP-11: Information Protection
To protect BES Cyber Systems by specifying information protection requirements that will prevent unauthorized access.
CIP-13: Supply Chain Risk Management
To prevent cyber security risks to the reliable operation of the Bulk Electric System by implementing security controls in the supply chain.
CIP-14: Physical Security
To identify and protect transmission stations, substations, and their associated primary control centers. These facilities must be protected so that if they are damaged or shut down for any reason, the Interconnection will not become unstable.
Are NERC standards mandatory?
Compliance with approved NERC Reliability Standards became mandatory and enforceable in the United States on June 18, 2007.
Who should comply with NERC?
NERC’s Reliability Standards apply to all bulk power system owners, operators, and users. Register with NERC through the appropriate Regional Entity if you are among these parties.
How are NERC Reliability Standards enforced?
NERC relies on its monitoring and enforcement capabilities to ensure compliance with Reliability Standards. These include:
- Ongoing monitoring of compliance through the Regional Entities and other entities that have been authorized by NERC to perform this function;
- Compliance audits performed by qualified third parties to assess performance against Reliability Standards;
- Imposing fines.