NERC-CIP Compliance

NERC Compliance

Ensuring cyber security in control systems may initially seem daunting as it requires a commitment from the entire organization. Upper management needs to recognize the numerous benefits of a secure SCADA system. These advantages include ensuring system uptime, reliability and availability. Implementing good cyber security is smart business because a secure system is a trusted system, and customer retention and loyalty is built around trust. Vendors, system integrators, IT, and control engineers all share this responsibility.

There are many resources available now to help critical infrastructure SCADA systems enhance their security. For example, the standard ISA99 – Industrial Automation and Control Systems Security, establishes best practices, technical reports, and related information to define procedures for implementing and assessing electronically secure systems. Compliance with this standard can improve manufacturing and control system electronic security, help identify and address vulnerabilities, and reduce the risk of compromised confidential information and system degradation.

Government regulations also exist and continue to evolve to secure critical infrastructure industries. The most ambitious one for influencing government policy is the non-profit North American Electric Reliability Corporation (NERC) – Critical Infrastructure Protection (CIP) standard. Known as NERC-CIP, this standard has its roots in the Electricity Modernization Act – which is part of the US Energy Policy Act of 2005. Within the Energy Policy Act of 2005, there is a section which dictates that the NERC-CIP standard requires all power plants and electric utility facilities to develop new cyber security systems and procedures in accordance with a 3-year implementation plan. There are eight different CIP standards covering everything from Security Management Control and Critical Cyber Assets, to Incident Reporting and Recovery Plans.  Each one of the eight standards defines a series of specific requirements. The standards are:

• CIP-002-1: Critical Cyber Asset Identification

• CIP-003-1: Security Management Controls

• CIP-004-1: Personnel and Training

• CIP-005-1: Electronic Security Perimeter

• CIP-006-1: Physical Security of Critical Cyber Assets

• CIP-007-1: Systems Security Management

• CIP-008-1: Incident Reporting and Response Planning

• CIP-009-1: Recovery Plans for Critical Cyber Assets

Actions/Configurations for NERC Compliance

Several features can be enabled or configured on the software platform to help achieve better system security. The basic procedures are:

• Enable software platform Domain user control with Windows Active Directory;

• FrameworX is CFR 21 Part11 compliant. All features described in this rule must be enabled/configured. See the article below.

• Enable (Native TCP/IP protocol) communication compression;

• Enable Project Cryptography (password protection);

• Enable Tracing options;

• Working alongside software platform, data can be stored using compression and cryptography techniques inside Microsoft SQL, avoiding data replacement.

• Integration with other tools to provide auto backup and disaster recovery tools can also be used;

• Choose a tested/certified Anti-Virus and system environment application control.

In this section: