Any country’s electricity sector is uniquely critical because it is a pervasive enabling function not only for all critical infrastructure sectors, but for all organizations large and small as well as the continued daily survival of its entire population.
Thus, the North American Electric Reliability Corporation (NERC) has continued to update its Critical Infrastructure Protection (CIP) regulatory standards in support of strengthening the reliability bulk electrical system. Even for non-regulated electric utility facilities, the NERC CIP standards provide a very workable approach to security-effective and cost-effective critical asset protection.
NERC CIP regulations require security risk assessments as part of a people, process and technology approach to designing and implementing security measures. That is why NERC CIP’s approach can be used to establish a sound security program. The NERC CIP requirements for role and responsibility assignments, for risk, threat and vulnerability assessments, and for the documentation of those steps as well as the documentation of the security planning and implementation that follow, are critically important for establishing manageable and sustainable strong asset protection – which is the ultimate objective.
Understanding the rationale behind NERC CIP and the individual requirements is key to achieving strong compliance assurance. Having clarity on the assets and how each of the infrastructure components affects the organization helps assure that the combination of people, process and technology measures will be the right fit for the organization as well as for the risks faced by each facility.
Two insightful, highly-readable and easy-to-apply books on NERC CIP compliance are:
Protecting Critical Infrastructure: A Guide to Critical Infrastructure Protection Based on the North American Electric Reliability Corporation Critical Infrastructure Protection Standards by Karl Perman and Terry Schurter (2016). This book explains the rationale behind the NERC CIP approach and its requirements, and describes the effort, preparation and the sustainment that is required to ensure compliance and reliability. Available in paperback and Kindle formats.
Protecting Critical Infrastructure contains several critical lists and two-dozen matrices that identify and cross-reference the NERC CIP standards, requirements and impact ratings with the evidentiary documentation, enabling technologies, and activity that invokes required action.
CIP LOW: Building a Successful Compliance Program for Low Impact BES assets by Terry Schurter, Karl Perman and Marc Grayson (2017). Available in paperback and Kindle formats.
CIP LOW identifies dozens of key tasks to perform relating to the requirements and types of controls specified. Consider this a “cheat sheet” to CIP Low compliance.
NERC CIP Compliance Services
RBCS provides support services for NERC CIP compliance, including the third-party evaluations required by CIP-14-2.
Quality assurance for RBCS projects is provided by highly-experienced consultants who have in-depth experience helping dozens of utility companies in the development of their NERC CIP compliance programs, including the required documentation, and implementation of their security plans and security control measures.
To discuss NERC CIP compliance support services, please contact Ray Bernard at (949) 831-6788 or RayBernard@go-rbcs.com.