Registered Entities that generate electricity or own and operate high-voltage transmission are required to comply with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) reliability standards. The NERC CIP reliability standards are a set of enforceable requirements designed to safeguard the BES Cyber Systems and associated cyber assets that underpin the North American Bulk Electric System (BES).
Through our Software Compliance Testing service for NERC CIP, we assess and test vendors' software solutions to ensure they support the NERC CIP requirements. After a thorough evaluation, we feature these solutions on our website.
NERC CIP Compliance Testing Controls
Compliance Testing for NERC CIP relies on credible, objective testing controls based on the intent of the NERC CIP requirements. This approach incorporates the auditor's perspective and input from various specialists, including affected software vendors, developers, users, and industry groups, to align with organizational needs. The NERC CIP compliance testing controls cover the following software control categories:
Application and DevOps Security
CIP-003-8: This standard establishes consistent and sustainable security management controls that assign responsibility and accountability for protecting BES Cyber Systems against compromise. It does not address application or DevOps security directly, but it lays the groundwork for a secure development and operational environment: its R1 requires documented cyber security policies that cover, among other topics, incident reporting and response planning, recovery plans, configuration change management and vulnerability assessments, and information protection.
CIP-010-4: Focuses on configuration change management and vulnerability assessments. It mandates development of baseline configurations, a change management process that authorizes and documents deviations from the baseline, and vulnerability assessments, including an active assessment of new Cyber Assets before they are added to a production environment. This standard directly contributes to application and DevOps security by enforcing known-good configurations and surfacing vulnerabilities early in the lifecycle.
CIP-013-2: Addresses supply chain risk management for BES Cyber Systems and their associated EACMS and PACS. While not focused on application development itself, it requires supply chain risk management plans that address third-party software and services, including vendor notification of incidents and vulnerabilities and verification of the integrity and authenticity of vendor-supplied software and patches.
Asset Inventory and Management
CIP-002-5.1a: This standard’s primary purpose is the identification and categorization of BES Cyber Systems and associated BES Cyber Assets. It establishes a process to determine the criticality of BES Cyber Systems based on the potential impact of their compromise on the reliable operation of the BES.
CIP-007-6: Includes requirements for identifying and inventorying all known enabled default or generic account types across various systems. This process aids in asset inventory management by providing visibility into potentially vulnerable accounts.
Awareness and Training
CIP-003-8: Mandates the implementation of cyber security awareness programs. This standard emphasizes regular reinforcement of good cyber security practices for personnel, including appropriate physical security topics like tailgating awareness, and protection of physical security badges.
CIP-004-7: This standard focuses on personnel and training to minimize the risk of compromise from individuals accessing BES Cyber Systems. It requires personnel risk assessments, security awareness reinforcement, role-based cyber security training, and access management. The training and access requirements apply to personnel with access to high- and medium-impact BES Cyber Systems and their associated systems such as EACMS and PACS.
Backup and Recovery
CIP-008-6: While primarily focused on incident reporting and response planning, it touches upon recovery by emphasizing the importance of having processes to identify, classify, and respond to Cyber Security Incidents.
CIP-009-6: Specifically addresses recovery plans for BES Cyber Systems to ensure the continuation of critical reliability functions. This standard details requirements for creating, maintaining, testing, and updating recovery plans to address potential cyber security incidents. It also recommends resources from NERC and NIST to guide the development of comprehensive recovery plans.
Audit and Compliance Management
CIP-002-5.1a: Outlines compliance monitoring and assessment processes including Compliance Audit, Self-Certification, Spot Checking, Compliance Investigation, Self-Reporting, and Complaint mechanisms.
CIP-003-8: Defines the compliance monitoring process and the roles of the Compliance Enforcement Authority (CEA). It details various compliance monitoring methods such as spot-checking, compliance investigations, self-reporting, and handling complaints. The standard also specifies violation severity levels for different non-compliance scenarios, which helps in audit and compliance management.
Data Security
CIP-004-7: Requires documented access management programs to authorize, verify, and revoke provisioned access to BCSI (BES Cyber System Information) for high-impact BES Cyber Systems and associated systems. It emphasizes controlling access to sensitive information to maintain data security.
CIP-011-3: Focuses on information protection to prevent unauthorized access to BES Cyber System Information. This standard requires implementing information protection programs, defining processes for BES Cyber Asset reuse and disposal, and outlines procedures for handling BCSI throughout its lifecycle.
Endpoint and Device Protection
CIP-007-6: Emphasizes managing system security through technical, operational, and procedural requirements. This standard includes provisions for managing ports and services, security event monitoring, and system access control, all of which contribute to endpoint and device protection.
Identity Management and Access Control
CIP-003-8: Requires documentation and implementation of methods to control physical access to assets or locations housing low-impact BES Cyber Systems and Cyber Assets responsible for electronic access control. While not directly related to identity management, it emphasizes physical security as a foundational layer in access control.
CIP-004-7: Focuses on personnel and training aspects, including the implementation of access management programs to control access to BCSI. It requires defining processes for access authorization, verification, and revocation for high-impact BES Cyber Systems and their associated systems.
CIP-005-7: Addresses managing electronic access to BES Cyber Systems through controlled Electronic Security Perimeters (ESPs). It specifies requirements for defining ESPs and for Interactive Remote Access through an Intermediate System, mandates multi-factor authentication for Interactive Remote Access sessions to high-impact BES Cyber Systems (and medium-impact systems with External Routable Connectivity), and requires the ability to identify active vendor remote access sessions and to disable them.
CIP-006-6: Focuses on the physical security of BES Cyber Systems and specifies requirements for physical security plans. It includes provisions for controlling physical access to high-impact BES Cyber Systems and associated systems.
Incident Response
CIP-003-8: Includes incident reporting and response planning as a crucial aspect of cyber security management.
CIP-008-6: Specifically deals with incident reporting and response planning. This standard outlines requirements for developing, implementing, and testing Cyber Security Incident response plans. It requires clearly defined processes for identifying, classifying, and responding to Cyber Security Incidents, including attempts to compromise. It also requires notifying the E-ISAC and NCCIC (now part of CISA) of Reportable Cyber Security Incidents, with initial notification within one hour of determining that an incident is reportable.
Logging and Threat Detection
CIP-007-6: Requires security event monitoring under R4. Applicable systems must log, at the BES Cyber System or Cyber Asset level, detected successful login attempts, detected failed access and failed login attempts, and detected malicious code; generate alerts for detected malicious code and for detected failure of event logging; retain logs for at least 90 consecutive days; and review a summary or sample of logged events at least every 15 calendar days. Together these requirements define the logging and detection baseline a software product must be able to feed.
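A small event monitor that exercises the CIP-007-6 R4 event classes (detected successful logins, failed login attempts, detected malicious code) and the R4.2 alert on failure of event logging. This is an added example, not code from the original page or from any vendor's product. The syslog-style line format, the sample log lines, the thresholds, and the silence heuristic used to approximate a logging failure are all constructed for illustration; a production deployment would alert on a missing logging heartbeat rather than on silence alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed syslog-like format (not real device output).
SAMPLE_LOG = """\
2024-03-04T10:00:01Z hmi01 sshd: Accepted publickey for operator from 10.20.1.15
2024-03-04T10:00:17Z hmi01 sshd: Failed password for root from 198.51.100.7
2024-03-04T10:00:19Z hmi01 sshd: Failed password for root from 198.51.100.7
2024-03-04T10:00:21Z hmi01 sshd: Failed password for admin from 198.51.100.7
2024-03-04T10:00:24Z hmi01 sshd: Failed password for admin from 198.51.100.7
2024-03-04T10:00:26Z hmi01 sshd: Failed password for admin from 198.51.100.7
2024-03-04T10:00:40Z hmi01 sshd: Accepted password for operator from 10.20.1.15
2024-03-04T10:01:03Z hmi01 av: Malicious code detected: path=/tmp/x.exe sig=Trojan.Generic
2024-03-04T11:45:00Z hmi01 sshd: Failed password for operator from 10.20.1.15
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"^(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)$")
MALWARE_RE = re.compile(r"^Malicious code detected: (?P<detail>.*)$")


def parse_event(line):
    """Map one log line onto the R4.1 event classes; None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"], "type": "other", "user": None, "src": None, "detail": m["msg"],
    }
    lm = LOGIN_RE.match(m["msg"])
    mm = MALWARE_RE.match(m["msg"])
    if lm:
        ev["type"] = "login_success" if lm["result"] == "Accepted" else "login_failure"
        ev["user"], ev["src"] = lm["user"], lm["src"]
    elif mm:
        ev["type"] = "malicious_code"
        ev["detail"] = mm["detail"]
    return ev


def build_alerts(log_text, fail_threshold=5, window=timedelta(minutes=5),
                 max_silence=timedelta(minutes=60)):
    """Return (alert_type, subject, detail) tuples in the order they fire.

    - malicious_code: R4.2.1, alert on every detection.
    - failed_login_burst: R4.1.2 failures from one source exceeding a threshold
      inside a sliding window (threshold and window are assumptions).
    - logging_gap: silence longer than max_silence is treated as a possible
      failure of event logging (R4.2.2); a heuristic, not a heartbeat check.
    """
    alerts = []
    failures = defaultdict(list)  # source address -> recent failed-login timestamps
    alerted_sources = set()
    last_ts = None
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if last_ts is not None and ev["ts"] - last_ts > max_silence:
            minutes = int((ev["ts"] - last_ts).total_seconds() // 60)
            alerts.append(("logging_gap", ev["host"], minutes))
        last_ts = ev["ts"]
        if ev["type"] == "malicious_code":
            alerts.append(("malicious_code", ev["host"], ev["detail"]))
        elif ev["type"] == "login_failure":
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window] + [ev["ts"]]
            failures[ev["src"]] = recent
            if len(recent) >= fail_threshold and ev["src"] not in alerted_sources:
                alerted_sources.add(ev["src"])
                alerts.append(("failed_login_burst", ev["src"], len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_LOG):
        print(alert)
```

On the sample input the monitor raises a burst alert after the fifth failure from 198.51.100.7, an alert for the malicious-code detection, and a 103-minute gap alert before the final line. The single late failure from the operator workstation stays below the threshold, which is the point of windowing per source rather than counting failures globally.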
Network Security
CIP-003-8: Requires documenting and implementing methods to control electronic access to assets or locations containing low-impact BES Cyber Systems. It also emphasizes restricting routable communication between low-impact BES Cyber Systems and external Cyber Assets.
CIP-005-7: Focuses on establishing and managing Electronic Security Perimeters (ESPs) to secure BES Cyber Systems.
CIP-006-6: Requires restricting physical access to cabling and other non-programmable communication components used for connecting Cyber Assets within the same ESP when located outside a Physical Security Perimeter. This requirement safeguards network communications by securing the physical infrastructure.
CIP-007-6: Requires minimizing the attack surface of BES Cyber Systems by disabling or limiting access to unnecessary network-accessible logical ports and services, and physical I/O ports.
CIP-012-1: Addresses the security of communications between Control Centers. It requires Responsible Entities to implement plans that mitigate the risk of unauthorized disclosure or modification of Real-time Assessment and Real-time monitoring data while it is transmitted between Control Centers, protecting the confidentiality and integrity of those communication channels.
Posture and Vulnerability Management
CIP-003-8: Requires developing and implementing cyber security plans that address security objectives.
CIP-007-6: Includes requirements for a patch management program under R2. The program must identify the patch source(s) for each applicable system, evaluate new security patches for applicability within 35 calendar days of their release, and within a further 35 calendar days either apply the patch, create a dated mitigation plan, or revise an existing plan. The standard therefore expects tracked, time-bound patch decisions rather than ad hoc updates.
CIP-010-4: Focuses on configuration change management and vulnerability assessments. This standard mandates processes for maintaining documented baseline configurations, monitoring high-impact systems for unauthorized deviations from the baseline at least every 35 calendar days, and conducting periodic vulnerability assessments to maintain a secure posture.
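The baseline comparison that CIP-010 R1 and R2 describe, and that the CIP-007-6 ports-and-services and patch requirements above depend on, can be shown directly: record the five R1.1 baseline elements for a Cyber Asset, diff a later scan against the approved baseline, and report every deviation that no authorized change record covers. This is an added example, not code from the original page or from any vendor's tooling; the data structures, field names, sample baselines, and change records are constructed for illustration, and only the five element categories come from the standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """One Cyber Asset's baseline, keyed to the five CIP-010 R1 Part 1.1 elements."""
    os_version: str          # 1.1.1 operating system or firmware, with version
    software: dict           # 1.1.2 commercial/open-source software: name -> version
    custom_software: dict    # 1.1.3 custom software: name -> version or hash
    ports: frozenset         # 1.1.4 logical network accessible ports, e.g. "tcp/22"
    patches: frozenset       # 1.1.5 security patches applied


def diff_baselines(old, new):
    """Return (element, change, item) tuples for every deviation of `new` from `old`."""
    changes = []
    if old.os_version != new.os_version:
        changes.append(("os_version", "changed", f"{old.os_version} -> {new.os_version}"))
    for element in ("software", "custom_software"):
        o, n = getattr(old, element), getattr(new, element)
        for name in sorted(set(o) | set(n)):
            if name not in o:
                changes.append((element, "added", f"{name}={n[name]}"))
            elif name not in n:
                changes.append((element, "removed", f"{name}={o[name]}"))
            elif o[name] != n[name]:
                changes.append((element, "changed", f"{name}: {o[name]} -> {n[name]}"))
    for element in ("ports", "patches"):
        o, n = getattr(old, element), getattr(new, element)
        changes += [(element, "added", x) for x in sorted(n - o)]
        changes += [(element, "removed", x) for x in sorted(o - n)]
    return changes


def unauthorized_changes(changes, authorized):
    """Keep only deviations with no matching change record.

    CIP-010 R1.2 requires deviations from the baseline to be authorized and
    documented; `authorized` holds (element, change, item) tuples taken from
    the change tickets (constructed here)."""
    return [c for c in changes if c not in authorized]


# Constructed sample: an approved HMI baseline and a later scan of the same host.
APPROVED = Baseline(
    os_version="Windows Server 2019 17763.5576",
    software={"hmi-runtime": "4.2.1", "openssh": "9.4"},
    custom_software={"tag-sync-service": "sha256:3f9c0e"},
    ports=frozenset({"tcp/443", "tcp/3389", "tcp/22"}),
    patches=frozenset({"KB5035849"}),
)
SCANNED = Baseline(
    os_version="Windows Server 2019 17763.5576",
    software={"hmi-runtime": "4.2.1", "openssh": "9.6", "remote-support-agent": "1.0"},
    custom_software={"tag-sync-service": "sha256:3f9c0e"},
    ports=frozenset({"tcp/443", "tcp/3389", "tcp/22", "tcp/5900"}),
    patches=frozenset({"KB5035849", "KB5036896"}),
)
# Change tickets on file: the OpenSSH upgrade and the new security patch were approved.
AUTHORIZED = {
    ("software", "changed", "openssh: 9.4 -> 9.6"),
    ("patches", "added", "KB5036896"),
}


def check_host(approved=APPROVED, scanned=SCANNED, authorized=AUTHORIZED):
    """Run the 35-day style comparison and return only unauthorized deviations."""
    return unauthorized_changes(diff_baselines(approved, scanned), authorized)


if __name__ == "__main__":
    for element, change, item in check_host():
        print(f"UNAUTHORIZED {element}: {change} {item}")
```

Run against the sample, the check flags the newly installed remote-support agent and the newly listening VNC port while letting the ticketed OpenSSH upgrade and patch through; the port finding is exactly the kind of deviation CIP-007 R1's ports-and-services requirement exists to catch, and the patch finding shows the R1.1.5 element tying the baseline to the CIP-007 R2 patch record.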
Risk Assessment and Management
CIP-002-5.1a: Lays the foundation for risk management by requiring the identification and categorization of BES Cyber Systems based on their potential impact on the reliable operation of the BES. This categorization helps prioritize resources and apply appropriate security measures based on risk levels.
CIP-014-3: Specifically addresses physical security and requires a risk-based assessment to identify critical facilities. The standard mandates developing and implementing security plans based on identified threats and vulnerabilities. It also recommends resources like NERC security guidelines and ASIS International guidelines to support the risk assessment process.
Software Bill Of Materials (SBOM)
None of the mandatory (subject to enforcement) NERC CIP requirements explicitly addresses the concept of a Software Bill of Materials (SBOM). The closest related obligations are the software integrity and authenticity verification required by CIP-013-2 supply chain plans and by CIP-010 R1.6 before a software change, which an SBOM can support but which do not require one.
Zero Trust Network Access
None of the mandatory (subject to enforcement) requirements explicitly mentions Zero Trust Network Access. However, some requirements, such as the Electronic Security Perimeter, Intermediate System, and multi-factor authentication provisions of CIP-005-7, align with Zero Trust principles by requiring that access be authenticated and controlled rather than trusted by virtue of network location. For definitive guidance on Zero Trust implementation within the NERC CIP framework, consult the NERC white paper on the subject.
Continuous Evaluation Process
Compliance Labs has made continuous compliance testing a fundamental part of its NERC CIP compliance testing controls. The continuous evaluation process monitors new cybersecurity regulations, standards, and framework best practices, and updates the testing criteria accordingly, so that software compliance testing remains effective and relevant over the long term.