The North American Electric Reliability Corporation (NERC) is responsible for ensuring North America's bulk electric system is secure, adequate and reliable. To meet this challenge, NERC developed Critical Infrastructure Protection (CIP) Cyber Security Standards, which are now mandatory and enforceable. Gene Kim, CTO of Tripwire, describes seven practical steps owners and operators of the bulk power system can take to meet the mandatory IT configuration requirements set forth in the NERC-CIP standards. These steps help owners and operators avoid costly penalties for non-compliance while also protecting the Critical Cyber Assets that control or affect the reliability of North America's bulk electric power system.
Gene Kim, CTO, Tripwire, Inc.
Gene Kim's Practical Steps to Achieve and Maintain NERC Compliance
white paper
Configuration Control for Virtual and Physical Infrastructures

CONTENTS
3 NERC Background
4 What We Can Do About It: Seven Practical Steps
9 Business Value of Good Information Security Controls
9 Conclusion
2 | WHITE PAPER | Gene Kim's Practical Steps to Achieve and Maintain NERC Compliance

NERC Background
The North American Electric Reliability Corporation (NERC) is a nonprofit corporation created to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which ensure the protection of the Critical Cyber Assets that control or affect the reliability of North America's bulk electric systems.

In 2006, the Federal Energy Regulatory Commission (FERC) approved the Security and Reliability Standards proposed by NERC, making the CIP Cyber Security Standards mandatory and enforceable across all users, owners and operators of the bulk-power system.

Compliance Timeline
NERC-CIP standards and guidelines apply to all entities within the bulk-power system. The timeline for the implementation of NERC critical infrastructure protection controls follows a phased approach designed to structure the implementation and ensure compliance. The timeline is broken into four phases:
• Phase One (also called "BW" or "Begin Work"). In this phase, the entity must have developed and approved plans, scoped resources and must have begun implementation of plans.
• Phase Two (also called "SC" or "Substantially Compliant"). In this phase, the entity must be well along in its implementation plan but not necessarily fully compliant.
• Phase Three (also called "C" or "Compliant"). In this phase, the entity's controls must have met the full intent of the requirements, and the entity is beginning to maintain the required audit artifacts.
• Phase Four (also called "AC" or "Auditably Compliant"). In this phase, the controls in place within the entity must meet the full intent of the requirements, and the entity can demonstrate this to an external auditor, including a minimum of …

Compliance milestones depend primarily on the type of responsible entity; some entities were required to complete the first phase of NERC implementation by June 2008; others have until June 2009 or June 2010. The rollout timeline is also specific to the CIPs themselves. Although some organizations may not yet require a NERC audit, if a breach is discovered, daily fines can be levied, including retroactively. Also, organizations are expected to notify NERC if there is a compliance breach, even if they have not yet reached the date for regular NERC audits.

Financial Penalties
Due to the importance of securing the North American power supply, financial penalties for NERC non-compliance are hefty: entities can be fined up to $1 million per day per infraction until they have brought themselves back into a compliant state. Although NERC audits are regularly scheduled, additional NERC audits can result if there is a power outage or other incident. Therefore, many entities are taking a proactive approach to NERC compliance: ensuring compliance not just for isolated audits, but also deploying file integrity monitoring with change detection to ensure continuous and uninterrupted NERC compliance.

Challenges of NERC Compliance
The NERC CIPs are very detailed and prescriptive configurations. If implemented manually, entities would have to spend countless man-hours bringing systems, including mission-critical SCADA systems, into compliance. Even if compliance is achieved through manual efforts, configurations can quickly and easily slip back into a non-compliant state, leaving systems wide open to malicious and potentially devastating attacks.

Gene Kim's Practical Steps to Achieve and Maintain NERC Compliance for Change/Configuration/Access Processes
There is nearly universal agreement that information security controls must be integrated into daily IT operations, and be 'baked in' from conception, not addressed later as an afterthought. But, if new security controls must be impl…
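The "file integrity monitoring with change detection" the paper relies on for continuous compliance, and the configuration drift it warns about, come down to one mechanism: record a baseline of what each monitored file contains and how it is protected, then compare later snapshots against it. The script below is an added illustration of that mechanism, not Tripwire's product code or anything from the paper; the monitored directory, its sample configuration files and the simulated drift are all constructed inline so it runs offline.

```python
"""Minimal file-integrity baseline and drift detection (added example)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Hash a file's content and record its permission bits and size."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def snapshot(root: str) -> dict:
    """Walk `root` and return {relative_path: fingerprint} for every regular file."""
    base = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(base):
        for name in sorted(files):
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                snap[str(p.relative_to(base))] = _fingerprint(p)
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or modified (content hash or mode changed)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for rel in sorted(set(baseline) & set(current)):
        b, c = baseline[rel], current[rel]
        reasons = [k for k in ("sha256", "mode") if b[k] != c[k]]
        if reasons:
            modified.append((rel, reasons))
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed config tree, take a baseline, drift it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        cfg = Path(root) / "etc"
        cfg.mkdir()
        # Constructed sample files standing in for a hardened host's config.
        (cfg / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (cfg / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        (cfg / "motd").write_text("Authorized use only.\n")
        os.chmod(cfg / "sshd_config", 0o600)
        os.chmod(cfg / "hosts.allow", 0o644)

        baseline = snapshot(root)

        # Simulated drift: a weakened setting, loosened permissions,
        # an unapproved new file, and a deleted banner.
        (cfg / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        os.chmod(cfg / "hosts.allow", 0o666)
        (cfg / "unapproved.conf").write_text("debug=1\n")
        (cfg / "motd").unlink()

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

In practice the baseline would be stored off-host and signed, and the comparison scheduled or triggered on change; the point the paper makes is that this comparison, not the one-time audit, is what keeps a system continuously in its approved configuration.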