MiCOM P40 Agile P441, P442, P444
3.1 NERC Compliance
The North American Electric Reliability Corporation (NERC) created a set of standards for
the protection of critical infrastructure. These are known as the CIP standards (Critical
Infrastructure Protection). These were introduced to ensure the protection of Critical Cyber
Assets, which control or have an influence on the reliability of North America’s bulk electric
systems.
These standards have been compulsory in the USA for several years now. Compliance
auditing started in June 2007, and utilities face extremely heavy fines for non-compliance.
The group of CIP standards is listed in Table 2.
CIP standard Description
CIP-002-1 Critical Cyber Assets
Define and docume
nt the Critical Assets and the Critical
Cyber Assets
CIP-003-1 Security Management Controls
Define and document the Security Management
Controls required to protect the Critical Cyber Assets
CIP-004-1 Personnel and Training
Define and Document Personnel handling and training
required protecting Critical Cyber Assets
CIP-005-1 Electronic Security
Define and document logical security perimeter where
Critical Cyber Assets reside and measures to control
access points and monitor electronic access
CIP-006-1 Physical Security
Define and document Physical Security Perimeters
within which Critical Cyber Assets reside
CIP-007-1 Systems Security Management
Define and document system test procedures, account
and password management, security patch
management, system vulnerability, system logging,
change control and configuration required for all Critical
Cyber Assets
CIP-008-1 Incident Reporting and
Response Planning
Define and document procedures necessary when
Cyber Security Incidents relating to Critical Cyber
Assets are identified
CIP-009-1 Recovery Plans
Define and document Recovery plans for Critical Cyber
Assets
Table 2: NERC CIP standards
The following sections provide further details about each of these standards, describing the
associated responsibilities of the utility company and where the IED manufacturer can help
the utilities with the necessary compliance to these standards.
3.1.1 CIP 002
CIP 002 concerns itself with the identification of:
• Critical assets, such as overhead lines and transformers
• Critical cyber assets, such as IEDs that use routable protocols to communicate
outside or inside the Electronic Security Perimeter; or are accessible by dial-up.
Power utility responsibilities:
Create the list of the assets
We can help the power utilities to create this asset
register automatically.
We can provide audits to list the Cyber assets
3.1.2 CIP 003
CIP 003 requires the implementation of a cyber security policy, with associated
documentation, which demonstrates the management’s commitment and ability to secure its
Critical Cyber Assets.
The standard also requires change control practices whereby all entity or vendor-related
changes to hardware and software components are documented and maintained
To Next Page
Loading...
Need help?
General
