Mar 30 2011

What is NERC CIP Compliance?

Published by at 2:02 pm under Security,Smart Grid,Technology

One of the biggest challenges I find talking to customers about Smart Grid/AMI deployments is answering the question “Is your solution/architecture NERC CIP compliant?”  It’s somewhat frustrating since there’s no certification (which is typically the direction the question originates from) that I can point to – you know, something like a UL or Windows Hardware Quality Lab (WHQL) testing – that says the solution or architecture is NERC CIP compliant.  In many cases I have to spend a fair amount of time resetting customer expectations in what NERC CIP (and in many cases what the NIST IR 7628) really requires.

The NERC CIP is a subset of the NERC Reliability Standards and is comprised of a group of nine standards specifying security requirements utilities must meet.  The standards include the following:

Version 3 of the NERC CIP standards is currently in effect.  The above links actually point to the version 4 documents of the standard as they have passed the ballot vote although a mandatory effective date has not been set yet.

Each standard covers a different domain but the common feature among them is that the standards are focused more on process and policy versus actual technology.  Does that mean that they don’t touch the technology?  No…by no means.  In fact some of the requirements in specific CIP standards (specifically we’re talking about CIP-002, CIP-003, CIP-005, CIP-007 and CIP-009) can be met based on the technical capabilities in the Smart Grid/AMI system being deployed.  That being said, however, the standards do not specify specific technologies that are required.  For example, the PCI-DSS standard requires that organizations use firewalls and anti-virus as part of their technical controls.  That’s a clear case where the standard specifically states what technical controls an organization must use in order to be compliant. NERC CIP does not do that directly.

NERC CIP is written more broadly than standards like PCI-DSS.  In many cases the wording leaves it up to the utility or the industry to decide how the standard is applied and interpreted.  But as far as technical controls mapping directly – while there are ways to claim that an AMI or Smart Grid system meets specific requirements within the NERC CIP standards based on those technical controls, there is no way to simply say “yes, it is NERC CIP compliant.”

2 responses so far

2 Responses to “What is NERC CIP Compliance?”

  1. Alan Levinon 09 May 2011 at 8:35 am

    Hi, this is great stuff. I like the way that you’ve applied standard ‘Cyber Security’ principles to an energy delivery application. Thanks for sharing.

  2. Nedhunurion 17 Dec 2015 at 4:29 pm

    What if a less than 1500 mw plant site is determined to be a CA beacuse your transmission planning department categorizes it as a RMR through the bright line criteria? Does that less 1500 mw plant have to be evaluated for CCAs? CIP does not provide criteria for this within the regulations.

Trackback URI | Comments RSS

Leave a Reply