North American Electric Reliability Corporation (NERC)

What are NERC and CIP Security Compliance Standards?

NERC Reliability Standards define the reliability requirements for planning and operating the North American bulk power system and are developed using a results-based approach that focuses on performance, risk management, and entity capabilities. The United States of America, Canada, and a part of Baja California in Mexico come under the responsibility of NERC, and power system operators in that region need to meet its security standards, which include network scanning for security vulnerabilities. For more information about NERC, see the NERC website.

The NERC Vital Infrastructure Protection (NERC-CIP) exists to improve the reliability of the vital bulk power SCADA systems that create and transport electricity around the continent, and the objective of a NERC compliance program is to guarantee that the bulk electric system in North America is reliable, sufficient, and secure. It's insufficient to simply plan for natural disasters or accidents; the bulk power system should be planned, designed, constructed, and operated in a way that also takes into account modern threats to security, including attacks from cyber-criminals. NERC compliance programs are required to help prevent these attacks.

Who must be NERC-CIP compliant?

All bulk power system owners, operators, and clients must comply with NERC-approved Reliability Standards. These entities are required to register with NERC through the appropriate Regional Entity.

What are the NERC-CIP Security Standards?

It's crucial to keep the bulk power system safe from threats, which is why any bulk power system owner or operator must adhere to NERC compliance standards. The following are the three vital security standards of NERC-CIP:

  1. CIP-002 Vital Cyber Asset Identification: NERC CIP 002 "Vital Cyber Asset Identification" requires identification and documentation of all vital cyber assets in a bulk power system. This identification and documentation helps a network administrator or a responsible entity understand the effects and harm that could occur if a vital cyber asset is compromised.
  2. CIP-003 Security Management Controls: NERC CIP 003 "Security Management Controls" requires a network administrator or a responsible entity to create policies, or modify existing ones, so that they protect vital cyber assets (CIP 003 R1). CIP 003 also requires creating an exception where policies can't be implemented (CIP 003 R3). It also requires documentation of all changes, such as the creation, modification, removal, and replacement of any vital cyber hardware or software (CIP 003 R6).
  3. CIP-007 Systems Security Management: CIP 007 "Systems Security Management" requires a network administrator or a responsible entity to ensure that any changes which may happen during a software update or the installation of a security patch don't affect the overall operations and performance of the vital cyber assets. CIP 007 also requires a network administrator or a responsible entity to use malicious software (malware) prevention tools, which can identify malicious software and prevent it from affecting critical cyber assets.

How does Nemasis help to achieve NERC-CIP?

Nemasis's vulnerability management suite identifies all the vital cyber assets automatically during a network scan. This scan can be scheduled daily, weekly, or monthly, and it can also be manually scheduled by the administrator. Nemasis-VA's policy management tool helps the administrator create new policies or standards for vital cyber assets and also lets the administrator create exceptions wherever it is important. It generates a detailed report for all the discovered vital cyber assets.

The administrator or security team needs to set up a process through which only the ports needed for normal and emergency operation remain open. Nemasis-VA uses its port scanner feature to identify all the open ports on a system and immediately report the potential risks or security-related network issues. Nemasis-VA is a vulnerability assessment and management suite designed to precisely scan networks of any size. With the help of NVTs (Network Vulnerability Tests), CVEs (Common Vulnerabilities and Exposures) and the CERT, the vulnerability database, it is able to detect more than 49,000 vulnerabilities, as well as the new vulnerabilities that are added on a daily basis.

Copyright 2022 MicroWorld Technologies Inc. - Nemasis VMS