Abstract
The critical infrastructure protection (CIP) set of standards is developed by the North American Electric Reliability Corporation (NERC) to ensure the protection of assets used to operate North America's bulk electric systems (BES). Any entity that owns or operates any type of BES in the United States and Canada must be compliant with the requirements of the NERC CIP standards. The purpose of this chapter is to provide an ample overview of the NERC CIP standards, to describe their relevance to the protection of electric utility entities, to establish their harmonizing relation with the NIST cyber security framework, to provide a glimpse of their compliance requirements, and to investigate the gaps and prospects for workforce development training in this area of critical need. This chapter lays the foundation for opportunities in the design of automated NERC CIP standards compliance processes and toolkits, the feasibility study of adopting the CIP standards in other sectors, and the development of training materials in NERC CIP standards for workforce development.
Introduction
Industrial Control Systems (ICS) have been widely employed to supervise and control critical infrastructures in various sectors such as energy, defense industrial base manufacturing, water treatment, transportation, nuclear, chemical, health, and maritime, just to name a few. This chapter is focused on one prominent application of ICS: the electric utility sector. ICS were originally designed to operate on air-gapped networks, but due to expanded operational requirements, the interconnectivity between Information Technology (IT) and Operational Technology (OT) became inevitable. Such interfacing enlarged the attack surface of ICS and led to an increased incidence of cyberattacks. These cyberattacks on ICS can have devastating effects, which may include:
The serious consequences of a cyberattack prompted the development and implementation of standards and regulations to protect our nation’s critical infrastructures. Standards provide a set of rules that can be monitored for compliance by a specialized field’s authoritative bodies and related professionals. The grouping of rules and related concepts into appropriate frameworks furnishes the basic building blocks to identify and decide upon appropriate courses of action to address complex problems. Although the enumeration of an exhaustive set of standards and frameworks appropriate for a cybersecurity audit is beyond the scope of this article, we focus our attention on the standards created by the North American Electric Reliability Corporation: the CIP Standards.
This chapter highlights the significance of the NERC CIP Standards for the protection of electric utility entities and their mapping to the NIST Cyber Security Framework. We illustrate the compliance requirements, including a case study, and investigate the gaps and prospects for workforce development training in this crucial area. This work lays the foundation for the development of automated NERC CIP Standards compliance processes and toolkits, the feasibility of adopting the CIP Standards in other sectors, and the development of training materials in NERC CIP Standards for workforce development.
Background
The Critical Infrastructure Protection (CIP) set of standards is developed by the North American Electric Reliability Corporation (NERC) to ensure the protection of assets used to operate North America’s Bulk Electric Systems (BES). Any entity that owns or operates any type of BES in the United States and Canada must be compliant with the requirements of the NERC CIP Standards.
A closely related set of standards is the International Society of Automation/International Electrotechnical Commission (ISA/IEC) 62443 Standards (ISA/IEC, 2020), which address the Security of Industrial Automation and Control Systems (IACS). These standards were initially intended for the industrial sector but evolved and were applied to the building automation, medical device, and transportation sectors.
An early study on the viability and significance of the NERC CIP standards is made in (Zhang Z., 2011). The study focused on CIP-002 (Critical Cyber Asset Identification), which is the predecessor of the currently enforced CIP-002-5.1a (BES Cyber System Categorization) and concluded that the mandatory cybersecurity standards are beneficial and promoted an increase in technological products, better security management, personnel training, and public trust in the industry.
Design challenges in substation equipment upgrades in light of the cybersecurity requirements of the NERC CIP standards are described in (Cole, 2016). The challenges are based mainly on the discovery of legacy and obsolete equipment to be replaced and are exacerbated by the lack of up-to-date design and configuration documents. The contingencies that must be included in resource plans, budgets and schedules of equipment upgrades as required by the standards add further to the burden on the process.
Key Terms in this Chapter
Standards: A set of rules that can be monitored for compliance by a specialized field’s authoritative bodies and related professionals.
Framework: A grouping of rules and related concepts into a logical approach that can be used to identify complex problems and decide upon appropriate courses of action to address them.
Scenario-Based Learning: A type of learning based on the theory that learning takes place in the context in which it is applied.
Information Technology: The utilization of hardware, software, and systems to monitor, control, and implement business processes and objectives.
Critical Infrastructures: Entities whose operations and assets, physical or virtual, are vital to a nation’s interests.
Cybersecurity: A set of processes, practices, and technologies designed to protect, in the realm of cyberspace, the three tenets of information security: confidentiality, integrity, and availability.
Regulatory Compliance: The state of being in conformance to the requirements of a relevant law, policy, or regulation.
Supply Chain Risk: The risk associated with the system that supplies products and services to an organization.
Operational Technology: The utilization of hardware, software, and systems to monitor and drive industrial equipment, processes, and events.