CIP Compliance: Reducing Your Risk


How utilities can navigate critical infrastructure protection requirements.

Fortnightly Magazine - May 2007

Operations personnel at many energy companies feel the pressure of achieving compliance with the North American Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP) standards. Some worry that they have no visibility into the problems and security incidents that have already occurred within their critical infrastructure. Some know that they lack the procedures needed to maintain CIP compliance once it is achieved. In many cases, significant system and procedural changes to the operational environment will be required, and such changes can be extremely time- and resource-intensive to establish.

What most organizations may not realize is that their IT departments already have a head start on the process through a widely accepted approach to IT service management called the Information Technology Infrastructure Library (ITIL). By using the ITIL framework, companies may be able to achieve and maintain CIP compliance in a much simpler manner than if they did not use any established framework.

With regulatory deadlines looming, the challenge is to recognize synergies between ITIL and CIP and to begin the implementation process.

Mandatory Standards

The NERC CIP standard comprises eight specific standards. These standards are listed, along with a brief description of their purpose, in Table 1. Each standard has a mandatory set of requirements that must be implemented, tracked, and capable of being audited.

The challenge that utilities face in complying with the CIP standards is well documented. The standards define what the requirements are, but not how compliance should be achieved, leaving each utility to resolve for itself how best to comply.

To compound the problem, utilities often struggle with organizational friction between the operations and IT departments. These challenges are best addressed with a comprehensive approach to critical assets that is compatible with the systems and processes the organization already uses to maintain its other IT assets. The approach should also combine the efforts of the operations and IT organizations, both of which have a vested interest in protecting the entity's cyber assets.

Risk-Management Focus

The CIP standards require a utility to manage the risk of attacks against its infrastructure and to continue providing service in the face of a successful attack or a natural incident. The standards require the establishment and maintenance of a cyber-security posture that reduces the risk of successful attacks originating both inside and outside the utility. They also require the utility to limit the adverse effects of a successful attack or natural incident on its critical assets through business continuity and disaster recovery plans.

Security Posture. The foundation of the cyber-security posture is the set of security policies and programs established at the corporate level. That foundation sets the security direction of the company and demonstrates the buy-in, commitment, and intent of senior management to establish and maintain cyber security. The cyber-security posture is established through the implementation and continual monitoring of the