NERC Releases CIP Audit Guide for Network Monitors

New Guide Inspired by DOE Initiative

Jun 7, 2021
Holden Mann

Seeking to “provide additional clarity and ensure a common approach to auditing compliance with the Critical Infrastructure Protection (CIP) reliability standards,” NERC on Friday introduced a guide to help integrate network monitoring solutions into the industrial control systems (ICS) and operational technology (OT) networks of electric utilities.

NERC developed the ERO Enterprise CMEP Practice Guide: Network Monitoring Sensors, Centralized Collectors, and Information Sharing in response to the Department of Energy’s initiative, announced in April, to improve the cybersecurity of ICS at electric utilities and secure the energy sector’s supply chain within 100 days. (See Biden Reinstates Trump Supply Chain Order.)

Part of DOE’s initiative includes a “voluntary industry effort to deploy technologies to increase visibility of threats in ICS and OT systems,” along with milestones for their introduction over the specified time frame. The new practice guide — unlike implementation guidance, which provides registered entities with ERO Enterprise-endorsed examples of how to comply with reliability standards — is intended to assist compliance monitoring and enforcement program (CMEP) staff of the ERO Enterprise with executing CMEP activities related to the deployment of this new technology.

Asset Protection Assessed by Function, Environment

The guide identifies two primary issues for CMEP staff to consider when assessing entities’ technology solutions in relation to the CIP standards:

  • Protection of the cyber asset — whether the deployment of a network monitoring sensor in an entity’s environment triggers the application of certain CIP requirements and, if so, whether the entity identified which requirements apply and how its device protection plan complies with them;
  • Protection of data being transmitted to a third party — whether the type of data being transmitted triggers the need to protect that data and associated cyber assets under the CIP standards and, if so, how the entity plans to protect and securely handle the data consistent with the standards.

For the first topic, protection of the asset, the CIP standards require entities to protect bulk electric system cyber systems and “certain associated cyber assets”; CMEP staff are advised to determine first whether the sensor in question qualifies as a BES cyber asset based on CIP-002-5.1a (BES cyber system categorization).

“Typically, based on the function it is performing, the sensor is unlikely to meet the definition of a BES cyber system,” the guide says. “However, CMEP staff should assess the registered entity’s CIP-002 categorization process to ensure that the sensor would not meet the definition of BES Cyber System.”

If the sensor does not qualify as a BES cyber system, it may still be subject to CIP requirements based on the environment in which it is deployed, the way it is used, and its functions. Devices that are used in high- or medium-impact environments may be categorized as protected cyber assets if they are connected using routable protocols within or on an electronic security perimeter, or as electronic access control or monitoring systems (EACMS) if they perform “certain electronic access and/or access monitoring activity.”

Entities may not be required to secure sensors that are deployed in an environment with only low-impact BES cyber systems even if they are “performing the functions of an EACMS or other … device subject to the CIP standards.” However, auditors must still assess whether those devices are subject to the requirements of CIP-003-8 (Cyber security — security management controls) concerning electronic access control.

Data Protection Includes Third Parties

Regarding the protection of data, the CIP standards require that entities control access to BES cyber system information (BCSI), defined as “information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to [it].” Examples of such data include security procedures, collections of network addresses, network topology of the system, or any information that is not publicly available and could be used to allow unauthorized access or distribution of sensitive data.

CMEP staff are advised to examine how the entity determines whether the data collected by its sensors contains BCSI and whether the information is transmitted to third parties. If BCSI is included in the data, auditors must assess whether the utility has a process in place to authorize access to the designated storage locations for BCSI; this must also be assessed for any third party that might come in contact with the information. 

The guide also reminds CMEP auditors to “consider the specific facts and circumstances for each aspect” of a utility’s network monitoring technology deployment, conducting a thorough review of every system to ensure that no possible vulnerabilities are missed. 

“The NERC reliability standards covered in this practice guide establish a set of controls for protecting network monitoring deployments and BCSI information,” the guide says. “CMEP staff must understand how each of the registered entity’s various CIP programs are applied such as policies, procedures, access controls, training and periodic reviews with the ultimate goal of preventing unauthorized access to these cyber assets as well as any associated BCSI.”
