Be the first to like this
The North American Electric Reliability Corporation (NERC) maintains a set of Critical Infrastructure Protection (CIP) guidelines that address a broad range of critical cyber asset and cyber security issues. These guidelines describe the security-focused procedures that, in combination with compliant technology, enable secure electric grid operations. The CIP guidelines do not specify the technologies that must be deployed. Instead, they describe the technology design necessary to build an information management architecture that complies with security goals.
These goals include the minimizing of administrative authorization needed for operational functions. Rights and privileges are to be assigned to a functional role, not a named individual. Audit trails of field data device and substation activity, similar to control room auditability, must be maintained to assure comprehensive confidence in data and controls.
The six CIP guidelines summarized in the paper speak to the procedures and policies that are vital to critical cyber asset security – personnel authorizations; personnel training; security of the information management system’s electronic perimeter; security of the information management system’s physical assets; operational security; and incident reporting and response planning.
The utility builds its CIP-compliant program with defined procedures addressing these guidelines, coupled with the hardware and software that enable full implementation of these procedures. Training of all personnel is necessary for effective and efficient compliance.