NERC CIP Compliance: Ensuring Security with LastPass

Hacktivists. Extreme weather. Rogue actors. The three biggest threats to our power grid know one thing: Our aging infrastructure is a weak link that can be exploited to cause massive disruptions. With 70% of transmission lines and 60% of circuit breakers at least 30 years old, widespread “cascading failures” are an unpleasant possibility. In fact, Reuters says that physical attacks on our energy infrastructure have remained high since 2022. This is where NERC-CIP comes in. 

Understanding NERC CIP

Overview of NERC CIP standards

NERC-CIP stands for The North American Electric Reliability Corporation Critical Infrastructure Protection. 

That’s certainly a mouthful, but this important set of standards serves as a cybersecurity framework for protecting the Bulk Electric System (BES) in North America. 

NERC-CIP applies to the United States, eight provinces in Canada, and Baja California in Mexico.  

In 2006, the Federal Energy Regulatory Commission (FERC) designated NERC as an Electric Reliability Organization (ERO).  

As an ERO, NERC would create and enforce Reliability Standards for the secure operation of North America’s Bulk Power System (BPS).  

So, what’s the difference between BES and BPS? 

The BPS refers to the facilities, resources, and elements that support the operation of an interconnected electric transmission network.  

Meanwhile, the BES refers to equipment operating at 100 kV or higher. This includes transmission lines, power plants, transformers, and generators. Essentially, BES elements that impact BPS reliability are subject to NERC’s Reliability Standards. 

So, who falls under NERC-CIP or who must comply with the NERC-CIP? 

If your business is one of the covered entities below, you understand the importance of NERC-CIP compliance. 

• Bulk power system owners and users (such as power plant owners, investor-owned utilities, municipal utilities, and major industrial consumers)
• Independent System Operators (ISO)
• Regional Transmission Organizations (RTO)
• Operators of Physical Access Systems (PACS)
• Operators of Protected Cyber Assets (PCA)
• Distribution System Operators (DSO)
• Reliability Coordinators (RC)
• Operators of Special Protection Systems 
• Operators of Electronic Access Control or Monitoring Systems (EACMS)

Importance of NERC CIP compliance

The story of NERC-CIP began in 1968 – due to events three years prior. 

It all started on a late afternoon in November 1965, when streetlights in Buffalo, New York, began to falter a little after 5PM.  

No one suspected a thing – not even when blaring radios stopped playing and TVs started flickering. It wasn’t until traffic crawled to a snail’s pace and subway trains screeched to a halt that everyone realized the gravity of the situation. 

In all, 800,000 commuters (about half the population of Nebraska) were trapped in NYC’s jet-black subway tunnels. Ever resilient and unflappable, New Yorkers didn’t let their city descend into panic and chaos. Everyone remained calm, shared candles & flashlights, and helped direct traffic at busy interactions.  

SO, what exactly happened? 

In a nutshell, a safety relay near Niagara Falls, Ontario had been set too low.  

Thus, heating systems and other appliances powering up on a cool evening led to a minor power fluctuation, causing the relay to trip. This led to power surges on other lines, which triggered safety relays on those lines to trip.  

As more and more relays tripped, a domino effect of “cascading failures” shrouded the entire Northeastern United States in darkness. 

It was this catastrophic event that led to the 1968 creation of the North American Electric Reliability Corporation (NERC), the originator of NERC-CIP. 

Meanwhile, another crippling power outage affecting the Northeast, Midwest, and Canada in 2003 served as the catalyst for real change. 

The blackout hit 50 million households (more than the 30 million affected in 1965), leading to the passage of the Energy Policy Act of 2005. This gave FERC the authority to oversee NERC’s creation of mandatory reliability standards for the BPS in 2006. 

If your organization is a covered entity, you know NERC-CIP standards are invaluable in safeguarding millions of households and businesses from significant power outages and economic disruption. 

Below, we discuss the newest updates to supercharge your current incident response plans, security controls, and critical cyber asset protections. 

Requirements under NERC CIP

First, what is NERC compliance? 

Under NERC-CIP, covered entities must identify critical assets, protect the logical & physical security of those assets, and maintain plans for recovering BES Cyber Systems following a breach.  

Ultimately, NERC-CIP compliance is all about grid resilience and our collective security. 

Next, we answer two popular questions we’re often asked, “How many NERC CIP standards are there?” and “What do the NERC CIP standards mean?” 

NERC-CIP compliance involves adherence to 14 critical infrastructure security control requirements: 

• Sabotage Reporting (CIP-001): This standard requires the reporting of incidents or suspicions of sabotage to relevant agencies and regulatory bodies.
• Critical Cyber Asset Identification (CIP-002): This standard emphasizes the documentation of critical cyber assets and the implementation of risk management measures to secure those assets.
• Security Management Controls (CIP-003): This standard requires the implementation of minimum-security management controls to protect critical cyber assets.
• Personnel and Training (CIP-004): This standard requires security designations for all personnel and visitors within the physical security perimeter.
• Electronic Security Perimeters (CIP-005): This standard requires the implementation of firewalls and controlled electronic access to BES cyber systems. Annual cyber vulnerability assessments are mandated by this standard.
• Physical Security of Critical Cyber Assets (CIP-006): This standard requires a physical security plan that addresses access and the proper use of controls within the physical security perimeter.
• Systems Security Management (CIP-007): This requires the testing, review, and maintenance of security management systems.
• Incident Reporting & Response Planning (CIP-008): This standard requires the development and maintenance of a cybersecurity incident response plan.
• Recovery Plans for Critical Cyber Assets (CIP-009): This requires the annual review of disaster recovery plans for mitigating disruptions to BES Cyber Systems.
• Configuration Change Management (CIP-010): This standard aims to limit unauthorized access to BES systems.
• Information Protection (CIP-011): This standard requires covered entities to implement protection controls for safeguarding BES Cyber System information.
• Real-Time Data Integrity Protection (CIP-012): This ensures the protection of real-time data transmitted between bulk electric system Control Centers.
• Supply Chain Security (CIP-013): This mandates formal supply chain cybersecurity risk management practices to secure BES Cyber Systems.
• Physical Security (CIP-014): This focuses on protecting critical assets from physical attacks or acts of sabotage.

Implementing NERC CIP

Best practices for NERC CIP compliance

So, how do you achieve NERC CIP compliance? 

These two best practices for NERC-CIP compliance will prove critical in 2024 and beyond: 

(1) Establishing a strong security culture through regular security awareness training: Your employees are the first line of defense against attacks on our critical infrastructure. Training empowers them with the confidence to recognize and mitigate potential security risks.  

When your employees realize they are part of a human firewall that protects not just your organization but also the country, this fosters a greater sense of collective responsibility and morale. 

Both internal and external training programs can prove invaluable for this purpose.  

For example, the Utility Cyber Security Forum is an annual training event focused on real-world preparation for utilities and energy providers to protect their Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) infrastructures. 

The training is for:  

• Electric, water, and gas utility executives
• Planning and risk management analysts
• SCADA and industrial control system professionals
• Executives at energy management service providers
• Cybersecurity professionals

(2) Maintaining accurate documentation of all compliance activities: This can help identify gaps in compliance, so you can address issues before they morph into a crisis. 

Current NERC-CIP standards require accurate logs of the following: 

• CIP-002: list of identified BES Cyber Systems and the process for categorizing assets
• CIP-003: documentation of internal cybersecurity policies
• CIP-004: documentation of personnel training programs and internal processes for access management & revocation 
• CIP-005: documentation for access control of Electronic Security Perimeters (ESP)
• CIP-006: documentation of physical security plans
• CIP-007: documented processes for patch management, malicious code prevention, and security event monitoring
• CIP-008: incident response plan documentation
• CIP-009: documentation of recovery plans, backup, and restoration procedures
• CIP-010: list of vulnerability assessment procedures  
• CIP-011: list of procedures for handling BES Cyber System information
• CIP-013: documentation of supply chain cybersecurity risk management plans
• CIP-014: risk assessment and security plan documentation

For updated revisions to the above, please refer to Certrec’s summary  or the Reliability Standards Development Plan 2024-2026. 

NERC CIP compliance software

Simplifying NERC-CIP compliance is key to peace of mind and operational integrity.  

Key features to look for in compliance software include real-time compliance status dashboards, automated evidence collection & reporting, task workflow management, and up-to-date NERC standards libraries. 

Current industry top choices with these features include: 

• Certrec NERCSuite: Certrec’s Core Support Hours service also provides on-demand support with NERC audits and Nuclear Regulatory Commission (NRC) post-inspection follow-ups. 
• AssurX ECOS: AssurX is easily scalable for both on-prem and cloud environments.
• Darktrace/OT: This OT (operational technology) security solution also evaluates your defenses in ICS and SCADA environments against Advanced Persistent Threat (APT) Groups.

Safeguarding critical infrastructure

Often, discussions on protecting critical infrastructure focus on mitigating supply chain issues, fostering a culture of compliance, and staying informed about new NERC-CIP updates. 

BUT ensuring the security of physical & electronic perimeters is equally critical. 

In 2022, Russia’s cyberwarfare unit Sandworm perpetrated a sophisticated attack on Ukraine’s power systems, taking out power in several regions. And in 2024, Russia’s attacks on Ukraine’s critical infrastructure have continued with missile & drone strikes, leading to nationwide blackouts. 

This illustrates the ongoing risks to physical and electronic perimeters and the importance of maintaining strong defenses as part of NERC-CIP compliance. 

Maintaining NERC CIP Compliance

Regular audits and assessments

Audits help organizations identify potential vulnerabilities early so corrective actions can be taken. They demonstrate to regulators and stakeholders that your organization is committed to continuous improvement and defense. 

In 2013, Iranian hackers broke into the command and control (C&C) center of the Bowman Avenue Dam in New York. They gained remote access of the dam’s SCADA systems via a cellular modem connecting the dam to the Internet. A disaster was only averted because the system happened to be offline at the time. 

Since then, hacktivists from Russia, China, and Iran have been relentlessly targeting our critical infrastructure. Audits are key to a culture of continuous improvement and preparedness, considering these threats to our collective security. 

Training and awareness programs

Regular training sessions should cover topics such as access controls, incident response, and security protocols. 

If you’re looking for NERC-CIP training resources, these options offer engaging scenario-based learning that increases retention and productivity:  

• Curricula NERC-CIP's gamified platform for NERC-CIP training: This popular training program (developed by former NERC-CIP staff) notifies you if any employees fall behind in their training obligations.
• SANS Institute NERC-CIP awareness training: Each short or minutes-long module reflects real-world scenarios, minimizing learner fatigue and increasing retention.

Addressing common compliance challenges

Compliance can be challenging for SMBs with limited resources. In response, NERC and its six regional entities published a Critical Infrastructure Protection Themes and Lessons Learned report to share solutions for four of the top challenges SMBs face: 

• Latent Vulnerabilities: This explores the importance of internal detective controls in preventing higher-risk programmatic failures.
• Insufficient Commitment to Low-Impact CIP Programs: This revisits CIP-003 R2 to address how your organization can prevent the compromise of low-impact assets, which often serve as a channel for attacking higher-impact assets.
• Shortages of Labor and Skillsets: This discusses solutions such as proper succession planning to ensure roles and responsibilities are properly defined to address organizational changes (onboarding & offboarding) and access privileges.
• Performance Drift: This highlights solutions to address apathy, negligence, circumvention, complacency, and other types of “performance drift” in physical security programs.

Benefits of NERC CIP Compliance

Enhancing grid reliability and resilience

By protecting critical infrastructure from cyber and physical threats, your organization helps ensure the stability and resilience of our power grid. 

In turn, this supports the broader goal of a reliable energy supply across North America.  

Take for example, the proposed 285-mile transmission line to deliver wind power from Idaho to California. 

According to the Bipartisan Infrastructure Law, the DOE (Department of Energy) has tentatively agreed to pay $331 million to Great Basin Transmission (a subsidiary of LS Power) to build the power line.  

NERC-CIP compliance will promote strict physical and electronic access controls to enhance the security of the new transmission line, which will in turn promote grid reliability and resilience. 

Mitigating cyber threats and vulnerabilities

Your greatest weapon in mitigating cyber threats are your employees.  

But what should you do if you face a staffing shortage and skills gap? 

A feedback sharing platform can be beneficial in four ways: 

• Promotes coordinated, more effective responses during security incidents
• Provides a platform for asking questions and applying NERC-CIP training in real-world scenarios
• Promotes rapid intelligence sharing in the face of new threats
• Facilitates discussion, analysis, and refinement of security controls  

Building trust with stakeholders and regulators

NERC-CIP standards require regular security audits, documented incident response plans, and timely reporting of security breaches. 

BUT what happens if you can’t comply with all the requirements? 

This prompts many people to ask, “What are the consequences of non-compliance with NERC-CIP regulations?” 

Plenty, if you ask us. 

If you have a major infraction of a moderate severity level, you could be liable for fines between $8,000 to $300,000 a day. The largest fine to date? $10 million, paid by Duke Energy to the NERC. 

Non-monetary penalties can include placing the offending entity on a “reliability watch list” or being subjected to an embarrassing “public letter of reprimand.” 

Ultimately, NERC-CIP compliance builds trust with regulators and consumers by demonstrating your organization’s reliability in protecting our critical infrastructure. 

NERC CIP Compliance Solutions with LastPass

Role of password management in NERC CIP compliance

Effective password management is a cornerstone of NERC-CIP compliance.  

As a covered entity, you must comply with password change obligations and ensure those changes meet the required parameters. 

For example, CIP-007-6 requires that: 

• Default passwords must be changed.
• Passwords must be at least eight (8) characters long for medium and high-impact BES systems.
• Minimum password complexity must have three or more different types of characters (uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.
• A limit must be specified for the number of unsuccessful authentication attempts or alerts must be generated after a threshold of unsuccessful authentication attempts.

At LastPass, we support your NERC-CIP compliance journey with: 

• Secure storage of credentials in a vault with AES-256 encryption and 600,000 rounds of PBKDF2-SHA-256 hashing plus salting
• A powerful Digital Security Dashboard + password generator to easily update weak or reused credentials
• Role-based access controls, so you know who has access to your organization’s most sensitive credentials

Implementing secure access controls

Secure access controls are key to protecting our nation’s critical infrastructure assets. 

NERC-CIP mandates secure access controls through the implementation of least privilege access, secure provisioning, audit logs, and MFA (Multi Factor Authentication). 

According to CIP-004-7 R6, your organization must “implement one or more documented access management program(s) to authorize, verify, and revoke provisioned access to BCSI (bulk electric system cyber system information).” 

For medium and high-impact BES cyber systems, electronic access and unescorted physical access must be revoked within 24 hours of termination. 

At LastPass, we have you covered with all the above. Along with role-based access controls, the two most powerful features to meet NERC-CIP cyber access requirements are: 

• Phishing-resistant MFA: With LastPass, you can combine our MFA with federated SSO to automate onboarding and offboarding. Our centralized management platform gives you the ability to immediately revoke access rights after job terminations or transfers.
• Passwordless authentication: At LastPass, we’re FIDO2 server certified and a FIDO2 Alliance board-level member responsible for developing specifications for FIDO2 authentication. Passwordless authentication substantially reduces the chances of a brute-force or credential attack succeeding.

You can enjoy seamless access management with a free, no-obligation LastPass Business trial today. 

Leveraging automation for streamlined compliance

In 2024 and beyond, automation is poised to revolutionize NERC-CIP compliance, especially when integrated with robust access controls and cybersecurity protections. 

According to ISC2’s 2023 Workforce survey of 14,865 security professionals across the world, a majority (40%) believe automation will have the greatest impact on mitigating an increasingly treacherous threat landscape. 

To simplify the most difficult parts of NERC-CIP compliance, consider integrating tools like Tripwire and SigmaFlow, especially for one-click RSAW (Reliability Standard Audit Worksheets) generation. RSAWs are the #1 way to prove 100% compliance when audited by your NERC Compliance Enforcement Authority (CEA). 

Staying Up to Date with NERC CIP

Latest updates and changes in NERC CIP standards

In 2024, NERC-CIP updates are focused on: 

(1) Mitigations for inverter-based resource (IBR) reliability risks. As you know, IBRs are BPS-connected facilities that can convert direct current (DC) electricity to alternating current (AC) electricity for grid use.  

IBR assets like solar photovoltaic systems, wind turbines, static synchronous compensators, and battery energy storage systems (BESS) play a critical role in grid resilience and reliability.  

In fact, the rapid interconnection of IBRs to the grid is now the key driver of renewable energy deployment and grid transformation.  

With rogue actors focused on attacking critical infrastructure, the NERC has developed resources to address IBR performance issues and emerging threats.  

First, significant numbers of IBR operators and owners have yet to acquire NERC registration or show compliance with its Reliability Standards. Thus, the NERC will be executing a FERC-approved work plan to achieve the identification and registration of these IBRs by 2026. 

To learn more, please refer to the IBR Registration Initiative Quick Reference Guide. You can also learn more about NERC’s risk management framework for mitigating high-impact and high likelihood events from this Inverter-Based Resource Strategy guide. 

NERC published its work plan for identification & registration on August 9, 2024. 

(2) The finalization of the PRC-028-1 standard for capturing and analyzing disturbance data.

This new standard is focused on evaluating IBR ride-through performance during BES disturbances and to ensure adequate data is available for event analysis, performance monitoring, and model valuation. 

The latest draft of the standard was released in July 2024. 

The NERC board expects to adopt this new standard in October 2024. 

(3) A new standard for internal network security monitoring (INSM)

As utilities begin to integrate cloud technologies into their operations, CIP-015 will help enhance the grid’s defense mechanisms with proactive cybersecurity measures. 

To learn more about INSM, please read the NERC’s Internal Network Security Monitoring Feasibility Study, which was published in January 2024. 

Resources for staying informed

Here’s our updated list of resources for new NERC developments: 

1. NERC’s Standards, Compliance, and Enforcement Bulletin Archive. The newest bulletin addresses transmission planning performance requirements for extreme weather.
2. The NERC Alert System. The newest alert addresses Inverter-Based Resource Model Quality Deficiencies.
3. Industry organizations like the EEI, NRECA, ESIG, EPRI, NATF, and APPA, which support your goal of protecting critical infrastructure
4. GridSecCon events. GridSecCon 2024 will be co-hosted by NERC, the E-ISAC, and the Midwest Reliability Organization (MRO) in Minneapolis.
5. Specialized NERC webinars, which provide info on internal network security monitoring and extreme cold weather grid preparedness
6. Compliance management software with built-in updates like Certrec’s SaaS-based RegSource® Solutions.

Collaborating with industry experts

Collaboration is crucial for maintaining effective NERC-CIP compliance. This includes: 

• Participating in NERC’s technical committees and working groups
• Engaging with firms that provide comprehensive support across all 14 NERC-CIP requirements, such as Verve Industrial and Fortinet
• Joining utility-focused information sharing organizations like E-ISAC, which offers physical security workshops for covered entities
• Engaging with organizations like the North American Generator Forum (NAGF) and participating in events by regional entities that advocate for and promote BPS resilience. This includes NPCC, MRO, FRCC, Texas RE, SPP RE, WECC & SERC.

Start your free LastPass trial today.