What is the North American Electric Reliability Corporation (NERC)?
The North American Electric Reliability Corporation (NERC; www.nerc.com) is a not-for-profit organization whose mission is to “ensure the reliability of the North American bulk power system.” Its scope is the interconnected bulk power grids of the United States, Canada, and a portion of Baja California, Mexico.
The Energy Policy Act of 2005 authorized the U.S. government (and later Canadian provincial regulators) to certify an “Electric Reliability Organization” to develop and enforce mandatory reliability standards, including cybersecurity standards, for organizations operating on the bulk power grid. In 2006, NERC applied for and was granted this designation. NERC then introduced its Critical Infrastructure Protection (CIP) Reliability Standards, labeled CIP-002 through CIP-009. In 2009, version 2 of these standards was approved and NERC began auditing Registered Entities for compliance.
As of June 30, 2010, all Registered Entities must demonstrate “auditable compliance” with all eight CIP standards on a semi-annual basis. Failure to meet any one standard may result in financial penalties of up to $1 million per day per violation, depending on risk and severity. Of the eight CIP standards, six contain requirements that relate to continuous network monitoring:
- CIP-002: Critical Cyber Asset Identification
- CIP-003: Security Management Controls
- CIP-005: Electronic Security Perimeter(s)
- CIP-007: Systems Security Management
- CIP-008: Incident Reporting and Response Planning
- CIP-009: Recovery Plans for Critical Cyber Assets