AWA’s NERC Cyber Security Compliance Services
We provide cyber security services helping entities meet security compliance needs. We have the experience, skills and resources to help your organization identify and protect critical cyber assets by helping you meet NERC CIP compliance requirements.
What Are NERC CIP Cyber Security Standards?
North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard is a cyber security standard for the North American Electric Grid (NAEG). It defines minimum requirements and guidelines needed to adequately safeguard the nation’s critical electric infrastructure from cybersecurity threats.
To be in compliance, all electric utilities are required to develop, document, and test Cyber Incident Response Plans (CIRPs) to ensure rapid recovery from a cyberattack or security failure. The goal of complying with NERC cyber security standards is to create an environment where the disruption of any electric utility system or element affects only its intended target at most. It aims to mitigate risk to critical cyber assets that control or impact the reliability of North America’s bulk power systems.
In 2010, when the NERC CIP cyber-security standards were first passed, nine of them were mandatory to meet and four optional, which have since been implemented.
Implementing NERC Cyber Security Standards
According to NERC’s Cyber Security Framework document, there are three key strategies that must be incorporated into a utility organization’s organizational structure in order to effectively implement and maintain compliance with NERC standards:
- Investing in state-of-the-art cyber security solutions that can detect, prevent, and mitigate any potential cyberattacks.
- Training all staff regularly on various topics related to the computer systems they utilize. This would include instruction on all updates or changes to procedures as well as employee education and training on cybersecurity.
- Periodically testing the security status of the electric utility, ensuring that vulnerabilities are properly addressed before a targeted attack occurs. Testing should be conducted regularly–at least once every 12 months–and some organizations perform tests more often to further decrease the risk of a breach and protect particularly critical assets.