NIST CSF as a Lens for NERC CIP

Published by Eric Cardwell

On July 27, 2020, the North American Electric Reliability Council (NERC) released an updated mapping of the Critical Infrastructure Protection (CIP) Reliability Standards to the National Institute of Standards Framework for Improving Critical Infrastructure Cybersecurity, commonly known as the NIST Cybersecurity Framework (NIST CSF). The newly released mapping will be a useful tool for those organizations within the electric power and utility industry that must adhere to NERC CIP compliance.

Previous mappings of NIST CSF to NERC CIP had become obsolete with an updated version of the CSF released in April of 2018. This coupled with new standards as part of NERC CIP over the years rendered previous mappings to be no longer useful.

As background, the NERC CIP Reliability Standards derive from the Federal Energy Regulatory Commission (FERC) Order No. 706, which was issued in January of 2008. The CIP Standards have been updated over the past twelve years to address the constantly evolving types of cybersecurity threats to the bulk electric system (BES).

At present, the CIP Reliability Standards consist of 13 standards that specify a set of requirements that registered entities must follow to ensure the cyber and physical security of the bulk power system. Currently, there are 10 active cybersecurity standards and 2 (CIP-012-1 and CIP-013-1) that will be effective in the near future.

The 13 CIP reliability standards for cyber and physical security of bulk power

  • CIP-002-5.1a: Bulk Electric System Cyber System Categorization: Requires entities to identify and categorize BES cyber elements and their associated cyber assets for the application of cybersecurity requirements using a tiered approach commensurate with the adverse impact of their loss, compromise, or misuse.
  • CIP-003-7: Security Management Controls: Requires entities to specify consistent and sustainable security management controls to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
  • CIP-004-6: Personnel and Training: Requires the minimizing of risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness.
  • CIP-005-5: Electronic Security Perimeter(s): Requires entities to manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
  • CIP-006-6: Physical Security of Bulk Electric System Cyber Systems: Requires entities to manage physical access to BES Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
  • CIP-007-6: System Security Management: Requires entities to manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
  • CIP-008-5: Incident Reporting and Response Planning: Requires entities to mitigate the risk to the reliable operation of the BES as the result of a cybersecurity incident by specifying incident response requirements.
  • CIP-009-6: Recovery Plans for Bulk Electric System Cyber Systems: Requires entities to recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.
  • CIP-010-2: Configuration Change Management and Vulnerability Assessments: Requires entities to prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the BES.
  • CIP-011-2: Information Protection: Requires entities to prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.
  • CIP-012-1: Communications between Control Centers: Requires entities to protect the confidentiality and integrity of real-time assessment and real-time monitoring data transmitted between Control Centers.
  • CIP-013-1: Supply Chain Risk Management: Requires entities to mitigate cybersecurity risks by implementing security controls for supply chain risk management of BES Cyber Systems.

The Importance of Mapping NIST CSF to NERC CIP

Numerous organizations in the North American critical infrastructure energy sector must be compliant with the NERC CIP Standards. Many of these organizations have implemented the higher-level CSF separately from the more specific NERC CIP compliance requirements. By mapping the two together, an organization can be more secure and effective in assessing and implementing strong security controls. Although not as prescriptive, the controls outlined in the CSF exceed those of the CIP requirements that are more compliance based.

The recently released mapping from NIST CSF to NERC CIP will be of great benefit to the organizations in the electricity industry. The tool lists the CSF Categories and Subcategories and maps them to the specific CIP requirements. It also includes the mapping logic, as well as specific guidance for the use of the combined framework and standards. The mapping also provides a reverse approach that maps the CIP requirements to the CSF Subcategories. Examples of these two approaches to the mapping can be viewed in the following diagrams.

NIST CSF with mapping to NERC CIP

 

NERC CIP with mapping to NIST CSF

Recent FERC White Paper envisions incentives for cybersecurity investments

On June 18, 2020, FERC issued a Cybersecurity Incentives Policy White Paper. The white paper, which can be found on the FERC website, discusses a potential new framework for providing transmission incentives to utilities for cybersecurity investments. This new framework would review and provide benefits to those organizations that exceed the requirements of the NERC CIP Standards. FERC stated that “transmission incentives to counter the evolving and increasing threats to the cybersecurity of the electric grid may be warranted.” NERC CIP categorizes assets as high, medium, and low impact systems. While all the standards apply to the high and medium risk assets, only a few apply to the low impact assets.

The white paper outlines two paths for an organization to identity and implement cybersecurity investments. The first would call for the implementation of medium or high security controls for facilities identified as low or medium impact systems. The second approach would award incentives based on an organization implementing portions of the NIST CSF to its assets. Although the CIP standards would still be the basis for granting cybersecurity incentives, organizations would have the flexibility of non-prescriptive options from the NIST CSF that would exceed the CIP Standards.

NIST CSF in the Axio360 platform with mapping to NERC CIP

Axio has already implemented the mapping of the NIST CSF to the NERC CIP informative language in the Axio360 platform. This allows the utility end-user to be more effective at navigating the NIST CSF Categories and Subcategories to the CIP requirements and informative language. This will also facilitate the tracking of multiple other models and frameworks along with the NIST CSF and NERC CIP standards.

NIST CSF Assessment Interface in Axio360 with mapping to NERC CIP

If you’d like to experience the complete functionality of NIST CSF with mapping to NERC CIP and discuss your particular use case for the framework, our experts are standing by. You can book a demo here.

About the author: Eric Cardwell is a Director of Cyber Risk Engineering at Axio