What Is NERC CIP?

Hackers regularly target critical infrastructures such as electric utilities and power control systems in the United States. The Colonial Pipeline ransomware attack in 2021 and the SolarWinds cyberattack in 2020 highlighted the importance of protecting critical infrastructures.

The NERC (North American Electric Reliability Corporation) developed a Critical Infrastructure Protection (CIP) program to help mitigate risks to critical cyber assets within Bulk Electric Systems. The CIP program is mandatory for any organization or “responsible entity” that comes under the electricity segment of the energy sector.

In 1965, a large swath of the northeast U.S. and some of Canada experienced one of the most significant blackouts in history. A cascade of transmission line trippings caused the blackout. As a result of this disaster, the National Electric Reliability Council was created in 1968 and eventually became known as the North American Electric Reliability Corporation (NERC). NERC’s remit increased coordination and cooperation, becoming synonymous with the electric industry.

NERC is a not-for-profit international regulatory authority created to ensure the effective and efficient reduction of risks to the reliability and security of the U.S. grid. NERC develops and enforces Reliability Standards, including the Critical Infrastructure Protection program, NERC CIP, to achieve this.

An even bigger U.S. blackout in 2003 saw the development of the first version of the CIP standards. The standards were eventually approved for adoption on May 2, 2006, and ratified by the Federal Energy Regulatory Commission in 2008. The NERC CIP originated in North America, but the standard is also used in other countries, including Mexico, Colombia, and Brazil.

NERC CIP has undergone several version iterations since, and additions and addendums continue to update the controls to factor in technological changes and the evolving threat landscape.

NERC CIP requires that critical infrastructure entities comply with stringent security controls. This includes securing their environment and systems against ransomware, phishing, and unauthorized access. Akamai security solutions provide intelligence and end-to-end protection to protect critical infrastructure operational technology (OT) and IT systems and data from breaches, security incidents, malware infection, and accidental data exposure. Akamai’s security platform provides the dynamic security and granular access control needed to apply Zero Trust principles (link to https://www.akamai.com/glossary/what-is-zero-trust) to data protection across a critical infrastructure’s distributed OT/IT environment. Akamai helps your security teams to maximize the effectiveness and ROI of your security investments by moving beyond traditional endpoint detection to provide a powerful Zero Trust solution to the security and privacy of data. 

Akamai provides:

• A global security platform that enforces Zero Trust security with comprehensive coverage of your IT environment
• Deep visibility into assets, access, and network flows
• Granular enforcement of security policy

The CIP provides security controls for power generation, transmission, and distribution enterprises. The NERC CIP standard details the requirements and risk management needed to protect Bulk Electric System (BES) Cyber System Information (BCSI) “critical assets” that could be used to gain unauthorized access or pose a security risk to a BES.

“Critical Assets” are defined by NERC as “facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.”

The NERC CIP is a series of mandatory security controls covering 10 cybersecurity standards covering all aspects of critical infrastructure security, including people, processes, and technology.

The NERC Compliance Monitoring and Enforcement Program (CMEP) tracks, assesses, and enforces CIP program compliance. The CMEP has a statutory responsibility outlined in section 215(e) of the Federal Power Act and 18 C.F.R. §39.7. Responsible entities are all bulk power system owners, operators, and users. Responsible entities must register with NERC through the appropriate Regional Entity.

Gartner predicts 30% of critical infrastructure organizations will experience a severe cyberattack by 2025. This trend is borne out by organizations such as the FBI IC3. (Internet Crime Complaint Center), which records critical infrastructure attacks; in 2022, of the 16 NIST classified critical infrastructures, IC3 found that 14 sectors had at least one member that experienced a ransomware attack. Two sector examples of critical infrastructures that exemplify the need for NERC CIP controls include:

Energy

According to IBM’s 2023 Threat Intelligence Index, in 2022, almost 11% of reported cyberattacks targeted the energy industry. Energy is a critical service in any country, and the loss of the grid can have a long-reaching impact on society. Utilities such as energy are disrupted and threatened by geopolitical instability, state-sponsored attacks, and financial gain. Energy suppliers must follow the tenets of the CIP to build a robust IT/OT infrastructure. A Zero Trust platform can help meet the CIP controls and ensure that threats like ransomware are detected and stopped before an incident occurs.

Manufacturing

Critical manufacturers include those making primary metals and transportation equipment. In 2017, a Petya ransomware attack on shipping and logistics giant Maersk cost US$200—US$300 million and resulted in major disruptions across the supply chain. Manufacturers must comply with CIP controls to prevent malware, such as ransomware attacks. Ransomware is often initiated by unauthorized access or insecure IT/OT systems. A Zero Trust security approach provides the depth of protection needed across expanded and complex OT/IT infrastructures.

NERC CIP mandates that cybersecurity hygiene practices are enforced. Measures to uphold the CIP controls include patch management, enforcement of authentication of interactive user access, robust authentication, and measures to deter, detect, or prevent malicious code, such as ransomware. 

Akamai’s suite of solutions is designed to deliver Zero Trust security to help your organization meet NERC CIP compliance, and stop the spread of ransomware and other advanced attacks. Akamai helps to protect critical infrastructure from vulnerabilities introduced by the cloud and a distributed workforce, to meet compliance requirements from NERC CIP, GDPR, HIPAA, etc.

• Akamai Guardicore Segmentation: eliminate risk in your network with industry-leading microsegmentation
• Application and API protection: prevent DDoS and safeguard assets
• Akamai Account Protector: advanced machine learning, behavioral analytics, and reputation heuristics to proactively identify and block fraudulent human activity and account takeover
• Access and authorization: Zero Trust architecture provides simplification of compliance

NIST and the North American Electric Reliability Corporation (NERC), in a joint effort, mapped the elements between the Cybersecurity Framework Core (CSF) v1.1 and The Critical Infrastructure Protection (CIP) Cyber Security Reliability Standards to provide a better understanding of the measures to enhance the security of the national grid.