Audit or spot checks for compliance can happen at any time, and an organization must demonstrate that it complies with all Reliability Standards applicable to its organization. NERC guidelines for financial and nonfinancial penalties are outlined in the NERC Sanction Guidelines. Severe violations can result in fines of $1,291,894 per violation.
Hackers regularly target critical infrastructures such as electric utilities and power control systems in the United States. The Colonial Pipeline ransomware attack in 2021 and the SolarWinds cyberattack in 2020 highlighted the importance of protecting critical infrastructures.
The NERC (North American Electric Reliability Corporation) developed a Critical Infrastructure Protection (CIP) program to help mitigate risks to critical cyber assets within Bulk Electric Systems. The CIP program is mandatory for any organization or “responsible entity” that comes under the electricity segment of the energy sector.
NERC Critical Infrastructure Protection (CIP)
In 1965, a large swath of the northeast U.S. and some of Canada experienced one of the most significant blackouts in history. A cascade of transmission line trippings caused the blackout. As a result of this disaster, the National Electric Reliability Council was created in 1968 and eventually became known as the North American Electric Reliability Corporation (NERC). NERC’s remit increased coordination and cooperation, becoming synonymous with the electric industry.
NERC is a not-for-profit international regulatory authority created to ensure the effective and efficient reduction of risks to the reliability and security of the U.S. grid. NERC develops and enforces Reliability Standards, including the Critical Infrastructure Protection program, NERC CIP, to achieve this.
An even bigger U.S. blackout in 2003 saw the development of the first version of the CIP standards. The standards were eventually approved for adoption on May 2, 2006, and ratified by the Federal Energy Regulatory Commission in 2008. The NERC CIP originated in North America, but the standard is also used in other countries, including Mexico, Colombia, and Brazil.
NERC CIP has undergone several version iterations since, and additions and addendums continue to update the controls to factor in technological changes and the evolving threat landscape.
How Akamai helps organizations comply with NERC CIP
NERC CIP requires that critical infrastructure entities comply with stringent security controls. This includes securing their environment and systems against ransomware, phishing, and unauthorized access. Akamai security solutions provide intelligence and end-to-end protection to protect critical infrastructure operational technology (OT) and IT systems and data from breaches, security incidents, malware infection, and accidental data exposure. Akamai’s security platform provides the dynamic security and granular access control needed to apply Zero Trust principles (link to https://www.akamai.com/glossary/what-is-zero-trust) to data protection across a critical infrastructure’s distributed OT/IT environment. Akamai helps your security teams to maximize the effectiveness and ROI of your security investments by moving beyond traditional endpoint detection to provide a powerful Zero Trust solution to the security and privacy of data.
Akamai provides:
- A global security platform that enforces Zero Trust security with comprehensive coverage of your IT environment
- Deep visibility into assets, access, and network flows
- Granular enforcement of security policy
NERC CIP security controls
The CIP provides security controls for power generation, transmission, and distribution enterprises. The NERC CIP standard details the requirements and risk management needed to protect Bulk Electric System (BES) Cyber System Information (BCSI) “critical assets” that could be used to gain unauthorized access or pose a security risk to a BES.
“Critical Assets” are defined by NERC as “facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.”
The NERC CIP is a series of mandatory security controls covering 10 cybersecurity standards covering all aspects of critical infrastructure security, including people, processes, and technology.
NERC CIP compliance
The NERC Compliance Monitoring and Enforcement Program (CMEP) tracks, assesses, and enforces CIP program compliance. The CMEP has a statutory responsibility outlined in section 215(e) of the Federal Power Act and 18 C.F.R. §39.7. Responsible entities are all bulk power system owners, operators, and users. Responsible entities must register with NERC through the appropriate Regional Entity.
How does NERC CIP affect an organization?
Gartner predicts 30% of critical infrastructure organizations will experience a severe cyberattack by 2025. This trend is borne out by organizations such as the FBI IC3. (Internet Crime Complaint Center), which records critical infrastructure attacks; in 2022, of the 16 NIST classified critical infrastructures, IC3 found that 14 sectors had at least one member that experienced a ransomware attack. Two sector examples of critical infrastructures that exemplify the need for NERC CIP controls include:
Energy
According to IBM’s 2023 Threat Intelligence Index, in 2022, almost 11% of reported cyberattacks targeted the energy industry. Energy is a critical service in any country, and the loss of the grid can have a long-reaching impact on society. Utilities such as energy are disrupted and threatened by geopolitical instability, state-sponsored attacks, and financial gain. Energy suppliers must follow the tenets of the CIP to build a robust IT/OT infrastructure. A Zero Trust platform can help meet the CIP controls and ensure that threats like ransomware are detected and stopped before an incident occurs.
Manufacturing
Critical manufacturers include those making primary metals and transportation equipment. In 2017, a Petya ransomware attack on shipping and logistics giant Maersk cost US$200—US$300 million and resulted in major disruptions across the supply chain. Manufacturers must comply with CIP controls to prevent malware, such as ransomware attacks. Ransomware is often initiated by unauthorized access or insecure IT/OT systems. A Zero Trust security approach provides the depth of protection needed across expanded and complex OT/IT infrastructures.
How can Akamai help with NERC CIP compliance?
NERC CIP mandates that cybersecurity hygiene practices are enforced. Measures to uphold the CIP controls include patch management, enforcement of authentication of interactive user access, robust authentication, and measures to deter, detect, or prevent malicious code, such as ransomware.
Akamai’s suite of solutions is designed to deliver Zero Trust security to help your organization meet NERC CIP compliance, and stop the spread of ransomware and other advanced attacks. Akamai helps to protect critical infrastructure from vulnerabilities introduced by the cloud and a distributed workforce, to meet compliance requirements from NERC CIP, GDPR, HIPAA, etc.
- Akamai Guardicore Segmentation: eliminate risk in your network with industry-leading microsegmentation
- Application and API protection: prevent DDoS and safeguard assets
- Akamai Account Protector: advanced machine learning, behavioral analytics, and reputation heuristics to proactively identify and block fraudulent human activity and account takeover
- Access and authorization: Zero Trust architecture provides simplification of compliance
Mapping NERC CIP with NIST
NIST and the North American Electric Reliability Corporation (NERC), in a joint effort, mapped the elements between the Cybersecurity Framework Core (CSF) v1.1 and The Critical Infrastructure Protection (CIP) Cyber Security Reliability Standards to provide a better understanding of the measures to enhance the security of the national grid.
Frequently Asked Questions (FAQ)
NERC CIP stands for North American Electric Reliability Corporation Critical Infrastructure Protection. It is a set of standards designed to secure the assets required for operating North America’s Bulk Electric System.
NERC CIP standards apply to entities that own, operate, or use Bulk Electric System assets.
- CIP-002-5.1a (BES Cyber System Categorization)
Determines the appropriate type of security measures needed to mitigate risks to BES cyber systems. - CIP-003-6 (Security Management Controls)
Regular reviews of cybersecurity policies. - CIP-004-6 (Personnel & Training)
Includes regular security awareness training. - CIP-005-6 (Electronic Security Perimeters)
Includes access management and permissioning, as well as control of remote access and data encryption. - CIP-006-6 (Physical Security of BES Cyber Systems)
Physical access security. - CIP-007-6 (Systems Security Management)
Cybersecurity hygiene such as patch management, enforcement of authentication of interactive user access, robust authentication, and implement measures to deter, detect, or prevent malicious code. - CIP-008-6 (Incident Reporting and Response planning)
Response planning and incident reporting. - CIP-009-6 (Recovery Plans for BES Cyber Systems)
Recovery plan requirements. - CIP-0010-3 (Configuration Change Management and Vulnerability)
To prevent and detect unauthorized changes to BES Cyber Systems. - CIP-0011-2 (Information Protection)
The protection and secure handling of BES Cyber System Information, including storage, transit, and use.
Why customers choose Akamai
Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.