The NERC CIP Evolution

By Kathleen Davis, Senior Editor

The North American Reliability Corp.’s (NERC) critical infrastructure protection rules (CIP) continue to impact power utilities. That impact is about to change, but not lessen. The rules are only bound to get more detailed and restrictive as NERC CIP grows and adapts to the industry and the smart grid.

“Security and compliance are spelled differently in the English language because they actually mean different things,” said Tim Roxey, director of risk assessment and technology division for the NERC at a session during the UTC Telecom Conference in Long Beach, Calif., May 10-13, 2011.

“We have a culture of compliance when we should really have a culture of security,” he added, noting the continuing discussion about whether adhering to the CIP rules really makes a utility more secure. But, Roxey said, the industry needs to work with what it’s got at the moment, which is compliance, and that’s where NERC CIP comes into the security equation.

They’re starting with compliance and hoping to evolve into real security protection as versions change to meet smart grid needs. That process can be painful, complex and problematic. But, there has been progress.

Vulnerabilities and Versions According to NERC

“Do I really gotta? Yeah I really gotta,” Roxey joked, rolling through a short history of the CIPs. Version No. 1 of the NERC CIP standards was approved in 2008. Version No. 2 removed “reasonable business judgment” and “acceptance of risk” in 2009. Version No. 3, the current version, brought a visitor control program and was approved in 2010. Version four is in the works.

“There are a lot of very heated conversations on these issues,” Roxey said.

Version No. 4 replaces language like “risk-based assessment methodology” with “bright-line criteria.” It still maintains the concept of critical asset and critical cyber asset. It eliminates subjectivity by entities over what is “critical.” And, it ties bright-line criteria to operational standards, Roxey said.

Once approved, utilities would have about 21 months to work toward compliance with this new version, which is expected to land in July 2013.

The drafting team still has a number of development goals to go, most mandated by the Federal Energy Regulatory Commission (FERC). So, there is a version No. 5 on its way.

Roxey also showed the growing complexity of communications specifically. The more that infrastructure grows, the more has to be covered by CIP.

“When I started in this industry, the communications infrastructure was a guy named Joe who basically lived in the substation and had a phone,” he said. “Now it’s this incredibly complex system.

“It’s almost impossible for a company to remain compliant, let alone secure, because of the complexity,” Roxey said, noting that the complexity moves past just communications and that guy named Joe to all other areas covered by CIP.

Details and differences are the history of NERC CIP, noted the panelist that followed Roxey. And those differences and details created the complexity issue, which is connected to the compliance vs. security argument.

“NERC CIP is all about compliance and not about security,” said Jerome Farquharson, practice manager at Burns & McDonnell. “Eighty to 90 percent of what a utility is doing with NERC CIP is paperwork.

“Compliance doesn’t necessarily make you secure,” Farquharson said. “But, as we grow and change, we are trying to put more emphasis on security.”

Farquharson noted clarity about critical assets—what they are and where they start and stop in the utility structure—is a huge dream of the industry, though the standards haven’t quite gotten to that point of clarity yet. But, both Farquharson and Roxey do see that clarity coming.

Compliance vs. Security

Prudence Parks, vice president and legislative counsel for UTC, discussed how the industry is dealing with the NERC CIP versions in a session that followed Roxey and Farquharson at the UTC Telecom Conference.

“We’ve been following this very closely,” she told the audience. “Cybersecurity is very sexy right now. You’re going to have a lot of masters.”

The UTC did an informal set of interviews about NERC CIP compliance, according to Parks. The interviews produced a list of challenges, including:


  • Managing the paperwork,
  • Dealing with constant changes and revisions,
  • Getting employees to accept security,
  • Consolidating threat information from government sources,
  • Dealing with vendors who claim CIP compliance but whose products don’t deliver, and
  • Understanding what the standards specifically require.

One of the final challenges that spoke heavily to Parks was a hesitance to make certain security enhancements because it might reveal potential non-compliance, which returns to the heart of the compliance vs. security issue with NERC CIP.

This also fits into some of the findings from those interviews, including the idea that NERC CIP doesn’t increase security and that there needs to be a way to filter information and consolidate interpretations.

Focus Areas

NERC CIP is growing, and perhaps having a few pains with that cultural evolution. Currently, a utility needs to focus on what’s in front of them.

“At the end of the day, it is what it is,” Farquharson said, stressing that compliance is required, despite some issues with clarity. “We may not like the system. That’s fine, but we need to do it.” Farquharson does see NERC CIP becoming the “de facto” standard in this area. So, a utility shouldn’t expect the standards to just go the way of the dodo.

“NERC CIP is very real,” said Bud Voss, chief technology officer at Comverge, during an earlier session at UTC Telecom. He added that a utility has three things to worry about right now: user authentication, electric perimeters and audit logging. So, get used to paperwork.

“We audit trail everything—every button click, every data field change, out to the communications network as well. Once we put data on a pipe, that’s all completely logged,” Voss noted. So, for the moment, it’s all about compliance. Security may come later in the NERC CIP process, but the issue right now is writing everything down.

Perhaps someone should call Joe down at the substation and make sure he has a pencil.
