NERC CIP Reliability Standards – Protecting the Critical Energy Infrastructure With Identity Governance

Jackie Gilbert, SailPoint Technologies

There has been a lot of speculation among regulators, security professionals and industry consultants about whether the nation’s energy providers have the right safeguards over critical infrastructure. This summer, those questions will be answered one audit at a time. That’s when the deadline for becoming “auditably compliant” with the North American Electric Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) reliability standards takes effect. Yes, the auditors are coming, and that means not just compliance, but proof of compliance.

NERC developed the CIP reliability standards to protect against utility cyberattacks. The standards provide a framework for protecting the reliability of the North American utility industry’s bulk electric system by identifying and protecting critical cyberassets that could affect utility operations. The NERC CIP standards were approved by the Federal Energy Regulatory Commission in early 2008, making compliance with the standards mandatory and enforceable by law. NERC has issued an implementation schedule that requires companies to be auditably compliant with the standards by July 1.

Asked to explain the difference between “compliant” and “auditably compliant,” Michael Assante, NERC vice president and chief security officer, said, “Compliant means that the entities are required to comply with the standards and self-certify their compliance. Auditably compliant means that regular, scheduled audits of compliance with the standards will be conducted.”

NERC has the authority in the U.S. to fine entities found in violation of CIP standards up to $1 million per day, per violation.


NERC CIP Standards


Eight NERC CIP reliability standards cover more than 160 aspects of cybersecurity in the critical energy infrastructure and must be complied with, reviewed every year, and audited by NERC. Identity and access management is a critical component of these standards because it allows organizations to monitor and control access to assets that might be vulnerable to cyberattacks. These regulations require energy providers to document all critical cyberassets essential to operations, review employees’ access privileges to protected information to confirm that those privileges are correct and appropriate, and implement an access control model that denies access by default, so that every permission must be granted explicitly. For organizations with thousands of employees and hundreds of assets, maintaining this level of visibility and control is not easy.

A new category of solution (identity governance) provides an automated approach to strengthening access controls and documents evidence of strong controls for audit purposes. With identity governance, organizations can address many of the NERC CIP requirements in one solution, rather than having to pull together manual processes, homegrown solutions based on spreadsheets and e-mail and other ad hoc approaches. More important, identity governance provides a complete, auditable record of who has access to which systems, who requested access, and who approved or denied the request. With extensive documentation and reporting capabilities, identity governance provides on-demand proof of compliance to auditors without the need for tedious manual data compilation.


Collaboration, Automation and Risk Management—Keys to Auditable Compliance


Taking the necessary strategic-level approach to CIP compliance management starts with three elements: collaboration, automation and risk management.

  • Collaboration: Compliance traditionally has been foisted onto information technology alone, but doing it right means the business side must be involved, too. Similarly, human resources and legal personnel need to be involved because they know employees’ status. Without cooperation and collaboration, these groups will inevitably duplicate effort and contradict each other.
  • Automation: Manual processes are fraught with potential for error and inaccuracy that stymie efforts to comply and demonstrate compliance. They’re also expensive and time-consuming. Automation reduces the risk of human error and the time and costs required to be compliant and auditably compliant.
  • Risk assessment and management: Risk assessment plays a critical role in becoming auditably compliant with the NERC CIP standards. The starting point for CIP compliance is a risk-based assessment methodology to identify critical assets and associated critical cyberassets. Based on this risk assessment, the organization can focus security and access controls on the entity’s most critical resources.



Identity Governance


A variety of industries, from financial services to healthcare to telecommunications to manufacturing, use identity governance software to comply with an even wider variety of domestic and international regulations. Identity governance specifically offers:

  • A centralized, integrated view of the data required to manage identity and access risk across applications and infrastructure,
  • Collaborative analytics and tools to foster cooperation among business, information technology and audit and compliance teams,
  • Automated work flow and policy enforcement to improve efficiency, accuracy and consistency, and
  • A risk-based approach that focuses compliance efforts on the cyberassets that represent the greatest value (and potential liability) to the business.


Collecting those functional areas in one solution facilitates tasks that affect compliance, such as employee role creation, assignment and life cycle management across enterprise applications. Identity governance also provides automated access certifications, policy enforcement, and activity monitoring that address the auditability requirement that makes NERC CIP compliance such a chore.

With the penalties for noncompliance so high, utility company management will take NERC CIP compliance seriously. What approach will an organization take? Picking a sustainable, affordable approach is key to achieving critical infrastructure protection along with long-term business success. Identity governance provides a structured approach for dealing with the identity and access management requirements imposed by the NERC CIP standards and other regulations. By offering a framework for automating compliance, facilitating business and information technology collaboration, and taking a risk-based approach, identity governance helps organizations achieve sustainable, affordable compliance while mitigating identity and access risk.

Jackie Gilbert is vice president of marketing at Austin, Texas-based SailPoint Technologies.




Wireless Networks and the Smart Grid


Marc Reed, Sensus

The smart grid promises a host of new devices and services for power distribution monitoring, from utility substations to end-user businesses and private residences. Grid reclosers, capacitor bank monitors, smart meters, thermostats and in-home displays will be more prevalent as the smart grid evolves. These devices’ enhanced capabilities are enabled by the utility’s ability to communicate with them remotely. Standards are in development by the National Institute of Standards and Technology (NIST) and the Institute of Electrical and Electronics Engineers (IEEE) to create easier interoperability and promote universal availability of these devices.

Of the variety of communications technologies available, wireless networks are often the technology of choice. A good differentiator among wireless technologies is whether the radio spectrum used is in a Federal Communications Commission (FCC)-licensed or unlicensed band.


Unlicensed Wireless Devices


Unlicensed wireless devices operate in an Industrial, Scientific and Medical (ISM) band set aside by the FCC, usually 902-928 MHz or 2,400-2,483 MHz. Devices operate for free, provided that the rules for the ISM bands are followed. Unlicensed devices transmit 1 watt or less of power, and they “may not cause harmful interference and must accept any interference received, including interference that might cause undesired operation.”

To avoid interference, spread spectrum techniques are used. Rather than transmitting on a single channel, the radio spreads its energy across the band using either direct sequence (a high-speed code sequence spreads the radio energy over a large band) or the more common frequency-hopping method (the radio hops to a different channel once every message or several times during a single transmission). If the receiver knows the code used to spread the radio energy, it can use the same code to un-spread the signal or tune to the correct frequency channel.


Unlicensed Pros and Cons


The main benefit of an unlicensed radio network is its free availability. That same benefit, however, can turn into a liability as more devices compete for the same limited resource. All radios rely on a minimum signal-to-noise ratio to operate, meaning that to correctly receive a message, the level of the signal must be a specified amount higher than the background noise. In unlicensed radios, the level of the signal is fixed to a maximum of 1 watt, while the level of noise continues to rise as more ISM band devices are added to the environment. The primary consequence of the higher noise floor is that the range of the links is limited and can be unpredictable.


Licensed Spectrum


Licensed spectrum devices on the smart grid operate in a variety of channels and frequency bands originally used for supervisory control and data acquisition (SCADA), paging and other services. Communications in these bands tend to be narrowband in nature, use a single frequency carrier, and do not have the power limitations of ISM band devices. The FCC provides legal protection and enforcement against interferers in these bands.


Licensed Spectrum Pros and Cons


Licensed spectrum is a scarce resource that is difficult and expensive to acquire. Available bandwidth can be an issue unless sufficient spectrum for the needed data is acquired. If licensed spectrum is available, however, it has significant advantages over unlicensed spectrum.

The first is related to the signal-to-noise ratio. Because licensed devices can transmit more power, they have a significant advantage on the signal part of this equation, sometimes up to hundreds of times in the case of a central collector.

Second, because the spectrum is protected by the FCC, the noise in licensed bands is usually nearly nonexistent. This makes the reliable range of licensed band smart grid devices significantly better.
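The range argument of the preceding passages (a 1 W ISM transmitter under a rising noise floor versus a licensed link with far more power and a nearly empty band) worked through as an added example; this is not code from the article or from Sensus. The log-distance path-loss model and its exponent, the 915 MHz carrier, the 100 kHz receiver bandwidth, the 10 dB required SNR and the 100x interference rise are all assumptions chosen for illustration.

```python
import math

C = 299_792_458.0          # speed of light, m/s
BOLTZMANN = 1.380649e-23   # J/K


def thermal_noise_w(bandwidth_hz: float, temp_k: float = 290.0) -> float:
    """Thermal noise power kTB (watts) seen by a receiver of this bandwidth."""
    return BOLTZMANN * temp_k * bandwidth_hz


def free_space_loss_lin(freq_hz: float, d_m: float) -> float:
    """Free-space path loss as a linear power ratio: (4*pi*f*d/c)^2."""
    return (4 * math.pi * freq_hz * d_m / C) ** 2


def max_range_m(tx_power_w, noise_w, snr_min_db, freq_hz,
                path_loss_exp=2.0, gains_lin=1.0, d0_m=1.0):
    """Largest distance at which the received signal still clears the
    required SNR, under an assumed log-distance path-loss model:
        Pr(d) = Pt*G / (PL(d0) * (d/d0)**n)
    Setting Pr/N = SNRmin and solving for d gives
        d = d0 * (Pt*G / (SNRmin * N * PL(d0)))**(1/n)
    so range scales with (signal/noise)**(1/n): n=2 is free space, larger n
    stands in for obstructed terrain (an assumption, not from the article)."""
    snr_min_lin = 10 ** (snr_min_db / 10)
    pl0 = free_space_loss_lin(freq_hz, d0_m)
    ratio = tx_power_w * gains_lin / (snr_min_lin * noise_w * pl0)
    return d0_m * ratio ** (1 / path_loss_exp)


def compare_links(freq_hz=915e6, bandwidth_hz=100e3, snr_min_db=10.0,
                  path_loss_exp=3.5):
    """Three constructed scenarios (assumed values, not measurements):
    a 1 W ISM link in a quiet band, the same link after interference has
    raised the noise floor 20 dB (100x), and a licensed link at 100x the power."""
    thermal = thermal_noise_w(bandwidth_hz)
    scenarios = {
        "ism_1w_quiet":   (1.0,   thermal),
        "ism_1w_crowded": (1.0,   thermal * 100),
        "licensed_100w":  (100.0, thermal),
    }
    return {name: max_range_m(p, n, snr_min_db, freq_hz, path_loss_exp)
            for name, (p, n) in scenarios.items()}


if __name__ == "__main__":
    for name, d in compare_links().items():
        print(f"{name:16s} {d / 1000:7.2f} km")
```

Because range scales with the (1/n)-th root of the signal-to-noise ratio, the 100x power advantage of the licensed link buys 10x range in free space but only about 3.7x at an exponent of 3.5, and a 20 dB noise rise in the ISM band costs the same factor in the other direction.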

Increasing numbers of utilities are realizing the benefits of licensed spectrum. The Utilities Telecom Council, for example, is calling for the federal government to make 30 MHz of contiguous bandwidth available directly to utilities, as it did for the public safety community.

Look for evolving standards to be the next measure that influences the evolution of the smart grid. NIST is compiling a list of standards to be adopted to help drive better interoperability of equipment.

Also, the IEEE working group (P802.15) for wireless personal area networks is drafting an amendment for wireless smart metering utility networks, which promises to create interoperability standards for the next generation of smart grid equipment. The new standard will be known as 802.15.4G and will have provisions to support licensed and unlicensed radio equipment.


Marc Reed is director of communications engineering at Sensus. For more on communications technology, see the special section starting on page 18 of this issue.




Zpryme Reveals Smart Grid Numbers Through 2014


The major opportunities presented by smart grid development are not just for utilities, power marketers, energy producers, investors and venture capitalists. In 2014, 89 percent, or $152.3 billion, of the global smart grid market is projected to consist of devices, hardware, software and communications equipment. These products will form the infrastructure and critical communication systems that will build, link, monitor, manage and secure the smart grid. Not every hardware or software company will have the resources, technology or engineering expertise to compete in this market, but those with the resources and a flexible knowledge base should at least explore new product opportunities within the emerging smart grid market. See figures for more detailed numbers on the market and growth.





The Importance of Energy Management in the Evolving Smart Grid


Joel Gilbert, APOGEE Interactive Inc., and Paul Nagel, Control4 Energy Systems

Huge investments are being made throughout the energy industry to facilitate the smart grid rollout, including $3.4 billion in stimulus grants and $4.7 billion more in private funds. But for consumers, the arrival of the smart grid has brought with it a quagmire of acronyms, confusing bill changes and behavior shifts that have left many less than thrilled about modernizing the electrical grid. If consumers don’t embrace the technology, the return on the huge smart grid investments will never be realized.


Enter Home Area Network


The home area network (HAN) is the new buzzword in the energy industry and, in combination with the smart grid rollout, the HAN has the power to turn disenfranchised consumers into smart grid enthusiasts. As the name implies, the HAN is a residential local area network that is used for communication among smart devices in the home. But where are the users, the homeowners? They still are befuddled by their remotes and the tangle of wires to get their DVRs, TiVos, DVDs, VCRs, video game consoles and sound systems to work together. Will they embrace one more device in the home, or is this going to be another Pet Rock in the game of customer adoption?

To date, there have been several attempts to leverage the HAN to encourage consumers to take advantage of the smart grid: from refrigerator magnets that flash color-coded warnings to indicate shifts in energy costs to kilowatt counters that total energy consumption. These efforts have either failed or stalled relatively quickly as consumers lost interest and eventually forgot about the devices.


Engage Consumers in What’s Relevant to Them


The key to smart grid investment’s long-term success is to build a product that engages consumers every day while enabling them to take advantage of the programs the smart grid enables. One of the simplest ways is to ensure that the product isn’t a one-trick pony like the aforementioned counters or color warning systems. Leveraging the HAN technology allows energy management capabilities to be combined with other consumer interests in the home. A device that integrates energy management, entertainment, lifestyle and automatic device control is the kind of convergence necessary for a successful device. What if the same device that helps people in a medical emergency could also help manage their home’s energy consumption?

For example, the World Health Organization (WHO) estimates there will be 1.2 billion people older than 50 by 2025, and more than 59 million of them will use wearable home health devices that take advantage of the HAN to aid users in medical emergencies. Combining energy management capabilities with products and technology that consumers are already accessing daily ensures ongoing consumer engagement. Possibilities are endless.

Examples of this type of convergence already are happening across the technology universe. First, the iPod changed the portable music game, and now the iPhone has revolutionized consumer expectations for cell phone capabilities by integrating phone, data, GPS and entertainment on one device. Similarly, the Wii redefined the video game experience and opened a new range of interactive experiences. Now is the time to redefine the energy consumer interaction experience.


There is an App for That!


Just like an iPhone, the model for the future of energy management is a family of applications that addresses multiple customer pain points through one easy-to-use interface. The industry can address basic consumer questions about energy use: Where is the energy in my home going? How can I save money on my energy bill? How can I reduce energy use? How much can I save?

While the simple questions are being addressed with current technology, the foundation is being laid for a robust, thriving marketplace that allows consumers to customize their energy management experiences by layering in applications that solve other needs, as well. Delivering on this concept is what makes energy management fun, interactive and easy, thus ensuring ongoing consumer engagement and actual delivery on the smart grid promise.

Joel Gilbert is founder and chief software architect of APOGEE Interactive Inc.

Paul Nagel is vice president of business development at Control4 Energy Systems.

