nCipher Security Blog

Understanding the new NERC CIP standards and how they can improve security

John Grimm | Vice President of Strategy and Business Development More About This Author >

There is no doubt that increasing the security of our power infrastructure has been a priority over the past several years. The North American Electric Reliability Corporation (NERC), whose mission is to ensure the reliability of the Bulk Power System in North America, continues to advance cybersecurity standards with the introduction of Version 5 of its Critical Infrastructure Protection (CIP) standards.

By most accounts Version 5, currently pending approval by the Federal Energy Regulatory Commission (FERC), is a significant enhancement over the current Version 3. In fact the changes are significant and impactful enough that many believe the in-between, not-yet-in-effect Version 4 standards will never see the light of day. FERC has noted that NERC’s proposed Version 5 CIP standards represent an improvement over the current CIP Reliability standards, and extend the scope of systems protected by the CIP Reliability standards.

From a security perspective, Version 5 “ups the ante” on data protection, creating hard requirements for items that were previously only mentioned in guidelines. In order to better safeguard assets in certain situations, Version 5 of NERC CIP 005 (Cyber Security – Electronic Security Perimeter(s)) mandates the use of security techniques including encryption and strong authentication based on technologies such as Public Key Infrastructure. Encryption, which transforms data into an unusable form, has evolved over the years from niche usage to common practice and is a core component in data protection and IT security strategies. PKI too has become pervasive for many use cases, including authentication of users and systems as part of an access control strategy. In both cases, care must be taken to safeguard and manage associated private key material against compromise.

And although Version 5 primarily consists of updates to previous standards, it also includes a brand new standard, NERC CIP 011 (Cyber Security – Information Protection), focused on data security. The requirements in this standard specify the need to identify information in accordance with its sensitivity; to have procedures to protect and securely handle such information in storage, transit, and use; and tracking of encryption, deletion, or other means of preventing unauthorized retrieval of data.

As they are across many industries, our high assurance data protection solutions can be deployed to protect against threats to utility IT infrastructures and as part of a NERC CIP compliance strategy. Products such as Hardware Security Modules provide certified, tamper-resistant protection for critical keys and associated cryptographic processes – the high-value attack targets – associated with encryption and PKI. The increasing focus of the Version 5 standards on data protection mirrors today’s ever-escalating threat environment and focus on privacy, as well as the higher bar that is being set for critical national infrastructure protection.