Understanding the NERC-CIP Regulations for Critical Infrastructure Organizations, 2018

Understanding the NERC-CIP Regulations for Critical Infrastructure Organizations, 2018

The most significant threat is no longer threats to human lives or property from physical attacks—rather the threat lies in more covert warfare tactics, including cyber-attacks and attacks that can cripple, obstruct, or destroy operations within critical infrastructure facilities, such as utility companies, communications towers, ports, manufacturing facilities, or other critical services. In order to protect critical national infrastructure (CNI) entities from these more sophisticated attacks and ensure proper security postures, the North America Electric Reliability Corporation (NERC) has updated its Critical Infrastructure Protections (CIP) regulations to encourage CNI organizations to improve their security posture; protect their information and operational technology systems, networks, and physical assets; and plan for how to keep their networks and assets secure through a continually advancing technological environment. The NERC-CIP regulations provide specific guidance, requirements, and measures for CNI organizations to follow to protect their current assets, enforce proper security protocols and standards, plan for and respond to any security incidents accordingly, and ensure their assets remain protected from malicious actors.

Research Scope
This research service includes all of the NERC-CIP regulations as written by the NERC Organization, as well as the listed measurements and evidence required for critical infrastructure. Each CIP includes the specified requirements for each compliance category as well as types of documentation, evidence, and plans to show requirements have been met. This service also includes analyst insight into the specific tasks to be performed for each requirement and a clear listing of evidence types for CNI organizations to provide in order to show compliance. This service further details some of the key vendors offering compliance technology solutions, consulting expertise in NERC-CIP regulations, or both types of services for customers. This listing, however, is not exhaustive of all vendors in the market. Key information includes:

NERC-CIP listings for requirements 002-011, and CIP-014
Listing of CIP measurements to show compliance
History of the NERC Organization and the evolution of the requirements
Key changes to the NERC-CIP regulatory enforcement and raised security profiles for CNI organizations
Summary of requirement listings and key takeaways for CNI organizations
Listing of key vendors and specialization

Key Issues Addressed
What are the full regulatory requirements for NERC-CIP compliance?
What is the history behind the evolution of the NERC-CIP requirements?
What documentation, measurements, or evidence do critical infrastructure entities need to provide to show compliance?
Who are some of the key vendors who can help critical infrastructure customers reach full compliance?
What NERC-CIP requirements do these vendors’ solutions help customers to achieve?