NERC CIP Compliance
Updates, Enforcement and Practical Implementation
The North American Electric Reliability Corporation (NERC) is a non-profit organization tasked by the Federal Energy Regulatory Commission (part of the US Department of Energy) with ensuring the reliability of the North American electric power grid. Among its tasks are drafting and auditing standards for cyber security of the systems that monitor and control the grid. This set of standards is known as NERC CIP (Critical Infrastructure Protection). Compliance with the NERC CIP Reliability Standards requires NERC entities to adopt precise procedures and to verify their implementation. This white paper describes recent CIP requirements updates and illustrates how a NERC entity can utilize technological solutions to save time and resources assessing and managing its compliance with the primary parts of CIP.
What is NERC CIP Compliance Enforcement?
The process by which NERC issues sanctions and ensures mitigation of confirmed violations of mandatory NERC Reliability Standards.
Enforcement utilizes the following methods:
- Directives: NERC can issue directives to immediately address and deter new or further violations, irrespective of their presence or status (i.e., confirmed or alleged).
- Sanctions: Sanctioning of confirmed violations is determined pursuant to the NERC Sanction Guidelines and is based heavily upon the Violation Risk Factors and Violation Severity Levels of the standards requirements violated and the violations’ duration. NOTE: Entities found in violation of any standard must submit a mitigation plan for approval by NERC and, once approved, must execute this plan as
- Fines: NERC has authority to assess fines against non-compliant utilities in amounts up to $1,000,000 per violation and per day.