A new update is coming to the widely adopted NERC CIP standard family. As with earlier versions, NERC CIP-012-1 is concerned with cyber threat assessment, threat identification, and the security of the Bulk Electric System (BES).
The NERC CIP-012-1 standard adds security protection for real-time information exchanged between Control Centers. The real-time information that must be protected under NERC CIP-012-1 is Real-time Assessment and Real-time monitoring data.
This article explains the purpose, functionality, and requirements of the CIP-012-1. It also lists the institutions or personnel responsible for implementing NERC CIP-012-1.
NERC CIP-012-1
The NERC CIP-012-1 standard, Cyber Security – Communications between Control Centers, will take effect on July 1st, 2022.
The purpose of NERC CIP-012-1 is to protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted from one Control Center to another.
To achieve this purpose, Responsible Entities are required by the North American Electric Reliability Corporation (NERC) to implement specified security protections.
Responsible Entities, in general, are entities that own or operate a Control Center. The following entities are required to implement the NERC CIP-012-1 standard:
- Balancing Authority
- Generator Operator
- Generator Owner
- Reliability Coordinator
- Transmission Operator
- Transmission Owner
Exemptions from CIP-012-1
The entities listed below are exempt from implementing the Reliability Standard CIP-012-1:
- Cyber Assets at facilities that the Canadian Nuclear Safety Commission regulates.
- Cyber Assets associated with systems, structures, and components that the Nuclear Regulatory Commission regulates under a cyber security plan pursuant to 10 C.F.R. Section 73.54.
- A Control Center that transmits to another Control Center Real-time Assessment or Real-time monitoring data that pertains only to the generation resource or transmission station or substation co-located with the transmitting Control Center.
Creation of a Documented Plan or Plans for risk mitigation (R1): Under the NERC CIP-012-1 standard, Responsible Entities are to create one or more documented plans.
The documented plan is to contain the measures that mitigate the risks posed by unauthorized disclosure and unauthorized modification of Real-time Assessment and Real-time monitoring data while it is transmitted between applicable Control Centers.
This documented plan must include the following:
- Identification of the security protection used to mitigate the risks posed by unauthorized disclosure and unauthorized modification of Real-time Assessment and Real-time monitoring data transmitted between Control Centers.
- Identification of where the Responsible Entity applies that security protection to the transmission of Real-time Assessment and Real-time monitoring data between Control Centers.
- Information on the ownership and operation of the Control Centers. Where the Control Centers are owned or operated by different Responsible Entities, the responsibilities of each Responsible Entity must be clearly stated, in particular which entity applies the security protection to the exchange of Real-time Assessment and Real-time monitoring data between the Control Centers.
For a more detailed explanation of the requirements of the NERC CIP-012-1 standard, visit here. Requirement R1 is assigned [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]. Evidence for the required documented plan can also include a demonstration of how the documented plan is implemented.
Note: The evidence of the implemented CIP-012-1 standard may include but is not limited to documented plan(s) that meet the above requirements.
The Major Difference between CIP-012-1 and CIP-011-2
CIP-011-2 specifies controls for protecting high-impact information, while CIP-012-1 specifies protection for Real-time Assessment and Real-time monitoring data. High-impact information is information that could affect the functioning of the BES if it were stolen, used maliciously, or otherwise compromised.
The Compliance Monitoring process as it applies to CIP-012-1
Compliance Enforcement Authority (C.E.A.) refers to NERC or any other entity assigned by the appropriate government authority. The role of the C.E.A. is to monitor and enforce compliance with mandatory Reliability Standards within its jurisdiction.
The evidence retention period is the timeframe for which an entity must retain certain evidence to show compliance. There may be instances where the evidence retention period stated below is shorter than the time that has passed since the last audit. In such situations, the C.E.A. may ask the affected entity for evidence showing that it was compliant for the full period since the last audit.
The Responsible Entity may also be directed by the C.E.A. to retain certain evidence for longer than specified below.
Other than in the exceptional situations stated above, Responsible Entities must keep data or evidence to show compliance as listed below.
- All Responsible Entities must keep data or evidence for each requirement in the NERC CIP-012-1 standard for three calendar years.
- Where a Responsible Entity is found non-compliant, it shall keep information related to its non-compliance until mitigation is complete and approved, or for three years, whichever period is longer.
- The C.E.A. must keep the previous audit records and all the future requested and submitted audit records.
Compliance Monitoring and Enforcement Program: According to the NERC Rules of Procedure, the ‘Compliance Monitoring and Enforcement Program’ identifies the processes that will be used to evaluate data or information for the purpose of assessing performance against the associated Reliability Standard.
The measure used is the Violation Severity Level (V.S.L.), which indicates where and how a Responsible Entity failed to implement the associated Reliability Standard. For Reliability Standard CIP-012-1, there are three applicable Violation Severity Levels.
- Moderate V.S.L.: Applied when the Responsible Entity documented its plan but omitted one of the parts specified in R1.
- High V.S.L.: Applied when the documented plan created by the Responsible Entity omits two of the parts specified in R1.
- Severe V.S.L.: Applied in either of two scenarios.
  - Scenario A: the Responsible Entity did not document a plan for R1.
  - Scenario B: the Responsible Entity failed to implement any part of its documented plan, except under CIP Exceptional Circumstances.
ITEGRITI Can Help
Between cyber threats, technological change, and CIP compliance obligations, organizations often have difficulty keeping up. Recruiting, training, and retaining staff who can cope with the seemingly unending workload is difficult. That workload includes, but is not limited to, the CIP program, CIP audits, cybersecurity evaluations, and compliance assessments.
ITEGRITI can handle this and more on your behalf. With our background in cybersecurity compliance and audit, you will not have to worry about NERC audits and data requests, because our approach mirrors those processes. We work hand in hand with your employees while carrying out these tasks. For more information on our experience, tools, mode of operation, and capabilities, visit here.
Download our free NERC CIP Audit Field Guide for guidance and best practices for achieving positive audit results.