NERC Compliance is a mandatory legal requirement for companies and individuals that own or operate bulk electric systems (BES); its purpose is to keep these systems reliable in the face of natural and man-made threats. The CIP framework has 11 standards that BES operators, users, and owners have to meet, and one of them is CIP-003-7, which covers cyber security management.
In this article, you will learn what NERC Compliance for CIP-003-7 requires and how to ensure your company is compliant.
- Approval for cyber security policies
The first step towards passing a NERC CIP compliance audit is implementing the policies that make your company compliant. When forming policies for the CIP-003-7 standard, companies need to:
- Draw on their own operating conditions and management structure
- Create a comprehensive set of policies that cover High and Medium Impact BES Cyber Systems (BCSs) as well as Low Impact BCSs
- Frame security policies according to the impact ratings of the BCSs concerned
It is worth noting that companies should use the NERC guidelines only as a starting point for their security policies. Entities are encouraged to extend their policies to suit their specific needs; doing so is not a violation, and it demonstrates that the company takes compliance seriously.
- Implementation of a cyber security plan
CIP-003-7 requires companies maintaining Low Impact BCSs to cover five sections in their cyber security policies. They are as follows.
- Awareness: Entities using or maintaining Low Impact BCSs should conduct a cyber security awareness program every 15 months and retain records of it as evidence.
- Physical security controls: Entities must also control physical access to the locations of Low Impact BCSs and their associated controls, using measures such as access cards and fences.
- Electronic controls: Entities must also control electronic access, that is, the communication that reaches a Low Impact BCS.
- Incident response: Entities must have a plan for responding to a cyber security incident, and that plan must be tested every 36 months.
- Code transference risk mitigation: The transfer of malicious executable code into a BCS is a significant risk, and entities must devise plans to mitigate it.
- Find a CIP senior manager
This requirement has remained unchanged from the original CIP-003 through several revisions of the standard. Entities can comply by appointing an experienced and accountable individual to oversee the cyber security policy, the creation and tuning of internal controls, and the relationship with NERC and the Regions. This individual is also responsible for working with experts to form the company’s cyber security policy.
- Formalized delegation
Any delegation of authority by the CIP senior manager should be properly documented and formalized. It is recommended that entities write the job description for this role around its responsibilities rather than around a particular individual, so that the company can transition smoothly to a new manager if the current one leaves the role. Note that any change in delegation must be documented within 30 days of the change, so that no employee assumes authority that is undocumented.
NERC Compliance is mandatory, but it is also complicated. A lot goes into ensuring compliance, which is why relying on a trusted service provider to streamline the process is often recommended. A NERC CIP Compliance solutions company can help implement the plans needed to comply with the NERC CIP guidelines without your having to carry the whole burden yourself.