NERC CIP: two acronyms that, when placed together, strike fear into the heart of anyone who has been given the responsibility to abide by its requirements. NERC, North American Energy Reliability Corporation, is the entity in charge of developing and enforcing the standards used to ensure reliability of the North American bulk power systems.
There are many standards under NERC's umbrella, but if you are here reading this it is because you want to know more about CIP. CIP, Critical Infrastructure Protection, is the set of standards that relate specifically to the protection of the electrical control systems. The CIP standards are also a bit of a touchy topic for many, because some feel that NERC is not doing enough to protect the electrical grid. To anyone who has had to abide by the full set of NERC CIP standards this is hard to believe, since it requires a lot of work. I will not be debating the standards, although I feel that they are forcing many entities to take steps towards security, which is a good thing.
NERC CIP has been my life for the last year. As with the rest of my blog, the intent of this new period will be to share things I have learned to hopefully help everyone else trying to accomplish their work. Before we get started there are two tips I want to share.
1st - Compliance is not security and some things it requires will not make sense, but if it is required you must do it.
2nd - If you don't have evidence of something you did, you didn't do it. This is important to remember. A small portion of what you will do will be work; the other, large portion of it will be collecting evidence and documenting your work.
This is the first post of many. One area I will be focusing on is the infamous CIP-007. I will still be doing my posts on troubleshooting and such, but NERC CIP is a big part of my life now. So on to it.
For some good reading:
http://www.nerc.com/pa/CI/Comp/Pages/default.aspx