NERC CIP: two acronyms that, when placed together, strike fear into the heart of anyone who has been given the responsibility to abide by their requirements. NERC, North American Energy Reliability Corporation, is the entity in charge of developing and enforcing the standards used to ensure the reliability of the North American bulk power systems.
There are many standards under NERC's umbrella, but if you are here reading this it is because you want to know more about CIP. CIP, Critical Infrastructure Protection, is the set of standards that relate specifically to the protection of the electrical control systems. The CIP standards are also a bit of a touchy topic for many, because some feel that NERC is not doing enough to protect the electrical grid. To anyone who has had to abide by the full set of NERC CIP standards this is hard to believe, since it requires a lot of work. I will not be debating the standards, although I feel that they are forcing many entities to take steps towards security, which is a good thing.
NERC CIP has been my life for the last year. As with the rest of my blog, the intent of this new period will be to share things I have learned to hopefully help everyone else trying to accomplish their work. Before we get started, there are two tips I want to share.
1st - Compliance is not security, and some things it requires will not make sense, but if it is required you must do it.
2nd - If you don't have evidence of something you did, you didn't do it. This is important to remember. A small portion of what you will do will be work; the other, larger portion will be collecting evidence and documenting your work.
This is the first post of many. One area I will be focusing on is the infamous CIP-007. I will still be doing my troubleshooting posts and such, but NERC CIP is a big part of my life now. So on to it.
For some good reading: http://www.nerc.com/pa/CI/Comp/Pages/default.aspx