Genetec releases security system guide for utility companies
November 16, 2022 By SP&T Staff
Genetec Inc. has published a guide for utility companies on how to select a security system that supports compliance with the Critical Infrastructure Protection plan (CIP) of the North American Electric Reliability Corporation (NERC).
The 12 published NERC standards are aimed at regulating, enforcing, monitoring and managing the security of the Bulk Electric System (BES) in North America. A subset of the full guidance follows:
CIP-002-5.1a: Cybersecurity – management controls. The goal is to categorize different BES Cyber Systems based on potential impact levels to better understand how to manage vulnerabilities and protect assets while regularly maintaining and reviewing them. Genetec advises users to look for a security system that can provide an up-to-date breakdown of all connected devices and their statuses.
CIP-005-6: Cybersecurity – electronic security perimeter(s). This standard aims to secure access to BES Cyber Systems by keeping critical assets within a designated electronic security perimeter and closely monitoring them in case of suspicious activity. Organizations should ensure all security systems connected to the network infrastructure require secure authentication, encrypted communications, and role-based user permissions for access to critical assets.
CIP-008-6: Cybersecurity – incident reporting and response planning. For compliance purposes, the guide advises organizations to put in place procedures to identify, classify, and respond to cybersecurity incidents and keep complete records of the incident and management process to report to the Electricity Information Sharing and Analysis Center (E-ISAC) for forensic analysis.
CIP-013-1: Cybersecurity – supply chain risk management. Genetec’s guide says utilities should aim to develop a plan to identify and assess risk to the BES posed by vendor products or services. It’s important to ensure all critical vendors that support the smooth functioning of the BES have clear cybersecurity guidelines in place that will not put the BES at risk. Utilities should also ensure system providers do not have access to their systems by default without consent, particularly in system-to-system remote access.