Back to basics

Critical Infrastructure Protection (CIP): Security problems exist despite compliance

North America's bulk power system is required to adhere to CIP standards, but compliance doesn't mean critical assets are completely safe.

In 2013, the Federal Energy Regulatory Commission (FERC) approved changes and additions to Critical Infrastructure Protection (CIP) Reliability Standards, also known as CIP v5, which are a set of requirements for securing the assets responsible for operating the bulk power system.

CIP is just one of 14 mandatory North American Electric Reliability Corporation (NERC) standards that are subject to enforcement in the U.S. However, it gets a good deal of attention because this regulation is centered on the physical security and cybersecurity of assets deemed to be critical to the electricity infrastructure. Within CIP, there are eleven reliability standards currently subject to enforcement under CIP v5, but there are plans to introduce more in the future.

Obtaining compliance under CIP is more about policy and procedure than technology. The firms that help the responsible entities achieve CIP compliance aren't widely known to the public. Because cybersecurity requirements for the energy sector are so new, there isn't a lot of competition.

Most of the consultancies in this space have rarely strayed outside of critical infrastructure. They're specialized, and have a lot of institutional knowledge and previous experience with these types of systems. Some well-known commercial vendors are working in the space too, but most only sell products that address certain needs under CIP.

After talking with several experts and those familiar with CIP, as well as reading all of the NERC documentation, one thing became clear: CIP isn't about technical controls. If technical controls are considered, such as an IP camera or a firewall, the effectiveness of said control doesn't really come up.

To continue reading this article register now

Microsoft's very bad year for security: A timeline