NERC Critical Infrastructure Protection BAW Architecture

NERC Critical Infrastructure Protection


If your industry must comply with NERC Critical Infrastructure Protection requirements, BAW has the expertise and experience to help you design a new or remodeled control center while protecting your operational assets and control center infrastructure in line with the applicable standards and regulations.

The North American Electric Reliability Corporation (NERC) is a regulatory authority whose mission is to reduce risks to the reliability and security of the grid, which serves more than 334 million people. Its Critical Infrastructure Protection (CIP) standards are a set of requirements designed to secure the assets needed to operate North America’s bulk electric system. Threats to this system range from natural events such as hurricanes or downed trees to cyber threats, including terrorist acts and the exploitation of software vulnerabilities. Contact us to learn more.

A Brief History of NERC

NERC’s requirements became mandatory and punishable by fine through the Energy Policy Act of 2005. Mandatory compliance was Congress’s response to the great Northeast Blackout of 2003, which was caused by a software bug in an alarm system in a control room in Akron, Ohio (among other contributing causes). What should have been a manageable local blackout cascaded into the collapse of the electric grid throughout the Northeast region. The outage lasted more than two days, affected 55 million people, contributed to nearly 100 deaths, and was estimated to have cost $7 to $10 billion in lost economic output.

The mandatory standards are intended to protect the bulk power system against compromises or situations that could lead to mis-operation or instability. Fines for non-compliance can reach $1M per day per violation, so compliance is a significant and costly requirement that must be gotten right. NERC recently levied a $10M fine on a utility for CIP compliance lapses between 2015 and 2018.

One of the broad areas that must be addressed to improve grid resilience is the physical security design required for the utility’s operations. A control center is one of the assets the NERC CIP regulations are designed to address. A new or redesigned control center or data center for an electric utility must satisfy specific requirements in each of these areas: Physical Security Design, Cabling Design, Network Infrastructure Design, and Visitor Control.

Physical Security Design

CIP-006-6 R1.1: Restrict physical access (e.g. room protected by badge) to the Physical Access Control System (e.g. badging servers, panel, & workstations)

CIP-006-6 R1.2: One physical access control for access into physical security perimeters surrounding Medium Impact BES Cyber Systems with External Routable Connectivity (including Medium Impact Control Centers)

CIP-006-6 R1.3: Two factor authentication into physical security perimeters for High Impact BES Cyber Systems

CIP-006-6 R1.4: Monitor for unauthorized access (forced door alarms, broken glass, etc.)

CIP-006-6 R1.5: Alert to named physical security personnel within 15 minutes (usually this is immediately performed)

CIP-006-6 R1.6: Monitor the Physical Access Control System for unauthorized access

CIP-006-6 R1.7: Alert to named physical security personnel within 15 minutes (usually this is immediately performed)

CIP-006-6 R1.8: Log individual entry with date & time

CIP-006-6 R1.9: Log retention for 90 days

Cabling Design

CIP-006-6 R1.10: Protect cabling between physical security perimeters (local area network cabling is usually protected via conduit or armored cabling; wide area network cabling is usually protected via encryption)

Network Infrastructure Design

TOP-001-4 R20: Redundant and diversely routed data communication infrastructure within the primary control center (best practice: mirror the diversely routed infrastructure design at the backup control center)

Visitor Control

CIP-006-6 R2.1: Provide continuous visitor escort within the Physical Security Perimeter (consider designs and floor plans to allow for clear line of sight)

CIP-006-6 R2.2: Visitor logging (usually visitor logs are posted at each entry point of the physical security perimeter)

CIP-006-6 R2.3: Retain visitor logs for at least 90 days

BAW Architecture is proud to partner with expert consultants in the energy and utilities industries so that we can provide our clients with the expertise they need to address the specific NERC CIP regulations. Contact us today to learn more.
