RESEARCH REPORT

In brief

In brief

  • Cyber defenses continue to improve—and cyber threats continue to advance.
  • NERC has issued a draft critical infrastructure protection (CIP) standard to protect control center communications.
  • Utilities can successfully achieve CIP-012-1 compliance by taking three steps.

As recent research shows, the good news is that cyber defenses continue to improve. The bad news is that cyber threats continue to advance as well. To that end, the North American Electric Reliability Corporation (NERC) has issued a critical infrastructure protection (CIP) standard in draft form that requires utilities to devise cybersecurity protections for control center communications. It is important to get ahead of all NERC CIP requirements. In particular, achieving CIP-012-1 compliance is important for utilities seeking to protect their control centers. Three specific forward-looking actions can help.

Understanding the impact

CIP-012-1 compliance requires responsible entities to meet a mix of technical and people-centered requirements. Technical stipulations include the identification of the utility’s control centers, their respective data centers, all real-time data links between control centers, all demarcation points, the security controls employed to protect data, and critical roles and responsibilities. Utilities also need to identify the personnel required for ongoing management and process governance for CIP-012-1. Key positions include the ongoing management of affected operating technology and information technology (OT/IT) support staffs, especially the network engineers and data engineers, developers, administrators, as well as communications and data link support personnel.

Addressing potential challenges

CIP-012-1, which covers communications between in-scope industry control centers, applies to all impact levels, whether high, medium or low. To help responsible entities correctly identify facilities where CIP-012-1 requirements apply, NERC is proposing a new glossary definition of the term “control centers.” While the NERC CIP glossary will define a control center, the actual perceived limiting factors regarding what it includes or omits could lead to competing definitions. Three ways to overcome these and other CIP-012-1 compliance challenges involve understanding the scope of the plan, choosing the right partners, and making several production changes.

Identifies which data connections are in-scope control center communications and which are out-of-scope control center communications for NERC CIP-012-1 compliance.

Next steps

As any track star knows, a good start can provide the momentum to win at the finish line. Utilities can successfully achieve CIP-012-1 compliance if they:

  • Develop a strategy: take a comprehensive approach to the strategy so that it considers a responsible entity’s strengths and weaknesses.
  • Mobilize the CIP-012-1 team: assemble and empower the team and work to ensure the sustainability of the program from the outset.
  • Plan for sustainability from the start: design appropriate controls, redesign circuit provisioning processes in alignment with change control processes, and standardize all evidence-gathering processes and tooling while orchestrating and converting them to appropriate formats.

About the Authors

Gilbert Sorebo

Senior Manager – Accenture Security

James Wright

Senior Manager – Accenture Security

Thomas Ryan

Principal Director – Utilities, Accenture Consulting

Jamie Bass

Managing Director – Accenture Security

MORE ON THIS TOPIC

Sustainable NERC CIP compliance

Cyber Resilience Business

Sustainable NERC CIP compliance

NERC CIP supply chain cybersecurity

Cyber Resilience Business

NERC CIP supply chain cybersecurity

Build confidence with sustainable NERC CIP program

Cyber Resilience Business

Build confidence with sustainable NERC CIP program

Subscription Center
Stay in the Know with Our Newsletter Stay in the Know with Our Newsletter
Subscribe