2012 Software


NERC CIP Compliance

The North American Electric Reliability Corporation (NERC) is the electric reliability organization (ERO) certified by the Federal Energy Regulatory Commission (FERC) to establish and enforce reliability standards for the North American bulk power system. Its mission is to ensure the reliability of that system; the CIP standards are the subset of its reliability standards that address the cyber and physical security of the assets that operate it.

Registered owners, operators, and users of the bulk power system must comply with the nine mandatory NERC CIP (Critical Infrastructure Protection) standards, both to protect the bulk power system and to avoid substantial penalties for non-compliance. Compliance and enforcement became mandatory under the Energy Policy Act of 2005, and penalties can reach $1 million per day per violation.


NERC CIP Reliability Standards

NERC has adopted the following nine Critical Infrastructure Protection (CIP) reliability standards, covering cyber and physical security, with which NERC registered entities must comply.

CIP-001 Sabotage Reporting
Procedures for recognizing sabotage events on the entity's facilities, making operating personnel aware of them, and communicating them to the appropriate parties, governmental agencies, and regulatory bodies.

CIP-002 Critical Cyber Asset Identification
Identify Critical Assets using a documented risk-based assessment methodology, then identify the Cyber Assets essential to the operation of those Critical Assets as Critical Cyber Assets. The methodology and both lists are reviewed and approved by a senior manager at least annually.

CIP-003 Security Management Controls
Document and implement a cyber security policy for the protection of Critical Cyber Assets, assign a senior manager with overall responsibility for it, document any exceptions to the policy, protect information about Critical Cyber Assets and control who may access that information, and operate change control and configuration management for Critical Cyber Assets.

CIP-004 Personnel & Training
A security awareness program, role-based cyber security training before access to Critical Cyber Assets is granted and at least annually thereafter, personnel risk assessments for staff with such access, and maintenance of access lists with prompt revocation when access is no longer needed.

CIP-005 Electronic Security Perimeter(s)
Every Critical Cyber Asset must reside within an Electronic Security Perimeter (ESP), with all access points identified and the following in place:
Enabling only the ports and services required for operations and monitoring at the access points, with everything else disabled
Monitoring and logging of electronic access at the access points 24 hours a day, 7 days a week, with alerts on unauthorized access attempts
A cyber vulnerability assessment of the access points at least annually
Documentation of the ESP and its controls, updated after any network change

CIP-006 Physical Security of Critical Cyber Assets
A physical security plan placing every Critical Cyber Asset within a Physical Security Perimeter, with documented and implemented physical access controls, monitoring and logging of physical access, visitor control, and testing and maintenance of the physical security systems.

CIP-007 Systems Security Management
Controls for the Cyber Assets inside the ESP: test procedures for changes, enabling only the ports and services required for normal and emergency operation, security patch management, malware prevention, account management, disposal or redeployment procedures, and security status monitoring with automated alerts to designated personnel and logs retained for 90 calendar days.
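The ports-and-services and monitoring items under CIP-005 and CIP-007 reduce to a deny-by-default baseline: every listening port or service on an access point or on a Cyber Asset inside the ESP is either documented with a justification or disabled, and the documentation is kept current when the network changes. The following Python script is an added example, not code from the original page or from NERC; it compares a documented baseline against an observed inventory of listening sockets and flags undocumented listeners, stale baseline entries, and assets whose documentation has not been updated within a window. The asset names, ports, justifications, dates and the 90-day window are constructed for illustration; in practice the inventory would come from a port scan or host audit of the real assets.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative parameter (assumption for this example): how long after a
# network change the baseline documentation may lag before the gap is flagged.
DOC_UPDATE_WINDOW = timedelta(days=90)


@dataclass(frozen=True, order=True)
class Service:
    proto: str  # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class BaselineEntry:
    service: Service
    justification: str  # why the port/service is needed for operations or monitoring


@dataclass(frozen=True)
class Finding:
    asset: str
    service: Service | None  # None for asset-level (documentation) findings
    severity: str  # "high", "medium" or "low"
    message: str


def parse_inventory(text: str) -> dict[str, set[Service]]:
    """Parse constructed inventory lines of the form '<asset> <proto> <port> <process>'."""
    inventory: dict[str, set[Service]] = {}
    for line in text.strip().splitlines():
        asset, proto, port, _process = line.split()
        inventory.setdefault(asset, set()).add(Service(proto.lower(), int(port)))
    return inventory


def check_baseline(baseline: dict[str, list[BaselineEntry]],
                   observed: dict[str, set[Service]],
                   last_documented: dict[str, date],
                   today: date) -> list[Finding]:
    """Compare observed listeners with the documented baseline, deny by default."""
    findings: list[Finding] = []
    for asset in sorted(set(baseline) | set(observed)):
        allowed = {entry.service for entry in baseline.get(asset, ())}
        seen = observed.get(asset, set())
        unapproved = sorted(seen - allowed)  # listening, but nobody has justified it
        stale = sorted(allowed - seen)       # documented, but nothing is listening
        for svc in unapproved:
            findings.append(Finding(asset, svc, "high",
                "listening but not in the documented baseline: disable it or document a justification"))
        for svc in stale:
            findings.append(Finding(asset, svc, "low",
                "documented but not listening: baseline entry may be stale"))
        doc_date = last_documented.get(asset)
        if doc_date is None:
            findings.append(Finding(asset, None, "medium", "no baseline documentation on record"))
        elif (unapproved or stale) and today - doc_date > DOC_UPDATE_WINDOW:
            findings.append(Finding(asset, None, "medium",
                f"deviations present and baseline last documented {doc_date.isoformat()}, "
                f"more than {DOC_UPDATE_WINDOW.days} days ago"))
    return findings


# Constructed sample data for the example (not from any real entity).
BASELINE = {
    "esp-ap-01": [  # ESP access point (firewall)
        BaselineEntry(Service("tcp", 22), "management SSH from the EMS jump host only"),
        BaselineEntry(Service("tcp", 443), "TLS-wrapped ICCP link to the neighbouring control centre"),
    ],
    "hist-01": [  # historian inside the ESP
        BaselineEntry(Service("tcp", 443), "historian web API for operator displays"),
        BaselineEntry(Service("tcp", 5432), "historian database replication to the DR site"),
    ],
}

OBSERVED = """
esp-ap-01 tcp 22 sshd
esp-ap-01 tcp 443 iccpgw
esp-ap-01 tcp 23 telnetd
hist-01 tcp 443 nginx
hist-01 udp 161 snmpd
scada-ws-07 tcp 3389 termsrv
"""

LAST_DOCUMENTED = {"esp-ap-01": date(2012, 4, 20), "hist-01": date(2011, 12, 1)}


def run_example(today: date = date(2012, 6, 1)) -> list[Finding]:
    """Run the check over the constructed baseline and inventory."""
    return check_baseline(BASELINE, parse_inventory(OBSERVED), LAST_DOCUMENTED, today)


if __name__ == "__main__":
    for f in run_example():
        target = f"{f.service.proto}/{f.service.port}" if f.service else "-"
        print(f"{f.severity:6} {f.asset:12} {target:9} {f.message}")
```

Run as a script it prints one line per finding; to use it on your own assets, feed parse_inventory the output of a scan or host audit reshaped into the same "asset proto port process" lines. The "high" findings are the ones that need either a disable action or a baseline entry with a justification before the next assessment; the "medium" findings point at documentation that has fallen behind the network.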

CIP-008 Incident Reporting & Response Planning
A Cyber Security Incident response plan that defines how incidents are classified, handled, and reported, with reportable incidents reported to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC); the plan is reviewed and tested at least annually, and incident records are retained.

CIP-009 Recovery Plans for Critical Cyber Assets
Recovery plans for Critical Cyber Assets, exercised at least annually, with documented backup and restore procedures and periodic testing of backup media.


Compliance Registry & Registration

All bulk power system owners, operators, and users are required to register with NERC. The NERC Compliance Registry is a listing of all organizations that are subject to compliance with the approved reliability standards. NERC provides notice of registration to all organizations included on the NERC Compliance Registry. The process for registration is included in the NERC Rules of Procedure, Section 500.

NERC has developed a Statement of Compliance Registry Criteria that sets out the criteria NERC uses to determine which organizations should be registered as owners, operators, or users of the bulk power system. In particular, the statement gives criteria for smaller or relatively isolated organizations acting as load-serving entities, distribution providers, generation owners, generation operators, transmission owners, or transmission operators.

The Multi-Regional Registered Entity (MRRE) process is a voluntary process for registered entities that are registered in more than one NERC region. It allows the entity to work with a single Regional Entity as its compliance enforcement authority for all Compliance Monitoring and Enforcement Program (CMEP) activities, which improves the allocation of compliance resources for NERC, the Regional Entities, and the Registered Entities while maintaining the reliability of the bulk power system.

NERC Violations & Security Levels

Under the Energy Policy Act of 2005, compliance with NERC Reliability Standards is mandatory and enforceable, and penalties can reach $1 million per day per violation.

NERC compliance Violation Severity Levels (VSLs) define the degree to which compliance with a requirement was not achieved. Each requirement must have at least one VSL. While it is preferable to have four VSLs for each requirement, some requirements do not have multiple degrees of noncompliant performance and may have only one, two, or three VSLs.

Lower VSL - The performance or product measured almost meets the full intent of the requirement.

Moderate VSL - The performance or product meets the majority of the intent of the requirement.

High VSL - The performance or product does not meet the majority of the intent of the requirement, but does meet some of the intent.

Severe VSL - The performance or product does not meet the intent of the requirement.

FERC indicated it would use the following four guidelines for determining whether to approve VSLs:

Guideline 1: Violation Severity Level Assignments Should Not Have the Unintended Consequence of Lowering the Current Level of Compliance.
Compare the VSLs to any prior Levels of Non-compliance and avoid significant changes that may encourage a lower level of compliance than was required when Levels of Non-compliance were used.

Guideline 2: Violation Severity Level Assignments Should Ensure Uniformity and Consistency in the Determination of Penalties.
A violation of a "binary" requirement (one that is either met or not met) must be assigned the Severe VSL. Do not use ambiguous terms such as "minor" and "significant" to describe non-compliant performance.

Guideline 3: Violation Severity Level Assignment Should Be Consistent with the Corresponding Requirement.
VSLs should not expand on what the requirement itself requires.

Guideline 4: Violation Severity Level Assignment Should Be Based on a Single Violation, Not on a Cumulative Number of Violations.
Unless otherwise stated in the requirement, each instance of non-compliance with a requirement is a separate violation. Section 4 of the Sanction Guidelines states that assessing penalties on a per-violation, per-day basis is the default for penalty calculations.

NERC Regions & Regional Entities

NERC works with eight regional entities. The members of the regional entities come from all segments of the electric industry. These entities account for virtually all the electricity supplied in the United States, Canada, and a portion of Baja California.

Florida Reliability Coordinating Council (FRCC)
Midwest Reliability Organization (MRO)
Northeast Power Coordinating Council (NPCC)
ReliabilityFirst Corporation (RFC)
SERC Reliability Corporation (SERC)
Southwest Power Pool Regional Entity (SPP RE)
Texas Reliability Entity (Texas RE)
Western Electricity Coordinating Council (WECC)

NERC System Operator Certification

The NERC System Operator Certification Program awards certification credentials for operators that demonstrate sufficient knowledge relating to NERC reliability standards and the basic principles of bulk power system operations by passing one of four specialty examinations. A NERC certificate is valid for three years. The NERC certificate is maintained through the use of approved continuing education credits.

There are four specialty examinations:

Reliability Operator Exam

Balancing and Interchange Operator Exam

Transmission Operator Exam

Balancing, Interchange & Transmission Operator Exam