The 8 Fundamental Requirements of NERC Compliance
The fundamental standards and sub-standards under NERC compliance specify the requirements that organizations and utilities must abide by to identify critical assets, create control mechanisms, enforce logical and physical security of their systems, and recover assets affected by a cybersecurity incident.
Listed below are the fundamental requirements that you must take into consideration.
BES Cyber System Categorization
This NERC CIP compliance standard identifies and categorizes BES Cyber Systems. Its goal is to ensure that these assets are protected from compromises that could lead to faulty operation or BES instability.
The categorization grades BES Cyber Systems according to the impact that an interruption would have on the reliable supply of electricity.
Security Management Controls
Security management controls aim to establish clear accountability for protecting North American BES Cyber Systems. You achieve accountability by delegating authority and identifying a senior manager who develops the policies and rules behind sustainable security management controls. This standard also includes provisions for handling emergencies.
Personnel and Training
This standard focuses on the training of staff and contractors. It works to reduce the exposure of the BES to cyber risks originating from personnel. Training covers cybersecurity awareness, risk management, and access control management. A compliance management solution may also supplement employee training.
Electronic Security Perimeters
The objective of this standard is to protect BES Cyber Systems from instability and poor operation. It also addresses control of network access to all critical assets. Entities are required to create an Electronic Security Perimeter (ESP) around their Cyber Assets, forming a virtual boundary through which data flows and can be monitored.
Assets located outside such a perimeter must enter the network through a designated Electronic Access Point (EAP). Entities should monitor and maintain their network segments, employ data encryption, and control remote access by vendors and third parties.
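The EAP requirement above is easiest to reason about as an audit question: does any permitted path into the ESP avoid the Electronic Access Point, accept arbitrary sources, or go unlogged? The following is an added example, not code from the original article or from NERC: it checks a constructed, hypothetical firewall rule set against an ESP defined as two subnets whose only permitted entry is the interface named EAP_INTERFACE. The rule format, subnet values and interface names are assumptions for illustration.

```python
"""Added example: audit a constructed firewall rule set against an
Electronic Security Perimeter (ESP) definition.

Assumptions (hypothetical, not from the article): the ESP consists of the
subnets in ESP_SUBNETS, every permitted path into the ESP must arrive on the
Electronic Access Point interface EAP_INTERFACE, and rules are simple dicts.
"""
import ipaddress

ESP_SUBNETS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("10.20.1.0/24"),
]
EAP_INTERFACE = "eap0"

# Constructed sample rules in a hypothetical format (not from a real device).
SAMPLE_RULES = [
    {"id": 1, "action": "permit", "iface": "eap0",  "src": "10.50.0.10/32", "dst": "10.20.0.5/32", "port": 443,  "log": True},
    {"id": 2, "action": "permit", "iface": "corp0", "src": "10.50.0.0/16",  "dst": "10.20.1.0/24", "port": 22,   "log": False},
    {"id": 3, "action": "permit", "iface": "eap0",  "src": "0.0.0.0/0",     "dst": "10.20.0.0/24", "port": 502,  "log": True},
    {"id": 4, "action": "permit", "iface": "eap0",  "src": "10.50.0.10/32", "dst": "10.20.0.7/32", "port": 3389, "log": False},
    {"id": 5, "action": "deny",   "iface": "corp0", "src": "0.0.0.0/0",     "dst": "10.20.0.0/24", "port": None, "log": True},
]


def enters_esp(dst_cidr):
    """True if the destination range overlaps any ESP subnet."""
    dst = ipaddress.ip_network(dst_cidr)
    return any(dst.overlaps(subnet) for subnet in ESP_SUBNETS)


def audit_rules(rules):
    """Return (rule id, finding) pairs for permit rules that reach the ESP.

    Three conditions are flagged: the rule does not traverse the EAP
    interface, the rule accepts any source address, or the rule is not logged
    (so the ESP boundary is not being monitored for that traffic).
    """
    findings = []
    for rule in rules:
        if rule["action"] != "permit" or not enters_esp(rule["dst"]):
            continue  # deny rules and traffic outside the ESP are out of scope
        src = ipaddress.ip_network(rule["src"])
        if rule["iface"] != EAP_INTERFACE:
            findings.append((rule["id"], "enters the ESP without traversing the EAP"))
        if src.prefixlen == 0:
            findings.append((rule["id"], "permits any source address into the ESP"))
        if not rule["log"]:
            findings.append((rule["id"], "inbound ESP access is not logged"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_rules(SAMPLE_RULES):
        print(f"rule {rule_id}: {finding}")
```

Rule 1 passes all three checks; the others illustrate the failure modes the standard is concerned with. On a real deployment the rule list would be exported from the perimeter device and the ESP subnets taken from the entity's asset inventory.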
Physical Security of BES Cyber-Systems
This NERC compliance standard addresses the physical and operational controls that make up a physical security plan, a maintenance and testing program, and a visitor control program.
The physical security plan restricts physical access through documented operational and procedural controls. The maintenance and testing program sets standards for testing all Physical Access Control Systems (PACS), including the Physical Security Perimeter, once every two years. The visitor control program lays down the guidelines for managing visitors.
System Security Management
This standard describes the technical, operational, and procedural elements used to secure systems within Electronic Security Perimeters (ESPs), covering both critical and non-critical Cyber Assets. These elements include security patch management, ports and services, malicious code prevention, security event monitoring, and system access controls.
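The "ports and services" element above is normally implemented as a baseline: each BES Cyber Asset has a documented list of network-accessible listening ports it needs, and anything else is a deviation. The following is an added example, not code from the original article or from NERC, showing one way to compare such a baseline with a listing of open sockets. The approved-port table and the `ss -tuln`-style output are constructed sample data, not captured from a real system; listeners bound only to loopback are skipped because they are not reachable over the network.

```python
"""Added example: compare a constructed ports-and-services baseline for one
hypothetical BES Cyber Asset against constructed `ss -tuln`-style output and
report network-accessible listeners that are not on the approved list.
"""

# Constructed baseline (assumed, not from the article): (protocol, port) -> justification
APPROVED_PORTS = {
    ("tcp", 22): "SSH - administrative access via the EAP jump host",
    ("tcp", 502): "Modbus/TCP - SCADA polling",
    ("udp", 123): "NTP - time synchronisation",
}

# Constructed sample in the column layout of `ss -tuln` (not a real capture).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:502       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      64     127.0.0.1:9090    0.0.0.0:*
tcp   LISTEN 0      128    [::]:80           [::]:*
udp   UNCONN 0      0      0.0.0.0:123       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*
"""


def parse_listeners(text):
    """Parse ss-style output into (protocol, bind address, port) tuples.

    The first line is the column header and is skipped. IPv6 addresses are
    printed in square brackets, which are stripped after splitting off the port.
    """
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)
        listeners.append((proto, addr.strip("[]"), int(port)))
    return listeners


def network_accessible(addr):
    """Loopback-only listeners are not reachable from the network."""
    return not (addr.startswith("127.") or addr == "::1")


def find_unapproved(text, approved=APPROVED_PORTS):
    """Return network-accessible listeners absent from the approved baseline."""
    return [
        (proto, addr, port)
        for proto, addr, port in parse_listeners(text)
        if network_accessible(addr) and (proto, port) not in approved
    ]


def find_missing(text, approved=APPROVED_PORTS):
    """Return approved services that are not currently listening (informational)."""
    open_ports = {(proto, port) for proto, _, port in parse_listeners(text)}
    return sorted(key for key in approved if key not in open_ports)


if __name__ == "__main__":
    for proto, addr, port in find_unapproved(SAMPLE_SS_OUTPUT):
        print(f"unapproved listener: {proto} {addr}:{port}")
    for proto, port in find_missing(SAMPLE_SS_OUTPUT):
        print(f"approved but not listening: {proto}/{port}")
```

In the sample, telnet (23/tcp), HTTP on IPv6 (80/tcp) and SNMP (161/udp) are reported as deviations, while the loopback-bound port 9090 is not. The justification strings in the baseline are the documentation an auditor would expect to see beside each approved port.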
Incident Reporting and Response Planning
This standard prepares entities for cyber incidents and provides guidelines for responding to them through a cybersecurity incident response plan. It also covers the classification, identification, response, reporting, and documentation of incidents involving critical cybersecurity assets.
Recovery Plans for BES Cyber-Systems
The recovery plans for BES Cyber Systems address how entities recover from cybersecurity incidents that have affected the functioning of those systems. The standard requires that a recovery plan be in place and that all entities follow it for disaster recovery and business continuity.
The elements of this standard specify when the plan should be activated and who is responsible for doing so. They also specify how the plan is tested and how it is updated over time.
All the standards listed above play a vital role in NERC compliance and in keeping business practices running smoothly within the organization. Beyond acting as a check, they also require entities to adjust their operations whenever the standards call for it.