NERC CIPC Electricity Sector Security Guidelines report

This report displays NERC CIPC Violations issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.

Why it matters

Presidential Decision Directive 63 (PDD-63), "Protecting America's Critical Infrastructures," officially identifies electricity as a critical infrastructure. PDD-63 calls for a framework for cooperation within individual infrastructure sectors and with government for the vital mission of protecting critical infrastructures. The U.S. Department of Energy is the lead agency for the energy sectors, and has designated the North America Electric Reliability Council (NERC) as the Sector Coordinator for the Electricity Sector. NERC has issued security guidelines to help industry companies evaluate their own risks and exposures to vulnerabilities and perceived threats. Perpetrators include insiders and outsiders whose actions might be cyber or physical in nature.

Cyber - Access Control

Effective access controls are critical for protecting electronic information systems and services that support and maintain the electric infrastructure. Anyone who owns or manages information systems or services that support the Electric Infrastructure should have documented policies and procedures in place to manage authorization, authentication, and monitoring of logical and physical access to such information systems and services. This documentation should clearly define roles and responsibilities, procedures for establishing authorization, and the methods you select for authentication and monitoring.

This guideline is applicable to anyone who owns or manages information systems or services that support the electric infrastructure.

Cyber -- Intrusion Detection

To implement and maintain a successful cyber intrusion detection program requires a proactive, ongoing effort. As technology changes, so do the tools used for network attacks. It is imperative that IT organizations remain current with changes in technology to understand new attack methods and tools, and to those attacks when they occur. Early detection is essential and staffing at the 24x7 level should be considered. Automated monitoring alarms that initiate alerts tied to pager, email, or voice messaging systems also should be considered.

This guideline is applicable to anyone who owns or manages information systems or services that support the electric infrastructure.

Cyber -- Securing Remote Access

Electronic Control and Protection Systems (ECPS) control the systems that generate, transmit, and distribute electricity. For business reasons, it is necessary to provide a means for users to remotely access ECPS. Remote Access to these systems might require special considerations for security. Unauthorized Remote Access to an ECPS might result in interruption of electric service, damage to the elements of the electric grid, or a danger to life and property. ECPS vendors and other support personnel increasingly use Remote Access tools such as pcAnywhere, telnet, and FTP for support purposes directly over the Internet to the internal controls networks. As a result, it is critical to preserve the security of the Remote Access to the ECPS. Authentication of the user is a critical element of the security policy.

This guideline is applicable to anyone who owns, manages, or maintains ECPS or services that support the Critical Electric Infrastructure.