By Jay Palter | July 6, 2023
Electricity has been essential for over a century in major North American cities. It has been used in even the most remote rural regions for over fifty years. It only took a few decades for governments and those electrical utilities to realize just how essential this one-time novel service had become to businesses and citizens everywhere.
Today, the mission of the North American Electric Reliability Corporation (NERC) is to ensure the safety and security of the power grid across North America. While only in its current form since 2006, predecessor organizations to NERC have been around since the mid-twentieth century.
NERC has established comprehensive physical and cybersecurity standards for the North American power grid. And while many utilities and other organizations involved in the power industry have done an excellent job protecting their portions of the grid, sometimes basic physical security practices have slipped through the cracks. Among the most common we’ve seen are physical key and equipment management.
This article explores what is in the NERC Critical Infrastructure Protection (CIP) plan, what smart key and asset management systems are, and how those systems can help organizations better meet the standards established in the NERC CIP.
What is NERC CIP?
The North American Electric Reliability Corporation Critical Infrastructure Protection plan (NERC CIP) is a set of standards for regulating, enforcing, monitoring, and managing the security of North America’s Bulk Electric System (BES)—the power grid. CIP standards specifically address the cybersecurity and physical security needs of properly maintaining the power grid. They establish a framework for identifying and safeguarding critical electrical grid assets whose compromise would impact the electricity supply across North America.
Under NERC CIP standards, any organization or other entity significantly influencing the power grid’s reliability is subject to governance. These standards carry the “force of regulation,” meaning they are legally mandated within their jurisdictions, which include the United States, several Canadian provinces, including British Columbia, and one Mexican state. NERC compliance is mandatory for all entities falling within the scope of NERC CIP.
What is NERC compliance?
NERC compliance helps guarantee the reliable and uninterrupted delivery of electricity. NERC has established the Compliance Monitoring and Enforcement Program to help enforce compliance. This program diligently monitors, evaluates, and enforces the standards compliance of covered entities, primarily through NERC compliance audits and random inspections.
All covered entities in North America are obligated to adhere to NERC compliance standards. Non-compliance can lead to financial penalties, sanctions, or other disciplinary measures. It is important to note that the specific penalties may vary across different countries, considering NERC's status as a transnational organization.
What does the NERC CIP require?
The NERC CIP standards mandate a set of essential cybersecurity and physical security measures for utility companies in North America. The primary objective in enforcing these standards is to safeguard the North American power grid, its customers, and provider organizations against threats that impede its efficient and timely operation. These threats include targeted attacks, vandalism, and domestic and international terrorism.
NERC CIP-covered entities are required to identify critical assets and conduct regular risk analyses for these assets. They must also establish policies for monitoring and modifying the configuration of those critical assets securely and deploy robust access controls for them. Entities are also expected to deploy systems for monitoring security events and develop comprehensive contingency plans to respond to attacks, natural disasters, and other unforeseen incidents.
What is physical key management?
Key management is the organized process of securing, monitoring, and distributing physical keys. Better key management for NERC not only protects the keys themselves but it also protects the sensitive areas and valuable assets that those keys unlock.
Key management systems also play a vital role in controlling costs associated with physical key-based security and business processes. Through automation, these systems effectively reduce overhead expenses. They also reduce the chances your electrical utility must perform extensive re-keying efforts due to key loss or other security breaches.
While smaller companies often use a traditional pen-and-paper key management protocol, electrical utilities and government agencies need enhanced visibility and control over their keys and often opt for electronic key management systems for NERC compliance.
What is physical asset management?
Much like keys benefit from enhanced security, monitoring, and distribution, so does your utility’s equipment. Asset management systems for NERC compliance provide real-time tracking and insights into how your workers use stored equipment. They ensure only authorized personnel can access the equipment you’ve granted them access to, and they identify meaningful usage trends to help inform decision-making.
Both key and asset management systems are forms of smart technology that leverage integrated computer systems.
Why use smart management systems?
The main advantage key and asset management systems hold over manual, pen-and-paper processes is that they securely and efficiently automate distribution. No human labor is necessary. This also means transactions can happen securely at any time of day.
These smart management systems offer a range of other benefits, which include:
How can smart management systems help with NERC compliance?
NERC CIP includes nine overarching standards for power grid security. Many of the standards deal purely with cybersecurity, but a few include strong physical security mandates. Smart key and asset management systems are well suited for helping utilities meet those standards.
We may live in a digital world now, but every app, website, and internet service must still run on physical infrastructure somewhere in the real world. The CIP includes many NERC regulations for managing the power grid’s physical IT infrastructure, including maintaining a physical security plan, visitor control program, and maintenance and testing programs.
A physical security plan documents operational controls to limit physical access to power grid IT infrastructure. A visitor control program sets out guidelines for effectively managing visitors, which may involve assigning escorts and maintaining a comprehensive visitor log. The maintenance and testing program establishes standards for conducting regular assessments of all physical access control systems (PACS) at least once every two years.
Smart key management systems provide tight control over key access. There is no chance for human error to result in someone inadvertently gaining access to keys they shouldn’t have or for keys to go missing any longer than the curfews you want to set. They can help enhance control over your and your customers’ facilities.
This standard aims to equip utilities to effectively handle cyber incidents by requiring them to create a cybersecurity incident response plan. Such a plan assists in identifying, classifying, responding to, reporting, and documenting security incidents. Incidents can involve network-based attacks but also physical attacks on infrastructure.
Smart systems generate a detailed audit log of who signed out which keys and electronic devices, and when, so that any item connected to a security incident can be traced back to its holder. These digital ‘paper trails’ greatly improve your incident response efforts.
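As an added illustration (not code from this article or from any key management vendor), the following Python sketch models the two controls described above: a per-key curfew that flags keys signed out past their time limit, and an audit trail that answers who held a given key during an incident window. Key ids, users, curfews and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data: curfews (in hours) per key id. Unknown keys
# default to a zero-hour curfew, i.e. they are flagged as soon as they
# are out, which is the strict (fail-closed) choice for a control like this.
CURFEW_HOURS = {"K-SUB-07": 4, "K-CTRL-01": 8}


@dataclass(frozen=True)
class Checkout:
    key_id: str
    user: str
    out: datetime
    back: Optional[datetime]  # None means the key is still signed out


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso)


# Constructed check-out ledger (hypothetical key ids, users and times).
LEDGER = [
    Checkout("K-SUB-07", "alice", _t("2023-07-06T08:00"), _t("2023-07-06T10:30")),
    Checkout("K-SUB-07", "bob", _t("2023-07-06T13:00"), None),
    Checkout("K-CTRL-01", "carol", _t("2023-07-06T15:00"), None),
]


def overdue_keys(ledger, now_iso):
    """Return (key_id, user) pairs still signed out past their curfew at now_iso."""
    now = _t(now_iso)
    late = []
    for c in ledger:
        if c.back is not None:
            continue  # returned keys can never be overdue
        limit = timedelta(hours=CURFEW_HOURS.get(c.key_id, 0))
        if now - c.out > limit:
            late.append((c.key_id, c.user))
    return sorted(late)


def holders_during(ledger, key_id, start_iso, end_iso):
    """Return users who held key_id at any point inside [start, end]."""
    start, end = _t(start_iso), _t(end_iso)
    users = {c.user for c in ledger
             if c.key_id == key_id
             and c.out <= end
             and (c.back is None or c.back >= start)}
    return sorted(users)
```

During an incident review, `holders_during` is the question an auditor actually asks of the ledger, while `overdue_keys` is the check a system would run continuously to raise a curfew alert.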
This standard requires organizations to create and implement well-documented physical security plans for their transmission stations, substations, and primary control centers. The physical security plan must include the following:
- Security measures—The plan should encompass a comprehensive set of measures designed to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities.
- Law enforcement coordination information.
- Provisions for ongoing evaluation—The plan should incorporate provisions to evaluate evolving physical threats and update security measures in place.
Smart management systems can be a cornerstone of these physical security efforts. They protect keys and valuable assets, assist in deterring access to critical facilities, and provide detailed logging of potential issues.