The North American electrical grid is one of the most important systems that governments and utilities must protect from accidents and deliberate sabotage. The body responsible for its reliability is the North American Electric Reliability Corporation (NERC), a not-for-profit organization that develops and enforces reliability standards for the bulk power system; since 2006 the US Federal Energy Regulatory Commission (FERC) has certified NERC as the Electric Reliability Organization, which gives those standards regulatory force in the United States.
If you work for a company that has to be NERC compliant, you already know how demanding it can be. If you are new to the industry, you will be asking, "What is NERC compliance, and why does it matter?" This guide answers those questions and walks through the standards that make up NERC's Critical Infrastructure Protection (CIP) program.
The Levels of NERC
NERC CIP originally comprised nine standards, CIP-001 through CIP-009, which registered entities must implement across their own infrastructure. Later revisions have extended and renumbered the set (for example, CIP-010 on configuration change management and CIP-011 on information protection were added, and CIP-001 was retired into the EOP standards), but the nine areas below remain the core of the program and are the ones to understand first.
Sabotage Reporting
Sabotage, whether successful or merely attempted, is something you must plan for, so the first standard (CIP-001) requires a documented procedure for recognizing and reporting it. The process starts as soon as sabotage is suspected, not when it is confirmed: operating personnel must be trained to recognize a sabotage event, and the procedure must state who gets notified, including the appropriate parties in your Interconnection and law enforcement (the standard requires established contacts with the local FBI office). NERC and its Regional Entities audit registered entities against these procedures. The reason for reporting early is that an unexplained disturbance on one system may be the first visible sign of a coordinated attack on several.
Cyber Asset Identification
Next (CIP-002), a company must identify and document the cyber assets that are essential to the reliable operation of the bulk electric system. This covers both hardware and software. Use a documented, repeatable method, and group the assets as you list them, because every later standard applies to exactly the assets identified here: an incomplete inventory means unprotected systems. Later versions of CIP-002 replace the single "critical" label with categorizing BES Cyber Systems as high, medium, or low impact, with requirements scaled to the category.
Managing and Controlling Security
With the reporting procedure and asset inventory in place, you can set up security management controls (CIP-003): a written cyber security policy, a named senior manager accountable for the program, a process for documenting and approving exceptions, and change control for the identified assets. These controls protect against both future attacks and unintentional compromises in your organization. Review the policy at least annually so it stays current.
Personnel and Training
Everyone with authorized electronic or physical access to critical cyber assets (CIP-004), including contractors, must complete security awareness and training before access is granted and at least annually thereafter, and must pass a personnel risk assessment, including identity verification and a criminal history check, before access is granted. This applies to long-tenured employees as well as new hires, and access must be revoked promptly when someone leaves or no longer needs it.
Electronic Security Perimeter
Just as walls protect your office from outside forces, an Electronic Security Perimeter (CIP-005) is the network boundary that shields your critical cyber assets from unwanted outsiders. Every critical cyber asset must sit inside an ESP, every access point through the perimeter must be identified and documented, and traffic through those access points must be controlled (deny by default), logged, and monitored for unauthorized access attempts. Later versions also require interactive remote access to pass through an intermediate system with multi-factor authentication rather than reaching the asset directly, and the access points must be covered by a periodic vulnerability assessment.
Physical Security
Physical protection of critical cyber assets (CIP-006) is required as well. You need a physical security perimeter around them, a way to control and monitor who enters it, and a log of physical access that you retain for at least 90 days. The physical access controls must be tested and maintained, and the physical security plan must be reviewed at least annually to keep it current.
Management of Security Systems
On top of that, Systems Security Management (CIP-007) covers hardening every cyber asset inside the ESP, critical or not: enable only the ports and services a system actually needs, apply security patches under a documented process, deploy malware protection, manage accounts (remove unneeded accounts and change default passwords), and log and review security events. A listening service with no business justification is attack surface that nobody is watching, so assign a team the job of keeping the approved-ports baseline current and verifying hosts against it.
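A ports-and-services review is easier to keep honest when the check is automated. The following is an added example, not code from the original page or from NERC: it parses listening sockets in the format printed by `ss -tulpn` on Linux (the sample output and the approved-ports baseline below are constructed for illustration) and reports every socket that is not on the documented baseline, which is exactly the list an asset owner has to justify or close.

```python
"""Compare a host's listening TCP/UDP sockets against a documented baseline.

Added example for a CIP-007 ports-and-services review. The `ss -tulpn`
output and the APPROVED baseline below are constructed, not from a real host.
"""
import re

# Constructed sample in the format of `ss -tulpn` on a hypothetical Linux host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:123       0.0.0.0:*         users:(("chronyd",pid=612,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*         users:(("cupsd",pid=955,fd=7))
tcp   LISTEN 0      5      0.0.0.0:23        0.0.0.0:*         users:(("telnetd",pid=1203,fd=4))
tcp   LISTEN 0      511    [::]:443          [::]:*            users:(("nginx",pid=1400,fd=6))
"""

# Hypothetical baseline: (protocol, port) pairs the asset's documentation justifies.
APPROVED = {("tcp", 22), ("tcp", 443), ("udp", 123)}

# Extracts the first process name from a users:(("name",pid=...,fd=...)) column.
_PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss(output):
    """Return (proto, local_addr, port, process) for each listening/unconnected socket."""
    sockets = []
    for line in output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if state not in ("LISTEN", "UNCONN"):  # TCP listeners and bound UDP sockets
            continue
        # rpartition keeps IPv6 literals such as "[::]:443" intact.
        addr, _, port = local.rpartition(":")
        match = _PROC_RE.search(line)
        sockets.append((proto, addr, int(port), match.group(1) if match else "?"))
    return sockets


def find_unapproved(output, approved):
    """Return the parsed sockets whose (proto, port) is absent from the baseline."""
    return [s for s in parse_ss(output) if (s[0], s[2]) not in approved]


def loopback_only(sock):
    """True when the socket is bound to a loopback address: lower exposure, still needs a justification."""
    return sock[1] in ("127.0.0.1", "[::1]")


if __name__ == "__main__":
    for sock in find_unapproved(SAMPLE_SS_OUTPUT, APPROVED):
        proto, addr, port, proc = sock
        note = " (loopback only)" if loopback_only(sock) else ""
        print(f"UNAPPROVED {proto}/{port} bound to {addr} by {proc}{note}")
```

On the constructed sample the script flags CUPS on tcp/631 (loopback only) and telnetd on tcp/23; the approved SSH, HTTPS and NTP sockets pass. In practice the baseline should live in the asset's configuration record so the same file serves as the evidence an auditor asks for, and the check should run on a schedule, since a service that was closed last quarter can be re-enabled by a patch or a vendor tool.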
Incident Reporting and Response Planning
In the same way that you need a procedure for reporting suspected sabotage, you need an incident response plan (CIP-008) that people can use to report and handle cyber security incidents. The plan must define how incidents are classified, who does what, and how a reportable cyber security incident is reported to the ES-ISAC (now the E-ISAC); the standard sets a one-hour deadline from the time you determine that an incident is reportable. Regardless of the severity of a breach, the response steps must be written down, communicated to everyone involved, exercised at least annually, and the incident records retained. The faster a well-rehearsed plan is put into motion, the less likely you are to lose vital data or control of an asset.
Recovery Plans for Cyber Attacks
Unfortunately, a successful attack or a plain hardware failure remains possible no matter how strong your security and response systems are, so you must prepare for the worst case. Recovery plans (CIP-009) are about restoring the operation of critical cyber assets: the plan must define roles and responsibilities, be exercised at least annually, be updated under change control, and be backed by backups of the configurations and data needed to rebuild each asset. Store those backups where an attacker who has compromised the production system cannot reach them, and test that they actually restore; if an attack wipes your systems and you have no verified backup, you are dead in the water. Nobody wants to assume they will be hacked, but you still need a tested recovery plan in place for when it happens.
Why You Need To Be Compliant
This is a lot of information to take in, but it should make clearer why compliance matters. Electricity is vital to everyday life, and if a large section of the grid goes down for any length of time, the effects on the people who depend on it are severe. Most disturbances are resolved quickly, but not all are, and a prolonged outage can cause lasting and sometimes permanent damage to equipment, businesses, and public safety.
That is why NERC compliance is so important. The standards exist to keep the electrical system as safe as is practically possible, and if you do not follow them you put everyone you serve at risk. Regulators treat that seriously: violations carry monetary penalties that in the United States can reach $1 million per violation per day, which is why compliance is not optional.
How To Stay Compliant
Now that you know what NERC compliance is and why it matters, staying compliant may feel overwhelming. Fortunately, you do not have to do it alone. You can hire team members and set up a dedicated function whose job is keeping the whole company compliant.
The difficulty is making sure those new employees are properly qualified for the task, and vetting them thoroughly is not easy to do on your own. PSI Background Screening specializes in NERC background checks. We have the tools and know-how to ensure that your future staff are equipped to handle anything NERC-related, and we can help you obtain a NERC CIP certification if that is something you are interested in.