FERC/NERC Compliance

FERC/NERC Compliance Services primarily involve shaping and guiding the covered organization’s Information Security Policy and ensuring that the covered organization meets all requirements in the FERC/NERC Cyber Security Standards.

What is it?

A series of cyber security standards to address system downtime, data loss, and facility control breakdowns for owners and operators of Bulk Power Systems in North America and Canada.

Who oversees it?

The North American Electric Reliability Corporation (NERC) oversees compliance and vulnerability issues for North America and Canada. NERC is itself overseen by the U.S. Federal Energy Regulatory Commission (FERC) and Canada’s National Energy Board (NEB).

Who does it apply to?

Bulk Power Systems owners and operators in North America and Canadian power generators wishing to export power to the U.S.

How does it impact IT professionals?

Energy companies may require IT assistance in preparing their systems and networks to adhere to the security standards identified in NERC’s Critical Infrastructure Protection Cyber Security Standards (CIP 002-009).

What do your clients need to be NERC compliant?

There are eight NERC Cyber Security Standards that energy companies must adhere to in order to pass a CIP audit. The security standards are as follows:

CIP 002 – Critical Cyber Asset Identification

Requires that critical assets of the Bulk Electric System be identified and documented.

CIP 003 – Security Management Controls

Requires that entities have security management controls in place to protect assets.

CIP 004 – Personnel and Training

Requires that all personnel have an appropriate level of risk awareness and security training.

CIP 005 – Electronic Security Perimeter

Requires identification and protection of the electronic perimeter in which assets reside.

CIP 006 – Physical Security of Assets

Requires physical security for the protection of assets.

CIP 007 – Systems Security Management

Requires access methods and controls to be utilized to secure critical assets.

CIP 008 – Incident Reporting and Response Planning

Requires identification, classification, and reporting of security incidents related to assets.

CIP 009 – Recovery Plans for Critical Assets

Requires disaster recovery and continuity plans to be put in place for all critical assets.

What are the dangers of not being FERC/NERC compliant?

  • Sanctions
  • Mandatory Remedial Action Directives
  • Fines up to $1,000,000 per day, per violation