Subscriber Discussion

NERC Cyber Security Requirements Prior To Bidding/Installing?

Undisclosed Integrator #1
Oct 19, 2018

My company is relatively new to the critical infrastructure vertical and as we are not working on more government regulated facilities with power, I was wondering if NERC has any cyber or security requirements that we should be aware of prior to bidding/installing. Digging through their site is terrible but I continue to plan to do so to try and uncover any mention of CCTV and how that relates to Cyber Security or requirements. We'd like to make sure we design a system that is compliant.

Shannon Davis
Oct 19, 2018
IPVMU Certified

There are all kinds of regulations with NERC. Too many to list here. Yes, their site is overwhelming. Depending on the area you are in, there are typically NERC groups that will often have end users, consultants and integrators. They oftentimes meet monthly to discuss issues. One of the biggest concerns is cyber threats. There is a lot to NERC requirements as well as FERC. These two often go hand in hand. Good luck with this. There are lots of good opportunities for good work and ever-changing regulations, but be prepared: it can be daunting as well.

Undisclosed Integrator #1
Oct 19, 2018

Hi Shannon,

Thanks for your reply.  Currently we're dealing with the physical security aspect, mainly cameras and guard/intrusion.  We're used to securing systems with cyber security requirements, either it being simple with just HTTPS and MAC Filtering or stepping it up with protected enclave solutions.  I didn't know if anyone had any experience, mainly with Video and any recommendations.  My company is a "national-regional".  We have a few offices but still small in comparison to the 800 lb. gorillas out there.  I'll look into the local groups and see when the next one is by us.

Brian Karas
Oct 19, 2018
Pelican Zero

There are several considerations for NERC, outlined in various CIP standards.

CIP-002, CIP-003 and CIP-007 are going to cover most of what you need to be aware of, but there are a lot of nuances that can vary based on location, what kind of equipment or operations are at the site, size of site in terms of MW capacity, etc.

I would suggest working very closely with your customer on the designs in terms of architecture and things that relate to cyber security, or really just datacomm in general. Ideally you'll get them to sign off on the design docs so if there are any post-install issues you have something that shows as-designed (and afterwards, as-built) layouts with their signoff.

Also, if they have other sites or installations that they consider to be proper and compliant, ask if you can get data on how those are laid out to try and model from. It may not be the ideal approach, but this also isn't a great area for learning on the fly.

Undisclosed Integrator #1
Oct 19, 2018

Thanks Brian, that is very helpful.

Will Doherty
Oct 19, 2018
Liberty Consulting, Inc • IPVMU Certified

A few years ago we had a client that fell under the NERC/FERC requirements. They managed the cyber security side internally and with our vendors; however, I do know that the video surveillance system had different rules than access control.

I hope this helps some.

Good Luck.

Undisclosed Integrator #1
Oct 19, 2018

Thanks Will, I appreciate it.
