ESP Journal of Engineering & Technology Advancements
© 2021 by ESP JETA
Volume 1 Issue 1
Year of Publication: 2021
Authors: Suchismita Chatterjee
Suchismita Chatterjee, 2021. "A Comparative Study Between NERC-CIP and NIST Compliance - Defining the Critical Framework for Building Cyberrisk Free Infrastructure", ESP Journal of Engineering & Technology Advancements 1(1): 273-281.
This paper compares the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) and the National Institute of Standards and Technology (NIST) cybersecurity frameworks, analysing their strengths, weaknesses, and implementation challenges. While NERC-CIP focuses on mandatory requirements for the bulk electric system, NIST provides a voluntary and adaptable framework for broader cybersecurity risk management. The study highlights the complementary nature of both frameworks and proposes a comprehensive approach to building cyber risk-free infrastructure, incorporating elements like risk-based prioritization, defense-in-depth strategies, continuous monitoring, and collaboration. It also emphasizes the limitations of relying solely on compliance and suggests additional measures such as advanced threat detection, zero-trust models, and security awareness training to enhance cybersecurity posture in critical infrastructure sectors.
NERC-CIP, NIST, Cybersecurity Frameworks, Critical Infrastructure Protection, Cyber Risk Management, Compliance, Risk Assessment, Threat Detection, Security Controls, Best Practices, Case Studies, IT/OT Security, Supply Chain Risk, Resilience.