On June 7, 2021, the North American Electric Reliability Corporation (NERC) announced the issuance of its “ERO Enterprise CMEP Practice Guide: Network Monitoring Sensors, Collectors and Information Sharing” document to clarify for industry how NERC and the Regional Entities (RE) will treat network monitoring technology in CIP standard audits.  NERC practice guides are tools for NERC and RE audit staff to use in an effort to provide for consistent audits across all applicable registered entities. 

NERC stated that issuance of this practice guide is in response to the Department of Energy’s (DOE) April 20, 2021 announcement of its “100 Day Plan to Address Cybersecurity Risks to the U.S. Electric System.”  The DOE plan is an initiative to enhance the cybersecurity of electric utilities’ industrial control systems (ICS) and secure the energy sector supply chain. Additionally, it is a coordinated effort between DOE, the electricity industry, and the Cybersecurity and Infrastructure Security Agency (CISA) focusing on the development of actions to confront cyber threats from adversaries who seek to compromise the electric system.

The primary focus of NERC’s practice guide is as follows:

Protection of a device/sensor

  • Determination of whether the device/sensor is subject to certain CIP standards.
  • Categorization of the device/sensor to determine which CIP standard requirements apply.

Protection of data

  • Determination of whether data is stored on registered entity-owned/controlled or third-party facilities and which CIP standard requirements apply.
  • If a third party is involved, determine how the data is protected during transit, stored, and used by that entity.

For more information, please contact Kristen Connolly McCullough, Barry Lawson, or Ellen Hill.

June 10, 2021