On June 7, 2021, the North American Electric Reliability Corporation (NERC) announced the issuance of its “ERO Enterprise CMEP Practice Guide: Network Monitoring Sensors, Collectors and Information Sharing” document to clarify for industry how NERC and the Regional Entities (RE) will treat network monitoring technology in CIP standard audits. NERC practice guides are tools for NERC and RE audit staff to use in an effort to provide for consistent audits across all applicable registered entities.
NERC stated that issuance of this practice guide is in response to the Department of Energy’s (DOE) April 20, 2021 announcement of its “100 Day Plan to Address Cybersecurity Risks to the U.S. Electric System.” The DOE plan is an initiative to enhance the cybersecurity of electric utilities’ industrial control systems (ICS) and secure the energy sector supply chain. Additionally, it is a coordinated effort between DOE, the electricity industry, and the Cybersecurity and Infrastructure Security Agency (CISA) focusing on the development of actions to confront cyber threats from adversaries who seek to compromise the electric system.
The primary focus of NERC’s practice guide is as follows:
Protection of a device/sensor
Protection of data