North American Electric Reliability Corporation (NERC)
1 Answer

NERC applies to companies that generate, provide, or transmit energy.

  • NERC is subject to Federal Energy Regulatory Commission (FERC) mandates and control. The NRC (Nuclear Regulatory Commission) is a related commission for nuclear power.
  • The primary focus of NERC is on SCADA, which stands for supervisory control and data acquisition devices and networks.
  • The majority of IT-related policies will be found in the Critical Infrastructure Protection (CIP) standards.
  • Standard CIP-002-3 requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets and outlines the key controls relative to IT.
  • A key unique issue addressed in NERC is the requirement to monitor log devices with no gap exceeding 7 days. This can be a critical audit finding with serious repercussions.
  • Annual reviews of assets, policies, and procedures are mandated.