Under the direction of the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC) is charged with enforcing reliability standards for the Bulk Electric System (BES) in North America. Reliability standards for the BES are created under NERC’s supervision by an industry-driven process. Both physical security threats and cyber security threats are regarded as threats to the reliability of the BES, and as a result a set of Critical Infrastructure Protection (CIP) security standards have been adopted.
In December of 2011, NERC issued Compliance Application Notice (CAN) 0024 “CIP-002 R3 Routable Protocols and Data Diode Devices.” The purpose of a CAN is to provide guidance to auditors who evaluate industry compliance with CIP reliability standards and who make findings that can lead to enforcement actions and monetary fines. CAN-0024 provides instruction for assessing whether the communication characteristics of data diode devices can be used to exclude cyber assets from consideration as Critical Cyber Assets (CCA) when a routable protocol is used when not at a control center.
The following white paper details how to apply NERC-CIP CAN-0024.