There’s No Such Thing as “NERC-CIP Compliant” Products

NERC CIP Compliance (Whitepaper)

For many organizations that fall under North American Electric Reliability Corporation (Critical Infrastructure Protection) guidelines, compliance has largely been an afterthought. Here at Endian, we rarely encounter SCADA projects that aim first to, “Meet all NERC-CIP cyber security standards for the protection of critical assets” and secondarily to “Provide easy access to remote equipment”. Typically, meeting compliance is more of a bonus. Why has that been the case? We’ve identified several reasons:

Check out the free checklist for meeting NERC-CIP standards for the protection of Critical Assets at the end of this post

Enforcement: NERC-CIP policy violation enforcements have been exceedingly ineffectual as the number of organizations that fall under its umbrella sizably outnumber its resources for inspection.
Ignorance: SCADA has only recently begun adopting TCP/IP and experiencing the complexity & significant implications of connecting critical equipment to the Internet. In the past, SCADA threats were more strategic & targeted (see Stuxnet), written for a specific network intrusion event. Connecting equipment to the Internet exposes those networks to a vast world of malicious threats that can compromise them in seconds!
Cost: It’s generally easier to find products that will establish simple connectivity over an Internet uplink than one that will ensure secure communications and protection of networks. As a result, basic Data Comm devices have been commoditized and made attractive from a pricing standpoint.
Management Conflicts: Process and Business Network Administrators don’t always agree on products/solutions/strategy for adding equipment to the network, so a “compromise” is often the result as opposed to the “ideal” solution.

Despite growing public concern and increased machinations urging critical infrastructure to implement better security strategies, adoption of even the most basic security solutions has been outpaced by deployments of simple connectivity devices. Consequently, process networks are scrambling to “bolt-on” additional products when doing it right the first time would have been significantly more cost efficient and easier to manage.

Resulting from this has been a number of vendors that stamp their products “NERC-CIP Certified” or “NERC-CIP Compliant”, selling the dream that “By deploying this device, you magically put your network into compliance”. It’s an idealization that is simply incorrect and misleading. Meeting NERC-CIP standards for the cybersecurity of critical assets is a comprehensive process that involves an understanding of network architecture and the proper deployment of security protocols. NO PRODUCT PUTS A NETWORK INTO COMPLIANCE, they simply provide the tools to do so!

So how do these vendors get away with doing this? There is no active “FDA-like” organization that regulates the verbiage for technical products, so we rely on vendors to be honest with their marketing. In many cases, marketing teams abide by the maxim, “It’s better to ask for forgiveness than permission”.

In general, an overwhelming number of connectivity products fall short of addressing ALL of the feature-requirements for NERC-CIP compliance as it relates to DataComm. To learn more about how Endian’s solutions provide the easiest and most complete set of security and connectivity tools, email us at