What is NERC CIP?

NERC CIP (Critical Infrastructure Protection) is a cyber security framework that outlines a set of controls aimed at securing the assets required to operate the bulk electric system of North America. The NERC CIP compliance standards are set by the North American Electric Reliability Corporation (NERC), which decides on mandatory regulations for the critical infrastructure of North America.

Who Must Comply With NERC CIP?

Bulk power system owners, operators, and users within North America must comply with NERC-approved reliability standards. These organizations are required to register with NERC through the appropriate regional entity in their area.

What Are The 12 Standards Required By NERC CIP?

NERC CIP consists of 12 required control families, with another 4 that are subject to enforcement in the future.

  1. BES Cyber System Categorization – Identify and categorize the BES Cyber Assets that make up each Bulk Electric System (BES) Cyber System (defined as a grouped set of critical cyber assets). Each BES Cyber System should be graded and categorized based on the impact that any interruption would have on the reliable supply of electricity.
  2. Cyber Security Management Controls – Delegate authority and responsibility for the protection of the BES Cyber Systems to a senior manager responsible for the policy development of consistent and sustainable security controls. 
  3. Cyber Security Personnel and Training – Perform background checks and train personnel and contractors on cyber security best practices to reduce the risk of internal vulnerabilities and threats.
  4. Cyber Security Electronic Security Perimeters – Electronic security perimeters should be established around on-premises cyber assets to protect against misoperation or instability. External assets should be protected with electronic access points.
  5. Physical Security of BES Cyber Systems – Access to physical BES Cyber Systems is managed with a physical security plan, a visitor control program, and a maintenance and testing program.
  6. Cyber Security System Security Management – Measures should be in place to control access to systems, ports and services, apply patch management appropriately, deter and detect malicious code, and log cyber security events.
  7. Cyber Security Incident Reporting and Response Planning – Once a cybersecurity incident occurs, there must be a clear and planned response, or set of responses, designed to help mitigate the risk to the efficient and reliable functioning of the BES. 
  8. Cyber Security Recovery Plans for BES Cyber Systems – A plan for recovery after a cyber security incident must be outlined including recovery specifications, periodic implementation and testing, and review, update and communication after execution.
  9. Cyber Security Configuration Change Management and Vulnerability Assessments – Configuration change management processes and timelines for configuration review and vulnerability assessments should be outlined. 
  10. Cyber Security Information Protection – Identify and prevent unauthorized access of specific types of information that could, if misused, affect the reliable functioning of the BES.
  11. Cyber Security Supply Chain Risk Management – Create a supply chain cyber security risk management plan that outlines processes surrounding the management and access of vendors, handling of incidents, vulnerability notification, and coordination of controls.
  12. Physical Security – Third party risk assessments should be performed for each transmission station and substation and a timeline for updated security assessments should be established. 

Let Red Lion Assist in your NERC CIP Compliance

Do you still have questions regarding NERC CIP? Our compliance professionals can help you to understand and comply with NERC CIP, regardless of complexity.
