What Is NERC CIP Compliance?


The continual news of state-sponsored hackers attacking U.S. infrastructure has led the general public to better understand that digital security is a critical part of our overall national security. Digital systems aren’t confined to high-tech companies; cybersecurity touches almost every aspect of our lives, particularly energy and utility management.

The U.S. government was already ahead of this curve and, starting in the 1990s, began implementing government regulations (in partnership with private companies) to protect the country’s electrical infrastructure. This led to the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) requirements.


What Is NERC?

The North American Electric Reliability Corporation (NERC) is a non-profit organization founded in response to a series of blackouts in the northeast in the 1960s. While created and funded by private energy companies, it falls under the Federal Energy Regulatory Committee to create standards around power grid infrastructure. 

The original conception of NERC was around physical infrastructure, including physical security and technical maintenance. Moving into the 1990s, however, President Clinton issued a Presidential Decision Directive to shift the focus of NERC to infrastructure cybersecurity. The idea was that, as the electric grid became increasingly dependent on digital technology, particularly networked technology, security would be of utmost importance for national security. 

This move proved to be prescient. In modern times, state-sponsored attacks and advanced persistent threats (APTs) are targeting not only government systems but the digital infrastructure supporting private and public industry. 

After September 11, the pressure was on to nail down cybersecurity for the electric grid more concretely. NERC issued an Urgent Action Standard in 2003 that served as the foundation for critical infrastructure protection (CIP) standards. 

Before digging into CIP standards, it’s essential to understand some terminology, specifically:

  • Bulk Electric Systems: Bulk electric systems, or BES, are electrical generation systems, power lines, network connections, etc. That is, BES typically refers exclusively to the physical infrastructure that generates electricity and carries it over distance for delivery to different premises.
  • Bulk Power Systems: Bulk power systems, or BPS, typically refer to the control systems and operational facilities used to manage the supply networks.

It’s important to note that these definitions, while not entirely relevant for cybersecurity specialists, are incredibly important for regulators and regulation. The difference between a BES and a BPS can limit the scope of application of NERC CIP requirements and cause jurisdictional issues. 


What Are the NERC CIP Requirements?



NERC CIP standards are mostly similar to other cybersecurity requirements, emphasizing data protection, system management, and supply chain security.

These requirements include, in part:


BES Cyber System Categorization

These requirements help regulators and businesses identify regulated cyber systems and BES assets. The technical details are beyond the scope of this article. Still, it suffices to say that they cover the definition of operators, facilities, ownership, programs and technologies governed by the law.

In this section, assets are categorized as:

  • Electronic Access Systems
  • Physical Access Control Systems
  • Protected Cyber Assets


Security Management Controls

This section defines accountability, management, and authority within organizations around the implementation of security, protection of infrastructure, and future administration of compliance programs. Specifically, organizations must demonstrate the implementation of sustainable security management.


Personnel and Training

As the name suggests, the organization must have training programs relevant to the personnel needing training within the scope of required regulatory controls. More specifically, employees requiring training must undergo that training at least every 15 calendar months.

Furthermore, the organization must take into account the risk profile associated with personnel, including having plans to control user access management and revoke credentials when an employee is terminated or otherwise leaves the organization. 


Electronic Security Perimeters

This section dictates the creation of a virtual barrier between BES systems and the outside world, with plans in place to control that perimeter. This can include perimeter security measures, hardware and software firewalls, and the designation of specific access points that are secured and monitored.


Physical Security of BES Cyber Systems

Simply put, this section requires restricting physical access to BES or BPS systems. Organizations must have visitor control plans (logs, ID badges, monitors, required escorts, etc.). Offices must be locked against unauthorized access and monitored with surveillance technology. Visitor logs should be maintained for 90 days, and physical security plans must be regularly maintained.


System Security Management

The meat and potatoes of system security, this section defines the procedures and operations an organization must implement to secure its systems. These include managing services and service security, patching and updates, preventing unauthorized system access and malicious code, system monitoring, and access controls.


Incident Reporting and Response Planning

Organizations must have response and mitigation plans in place in the event of a breach. These plans include:

  • Incident Response Plans
  • Regular Incident Response Plan Testing at least every 15 calendar months
  • Planned Response Review and Updates that must be communicated to stakeholders within 90 days of a related security event


Recovery Plans for BES Cyber Systems

An organization must have, alongside its reporting and response plan, an established recovery plan that will operate in the event of a security breach. These plans must also be tested at least once every 15 months, and changes to the plan must be communicated to stakeholders within 90 days of a breach.


Configuration Change Management and Vulnerability Management

This section covers any implementation, upgrade or change to underlying systems like operating systems or connection systems. Furthermore, configuration settings must be monitored for effectiveness, and additional monitoring of baseline configurations must occur every 35 days to detect unauthorized changes. Finally, an organization must conduct vulnerability assessments every 15 calendar months.
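As an added example (not from this article, NERC, or any vendor), the following Python script models the baseline-monitoring practice described above: it records a baseline configuration for one asset, diffs a later snapshot against it, flags every change that has no approved change record behind it, and checks whether the 35-day baseline review and the 15-calendar-month vulnerability assessment are overdue. The snapshots, ticket ids and dates are constructed sample data, and the rule that a "calendar month" deadline falls on the last day of the target month is an assumption about interpretation, not a reading of the standard.

```python
"""Baseline configuration drift check (added example, constructed sample data)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date

BASELINE_REVIEW_DAYS = 35      # review interval stated in the article
VULN_ASSESSMENT_MONTHS = 15    # assessment interval stated in the article

# Constructed baseline for a hypothetical BES Cyber Asset.
BASELINE = {
    "os": "ExampleOS 4.2",
    "packages": {"sshd": "9.3", "ntpd": "4.2.8", "snmpd": "5.9"},
    "ports": [22, 123, 161],
    "services": ["sshd", "ntpd", "snmpd"],
}

# Constructed later snapshot: sshd was patched (approved change), while a
# telnet daemon, its service entry and port 23 appeared without any record.
CURRENT = {
    "os": "ExampleOS 4.2",
    "packages": {"sshd": "9.4", "ntpd": "4.2.8", "snmpd": "5.9", "telnetd": "0.17"},
    "ports": [22, 23, 123, 161],
    "services": ["sshd", "ntpd", "snmpd", "telnetd"],
}

# Constructed approved change records; the ticket id is a placeholder.
APPROVED_CHANGES = [
    {"ticket": "CHG-PLACEHOLDER-1", "item": "packages:sshd", "new": "9.4"},
]


@dataclass(frozen=True)
class Drift:
    item: str            # flattened key, e.g. "packages:telnetd" or "ports:23"
    old: str | None      # None when the item did not exist in the baseline
    new: str | None      # None when the item was removed
    approved: bool       # True only if an approved change record matches


def _flatten(snapshot: dict) -> dict[str, str]:
    """Turn a nested snapshot into 'category:name' -> value pairs for diffing."""
    flat = {"os": snapshot["os"]}
    for name, version in snapshot["packages"].items():
        flat[f"packages:{name}"] = version
    for port in snapshot["ports"]:
        flat[f"ports:{port}"] = "open"
    for service in snapshot["services"]:
        flat[f"services:{service}"] = "enabled"
    return flat


def detect_drift(baseline: dict, current: dict, approved: list[dict]) -> list[Drift]:
    """Return every difference between baseline and current, marking each as
    approved only when a change record names the same item and target value."""
    approved_map = {c["item"]: c["new"] for c in approved}
    base, cur = _flatten(baseline), _flatten(current)
    drifts = []
    for item in sorted(set(base) | set(cur)):
        old, new = base.get(item), cur.get(item)
        if old == new:
            continue
        # Membership check first so an unrecorded removal (new=None) is not
        # mistaken for an approved one.
        ok = item in approved_map and approved_map[item] == new
        drifts.append(Drift(item, old, new, ok))
    return drifts


def unauthorized(drifts: list[Drift]) -> list[Drift]:
    """Changes with no approved record: the ones an operator must investigate."""
    return [d for d in drifts if not d.approved]


def calendar_month_deadline(last_done: date, months: int) -> date:
    """Last day of the Nth calendar month after the month of last_done
    (assumed interpretation of 'every N calendar months')."""
    total = last_done.month + months
    year = last_done.year + (total - 1) // 12
    month = (total - 1) % 12 + 1
    return date(year, month, calendar.monthrange(year, month)[1])


def compliance_status(last_baseline_review: date, last_vuln_assessment: date,
                      today: date) -> dict[str, bool]:
    """Flag the two periodic obligations the article states as overdue or not."""
    return {
        "baseline_review_overdue":
            (today - last_baseline_review).days > BASELINE_REVIEW_DAYS,
        "vuln_assessment_overdue":
            today > calendar_month_deadline(last_vuln_assessment, VULN_ASSESSMENT_MONTHS),
    }


if __name__ == "__main__":
    for d in detect_drift(BASELINE, CURRENT, APPROVED_CHANGES):
        flag = "approved" if d.approved else "UNAUTHORIZED"
        print(f"{flag:12} {d.item}: {d.old!r} -> {d.new!r}")
    print(compliance_status(date(2024, 3, 1), date(2024, 1, 10), date(2024, 4, 10)))
```

The flattened-key diff is deliberately simple: whatever the real snapshot source is (package manager output, a port scan of the asset from inside the perimeter, a service list), the comparison and the "is there a matching approved record" rule stay the same, and anything left in the unauthorized list is the evidence an operator would need to document and resolve.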


Information Protection

Like many cybersecurity approaches, information must be protected from unauthorized disclosure. This includes obfuscation through encryption, proper disposal of media via electromagnetic erasure or physical destruction, and data access protection from unauthorized users.


Supply Chain Risk Management

Organizations must conduct regular risk assessments and understand the security risks associated with their supply chain, in this case any service, software, or cloud providers associated with sensitive data or operational systems.


Stay on Top of NERC CIP Compliance with Continuum GRC

Continuum GRC is a complete security and risk platform. This data visualization tool provides a clear and high-level view of the controls, practices, and assets that your organization must have in place to meet the requirements of NERC CIP regulations.

Suppose you are a company under the jurisdiction of NERC CIP. In that case, Continuum GRC will provide the expertise and technology to help you monitor compliance and integrate that with any other security frameworks you might be leveraging.

Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

  • FedRAMP
  • StateRAMP
  • NIST 800-53
  • FARS NIST 800-171
  • CMMC
  • SOC 1, SOC 2, SOC 3
  • HIPAA
  • PCI DSS
  • IRS 1075
  • COSO SOX
  • ISO 27000 Series

And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.

Continuum GRC is a proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
