Everything You Need to Know about NERC CIP Compliance at Your Facility

Posted by Christina Cardella on 18 July 2019
The North American Electric Reliability Corporation (NERC) is a nonprofit corporation that formed in 2008. For over a decade, utility and energy organizations everywhere have had to structure their procedures around meeting the tough standards set out by NERC and mandated by the Federal Energy Regulatory Commission (FERC).

Compliance is more important than ever, especially as the risk of attacks on critical infrastructure increases.

There are 9 important NERC CIP standards that cover the security of Electronic Security Perimeters as well as the protection of critical cyber assets and the processes that support them. These requirements also cover access control and security management, personnel and training, and disaster response planning and training. You might not be aware of some of these requirements, and they might need to be incorporated into your own facility's procedures.

We aim to simplify these complex compliance standards so that you can easily understand them and adjust the procedures at your facility accordingly.

Sabotage Reporting (CIP-001)

This standard states that you must report and address any and all disturbances or unusual occurrences involving the security systems at your facility. This applies not only to instances that have been proven to be caused by sabotage or malicious intent, but also to any suspicion you might have about disturbances or abnormalities. At the slightest suspicion, you must recognize the issue and report it to operating personnel.

Critical Cyber-Asset Identification (CIP-002)

This standard requires the identification and proper documentation of any vital cyber assets that support your Bulk Electric System (BES) operations. This is completed through a risk-based assessment by a reputable auditing firm.

Security Management Controls (CIP-003)

Under this standard, the facility is responsible for creating a strong cyber-security policy that accurately reflects its ability and overall commitment to securing critical cyber assets. The policy must also include a plan for emergency situations. Additionally, the facility must ensure that the policy is readily available to all employees, contractors or anyone else who has access to critical cyber assets. The policy must be reviewed, and amended if necessary, annually.

Personnel and Training (CIP-004)

This standard requires that every team member who has access to any of your critical cyber assets has the proper training, security awareness and risk awareness to access those assets without a personnel escort. The same applies to any contractors or outside vendors you might hire.

Electronic Security Perimeter (CIP-005)

This standard requires the identification and protection of the Electronic Security Perimeter(s) (ESP): any area that houses any or all Critical Cyber Assets, together with all access points along or outside the perimeter. You are also required to maintain the security of the area surrounding all cyber-security assets.

Physical Security of Critical Cyber-Assets (CIP-006)

This standard ensures that facilities have an adequate physical security program in place to protect their critical cyber assets and data.

The physical security plan should address the following:

  • Designating, identifying and documenting the Physical Security Perimeter(s)
  • Identifying all access points through each Physical Security Perimeter, and the measures used to control entry via those access points
  • Developing the processes, tools and procedures necessary to monitor physical access to all relevant perimeters
  • Designing a loss or breach response to manage any infiltration of these areas
  • Reviewing the Physical Security Plan annually

Systems Security and Management (CIP-007)

This standard requires facilities to define the methods, processes and procedures they use to secure all of their cyber assets, both critical and non-critical, that lie within the ESP(s).

Incident Reporting and Response Planning (CIP-008)

Standard CIP-008 requires the facility to develop and maintain a cyber security incident response plan, and to implement that plan, including proper reporting procedures to all relevant authorities.

Additionally, the facility must keep all relevant documentation related to any incidents or suspicious activity.

Recovery Plans for Critical Cyber-Assets (CIP-009)

This standard requires the facility to have an adequate recovery plan in place for its critical cyber assets. Standard CIP-009 also requires that these plans follow established business continuity and disaster recovery plans, techniques and practices.

At a minimum, the recovery plan must address the actions required to respond to events or conditions of varying duration and severity that might necessitate activating the plan. It is also necessary to define the roles and responsibilities of each responder at the facility.

Not Entirely Confident That Your Critical Cyber-Asset Infrastructure Is Fully NERC CIP Compliant?

If you are feeling overwhelmed by this extensive list of standards and procedures that you must have in place, the cyber security experts at BioConnect can help provide your facility with top-line biometric access control to protect your Electronic Security Perimeters, as well as dual-factor biometrics right on the server cabinets that house your critical cyber assets.

Contact a BioConnect Security Expert
