NERC Standards

NERC Standard CIP-001 defines requirements for Sabotage Reporting, which is beyond the scope of this Guidebook. The NERC Standards CIP-002 through CIP-009, covered in this guide, provide a cybersecurity framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System.

These standards recognize the differing roles of each entity in the operation of the Bulk Electric System, the criticality and vulnerability of the assets needed to manage Bulk Electric System reliability, and the risks to which they are exposed.

Business and operational demands for managing and maintaining a reliable Bulk Electric System increasingly rely on Cyber Assets supporting critical reliability functions and processes to communicate with each other, across functions and organizations, for services and data. This results in increased risks to these Cyber Assets.

Specifically, these standards include:

  • CIP-002 - Cyber Security - Critical Cyber Asset Identification: Requires a responsible entity to identify its critical assets and critical cyber assets using a risk-based assessment methodology.
  • CIP-003 - Cyber Security - Security Management Controls: Requires a responsible entity to develop and implement security management controls to protect critical cyber assets identified pursuant to CIP-002.
  • CIP-004 - Cyber Security - Personnel & Training: Requires personnel with access to critical cyber assets for identity verification and criminal checks. It also requires employee training.
  • CIP-005 - Cyber Security - Electronic Security Perimeters: Requires the identification and protection of an electronic security perimeter and access points. The electronic security perimeter is to encompass the critical cyber assets identified pursuant to the methodology required by CIP-002.
  • CIP-006 - Cyber Security - Physical Security of Critical Cyber Assets: Requires a responsible entity to create and maintain a physical security plan that ensures that all cyber assets within an electronic security perimeter are kept in an identified physical security perimeter.
  • CIP-007 - Cyber Security - Systems Security Management: Requires a responsible entity to define methods, processes, and procedures for securing the systems identified as critical cyber assets, as well as the noncritical cyber assets within an electronic security perimeter.
  • CIP-008 - Cyber Security - Incident Reporting and Response Planning: Requires a responsible entity to identify, classify, respond to, and report cyber security incidents related to critical cyber assets.
  • CIP-009 - Cyber Security - Recovery Plans for Critical Cyber Assets: Requires you to have in place business continuity and disaster recovery plans for critical cyber assets.

NERC states that the CIP reliability standards provide a comprehensive set of requirements to protect the Bulk-Power System from malicious cyber attacks. They require Bulk-Power System users, owners, and operators to establish a risk-based vulnerability assessment methodology to identify and prioritize critical assets and critical cyber assets.

After the critical cyber assets are identified, the CIP reliability standards require, among other things, that the responsible entities establish plans, protocols, and controls to safeguard physical and electronic access; to train personnel on security matters; to report security incidents; and to be prepared for recovery actions.Standards is provided by TIBCO LogLogic.

Note: The CIP requirements, sub-requirements, and measures outlined in this guidebook are summarized from FERC 18 CFR Part 40, Order No. 706, Mandatory Reliability Standards for Critical Infrastructure Protection and NERC Critical Infrastructure Protection Reliability Standards. The illustrative approaches described under each CIP Standard were obtained from FERC Order No. 706, NERC Security Guidelines for the Electricity Sector, and other resources of common IT risk management best practices. The TIBCO LogLogic solution information described in this guidebook that aligns with the CIP Standards is provided by TIBCO LogLogic.