NERC Standards

NERC Standard CIP-001 defines requirements for Sabotage Reporting, which is beyond the scope of this configuration guide. The NERC Standards CIP-002 through CIP-012-1, covered in this guide, provide a cybersecurity framework for the identification and protection of critical cyber assets to support the reliable operation of the Bulk Electric System.

These standards recognize the differing roles of each entity in the operation of the Bulk Electric System, the criticality and vulnerability of the assets needed to manage Bulk Electric System reliability, and the risks to which they are exposed.

Business and operational demands for managing and maintaining a reliable Bulk Electric System increasingly rely on cyber assets supporting critical reliability functions and processes to communicate with each other, across functions and organizations, for services and data. This results in increased risks to these cyber assets.

Specifically, these standards include:

• CIP-002: Cyber Security - Critical Cyber Asset Identification: Requires a responsible entity to identify its critical assets and critical cyber assets using a risk-based assessment methodology.
• CIP-003: Cyber Security - Security Management Controls: Requires a responsible entity to develop and implement security management controls to protect critical cyber assets identified pursuant to CIP-002.
• CIP-004: Cyber Security- Personnel and Training: Requires personnel with access to critical cyber assets for identity verification and criminal checks. It also requires employee training.
• CIP-005: Cyber Security - Electronic Security Perimeters: Requires the identification and protection of an electronic security perimeter and access points. The electronic security perimeter is to encompass the critical cyber assets identified pursuant to the methodology required by CIP-002.
• CIP-006: Cyber Security - Physical Security of Critical Cyber Assets: Requires a responsible entity to create and maintain a physical security plan that ensures that all cyber assets in an electronic security perimeter are kept in an identified physical security perimeter.
• CIP-007: Cyber Security - Systems Security Management: Requires a responsible entity to define methods, processes, and procedures for securing the systems identified as critical cyber assets, as well as the noncritical cyber assets in an electronic security perimeter.
• CIP-008: Cyber Security - Incident Reporting and Response Planning: Requires a responsible entity to identify, classify, respond to, and report cyber security incidents related to critical cyber assets.
• CIP-009: Cyber Security - Recovery Plans for Critical Cyber Assets: Requires you to have in place business continuity and disaster recovery plans for critical cyber assets.

• CIP-012-1: Cyber Security - Communications between Control Centers: Requires for protecting the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between Control Centers.

NERC states that the CIP reliability standards provide a comprehensive set of requirements to protect the bulk power system from malicious cyber-attacks. They require bulk power system users, owners, and operators to establish a risk-based vulnerability assessment methodology to identify and prioritize critical assets and critical cyber assets.

After the critical cyber assets are identified, the CIP reliability standards require, among other things, that the responsible entities establish plans, protocols, and controls to safeguard physical and electronic access; to train personnel on security matters; to report security incidents; and to be prepared for recovery actions. Standards are provided by TIBCO LogLogic.