
How to Scope Your Organization for NERC CIP


Knowing how to scope your organization for NERC CIP security assessments can be daunting. For many information security leaders at power and utility organizations, determining which IT and OT assets fall within the purview of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance requirements is often the greatest obstacle to knowing whether they are compliant. NERC CIP is the oldest regulatory standard for operating, securing, and protecting our Bulk Electric System (BES); the consequences of misuse are catastrophic and have far-reaching impacts on the electric grid as a whole, the organizations operating within the BES, and the consumers who rely on it every day. As of now, only 11 controls are being actively enforced; five are subject to future enforcement, and one is being transitioned to an inactive state.

With the rampant rise of attacks on cyber infrastructure, these compliance standards serve to mitigate the risks associated with operating in the BES and protect consumers and entities alike from the consequences of misuse and misoperation within bulk power systems. Read our blog to learn more about the NERC CIP standards.

CIP-002-5.1a: Cyber Security — BES Cyber System Categorization

Identify and categorize all your critical BES Cyber Systems and critical assets. This illustrates the risk associated with the misuse of systems within your cyber network and what could be affected in the operation of the BES.

According to NERC, this guideline serves to provide "bright-line" criteria for applicable Responsible Entities to categorize their BES Cyber Systems based on the impact of their associated Facilities, systems, and equipment, which, if destroyed, degraded, misused, or otherwise rendered unavailable, would affect the reliable operation of the Bulk Electric System.

In this standard, the initial scope should be limited to systems that directly influence the BES if compromised. Each such system should be placed in an impact category, and your organization's critical and non-critical cyber assets must be identified. Systems categorized under this guideline need to stay consistent with your risk management approach so that the cyber security requirements can be applied to them. Additionally, each system has associated cyber assets that must be accounted for, including Electronic Access Control or Monitoring Systems and Protected Cyber Assets. Responsible Entities will need to supply information on control centers and backup control centers, transmission stations and substations, generation resources, systems and facilities critical to system restoration, and special protection systems, and categorize the risk of each based on its impact on reliability.

CIP-003-7: Cyber Security — Security Management Control

In this standard, your organization must itemize and specify who has access to security management controls and what their role is. By doing so, all parties involved with operating the BES in your organization can be held accountable for their responsibilities in the event of misoperation.

CIP-003-7 is an extension of CIP-002-5.1a and operates in tandem with the rest of the controls in NERC CIP. Under this regulation, your entity must provide policy documents from a document management system that show a review of each cyber security policy at least once every 15 months by the respective functional entities.

CIP-004-6: Cyber Security - Personnel & Training

For this requirement, functional entities must provide evidence of background checks for their employees and logs proving review of cybersecurity policies, incident response plans, physical and electronic access controls, and the handling of cyber system information. This mandate uses a risk-based approach to evaluate the training of your organization's employees and to establish who has authorized access to critical cyber assets.

CIP-005-5: Cyber Security - Electronic Security Perimeter(s)

CIP-005-5 focuses on the scope of your Electronic Security Perimeter and the effort needed to maintain it. Your Electronic Security Perimeter should be secured against cyber threats and external transmissions and should serve to safeguard your organization's private data. All external communications and dial-up connections must additionally be filtered through a single protected access point. Remote access encryption, multi-factor authentication, and anti-malware updates must be in place to satisfy this guideline.

CIP-006-6: Cyber Security - Physical Security of BES Cyber Systems

This regulation outlines the Physical Security Perimeter around your cyber assets. To prove compliance with this guideline, you will need to show evidence of policies that restrict access to physical assets, monitor for unauthorized access, implement physical access controls, keep and retain logs of physical access, monitor the physical access controls themselves, implement an alerting system, and sustain the physical access control systems over time.

CIP-007-6: Cyber Security - System Security Management

This guideline focuses on best practices for managing your security systems. To satisfy CIP-007-6, technical, operational, and procedural requirements must be met by all entities operating under NERC. You will need to provide evidence of a software patching process that keeps your systems up to date, malware protection software, and password requirements covering both critical and non-critical cyber assets.

CIP-008-5: Cyber Security - Incident Reporting and Response Planning

For this regulation, your company needs to have policies and procedures in place to log and report incidents within your company or the BES. This entails an incident response plan and documentation of the roles and responsibilities of those involved. The mandate requires response tests to be administered every 15 months and all cybersecurity incidents to be reported to the Electricity Sector Information Sharing and Analysis Center.

CIP-009-6: Recovery Plans for BES Cyber Systems

CIP-009-6 focuses on industry best practices for recovering cyber assets and on the use of backup media in the event of an incident that causes data loss or corruption within BES systems. These safeguards must be put in place before an incident so that data can be preserved and restored quickly. Your recovery planning should include a documented recovery plan, change control, a backup and restoration process, and tested backup media, all of which comply with disaster recovery best practices and encompass every critical cyber asset.

CIP-010-2: Cyber Security - Configuration Change Management and Vulnerability Assessments

CIP-010-2 focuses on configuration monitoring procedures for cyber assets. For this, your organization must establish a baseline configuration for every BES Cyber System in operation. From there, you will need to run vulnerability assessments and monitor for any deviation from that baseline. Over time, changes to the baseline configuration must be documented and approved, with security audits performed at set intervals to verify the baseline configuration.
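The baseline-and-deviation idea behind CIP-010-2 can be made concrete in code. The following added example is not part of this article or of CyberStrong; the asset names, change record ids, software names, and patch labels are all constructed. It records a baseline for one BES Cyber Asset, diffs a fresh snapshot against it, and reports only the deviations that no approved change record explains.

```python
"""Baseline drift check in the spirit of CIP-010-2 (hypothetical example)."""
from dataclasses import dataclass


@dataclass
class Baseline:
    """Configuration attributes kept under change control for one asset."""
    asset: str
    os: str
    software: set[str]
    ports: set[int]
    patches: set[str]


# Constructed: approved change records keyed by (asset, attribute, change).
APPROVED_CHANGES = {
    ("ems-app01", "ports", "+8443"): "CR-0042",
}


def diff(base: Baseline, current: Baseline) -> list[tuple[str, str]]:
    """Return (attribute, change) pairs describing how current deviates from base."""
    found = []
    if base.os != current.os:
        found.append(("os", f"{base.os}->{current.os}"))
    for attr in ("software", "ports", "patches"):
        b, c = getattr(base, attr), getattr(current, attr)
        found += [(attr, f"+{x}") for x in sorted(c - b)]  # added since baseline
        found += [(attr, f"-{x}") for x in sorted(b - c)]  # removed since baseline
    return found


def unauthorized(base: Baseline, current: Baseline, approved: dict) -> list[tuple[str, str]]:
    """Deviations with no approved change record: the findings an auditor would raise."""
    return [(attr, chg) for attr, chg in diff(base, current)
            if (base.asset, attr, chg) not in approved]


def demo() -> list[tuple[str, str]]:
    # Constructed baseline and a later snapshot of the same asset.
    base = Baseline("ems-app01", "rhel-8", {"ems-core 4.2"}, {22, 443}, {"patch-2024-01"})
    current = Baseline("ems-app01", "rhel-8", {"ems-core 4.2", "unapproved-agent 1.0"},
                       {22, 443, 8443}, {"patch-2024-01"})
    return unauthorized(base, current, APPROVED_CHANGES)


if __name__ == "__main__":
    for attr, change in demo():
        print(f"UNAUTHORIZED DEVIATION {attr}: {change}")
```

Port 8443 is opened but covered by CR-0042, so only the unapproved software install is reported; in practice the baseline and the change records would come from your configuration management and ticketing systems.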

CIP-011-2: Cyber Security - Information Protection

CIP-011-2 focuses on protecting and securing BES cyber assets. Under this regulation, you must prove that your organization can identify and protect sensitive BES Cyber System Information. This information must be protected, stored, transmitted, and disposed of according to NERC requirements.

CIP-014-2: Physical Security

This requirement identifies and protects transmission stations, substations, and their primary control centers. If these are compromised, the result can be instability, uncontrolled separation, or cascading within an interconnection in the BES.

NERC CIP-014 focuses on the physical security plan for your organization and its connection to the BES. For this, your organization must meet risk requirements set by an external organization and have an incident response plan and proper training in place. The assets this control focuses on are transmission stations, substations, and their primary control centers.

Knowing Your Assets and Assessing for NERC CIP

As cybersecurity practices change, we can expect the scope of these mandates to keep expanding to meet the needs of organizations and consumers alike. These standards are necessary to protect our national electrical grid from bad actors and internal misuse. By taking a risk-based approach to NERC CIP compliance, keeping accurate records of your BES systems, and paying attention to new NERC CIP version releases, your organization can adjust to new regulations efficiently and effectively.

CyberStrong takes a unique approach to compliance management with continuous control monitoring to deliver real-time updates on control changes and why they occurred. Map controls between industry frameworks using synced automated crosswalking in seconds. Learn more about this cyber risk management software in a demo.
