Lessons from NERC CIP
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are a set of mandatory cybersecurity standards that apply to the bulk power system in North America. There are currently 13 CIP standards that cover a range of cybersecurity requirements. Here is a brief overview of each standard:
CIP-001 – Sabotage Reporting: Requires the development of a procedure to report any suspicious activities that could lead to physical damage to the Bulk Electric System (BES).
CIP-002 – Critical Cyber Asset Identification: Defines the criteria for identifying and categorizing assets that are essential to the reliable operation of the BES.
CIP-003 – Security Management Controls: Requires the development of security management controls that establish a framework for managing the security of critical cyber assets.
CIP-004 – Personnel and Training: Requires the development of a training program for personnel with access to critical cyber assets.
CIP-005 – Electronic Security Perimeter(s): Requires the development of policies and procedures to protect the electronic security perimeter of critical cyber assets.
CIP-006 – Physical Security of Critical Cyber Assets: Requires the development of physical security measures to protect critical cyber assets from unauthorized access.
CIP-007 – System Security Management: Requires the development of a system security management plan that outlines the processes and procedures used to identify, assess, and correct security issues.
CIP-008 – Incident Reporting and Response Planning: Requires the development of a plan for reporting and responding to cybersecurity incidents.
CIP-009 – Recovery Plans for Critical Cyber Assets: Requires the development of a recovery plan for critical cyber assets in the event of a cybersecurity incident.
CIP-010 – Configuration Change Management and Vulnerability Assessments: Requires the development of a configuration change management and vulnerability assessment program for critical cyber assets.
CIP-011 – Information Protection: Requires the development of policies and procedures to protect sensitive information related to critical cyber assets.
CIP-012 – Cyber Security Information Protection: Requires the development of a plan to protect sensitive cybersecurity information.
CIP-013 – Supply Chain Risk Management: Requires the development of a supply chain risk management program to ensure the security of equipment, software, and services that are part of the BES.