
North American Electric Reliability Corporation Critical Infrastructure Protection

Mandatory cybersecurity standards protecting the North American power grid

Established: 2008 (mandatory); current version CIP-014-3
Last Updated: Ongoing (multiple standards updated regularly)
Scope: North American Bulk Electric System
Daily Penalty: $1M+

// What is NERC CIP?

NERC CIP standards are mandatory cybersecurity requirements for entities operating the North American bulk electric system. Unlike voluntary frameworks, CIP compliance is legally required—enforced by NERC under authority delegated by the Federal Energy Regulatory Commission (FERC) in the US and equivalent authorities in Canada.

The standards apply to Bulk Electric System (BES) Cyber Systems based on impact ratings (High, Medium, Low) that determine the rigor of required controls. High and Medium impact systems face the most stringent requirements, including personnel training, physical security, and comprehensive access controls.

CIP standards have evolved substantially since their introduction, with new requirements addressing supply chain security, incident response, and evolving threats to industrial control systems. Violations result in significant penalties, with some exceeding $10 million.

// Inside the Regulation

NERC CIP comprises multiple standards (CIP-002 through CIP-014), each addressing specific security domains. Entities must comply with requirements based on their BES Cyber System impact categorization.

1. BES Cyber System Categorization (CIP-002-5.1a)

The foundation of CIP compliance—categorizing systems based on their impact on reliable grid operation.

High Impact Rating

Control centers controlling 3,000 MW or more of generation, or responsible for the integrity of an interconnection. The most stringent requirements apply.

Medium Impact Rating

Transmission stations operating at 500 kV or above, generation resources of 1,500 MW or more, and control centers not meeting the High criteria.

Low Impact Rating

BES Cyber Systems not meeting the High or Medium criteria. Reduced, but still mandatory, requirements apply.

BES Cyber Asset Identification

Identify all Cyber Assets essential to reliable operation of categorized BES Cyber Systems.

2. Security Management Controls (CIP-003-8 through CIP-006-6)

Foundational security management, personnel, and physical security requirements.

Security Management Controls (CIP-003)

Document cybersecurity policies, assign security responsibility, and establish security awareness programs.

Personnel and Training (CIP-004)

Personnel risk assessment, cybersecurity training, and access management. Background checks for personnel with cyber or physical access.

Electronic Security Perimeter (CIP-005)

Define Electronic Security Perimeters, control electronic access points, monitor for unauthorized access, and manage remote access securely.

Physical Security (CIP-006)

Physical Security Plans for locations housing High/Medium impact BES Cyber Systems, including physical access controls and monitoring.

3. Systems Security Management (CIP-007-6 through CIP-010-4)

Technical controls for system hardening, incident response, recovery, and configuration management.

System Security Management (CIP-007)

Ports and services management, security patch management, malicious code prevention, and security event monitoring.

Incident Reporting and Response (CIP-008)

Cyber Security Incident response plan, testing, and reporting requirements. Reportable incidents must be reported to the E-ISAC within the required timeframes.

Recovery Plans (CIP-009)

Recovery plans for BES Cyber Systems, backup/recovery procedures, and annual testing of recovery plans.

Configuration and Vulnerability (CIP-010)

Baseline configurations, configuration change management, and vulnerability assessments at least every 35 months.
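The CIP-010 and CIP-007 items above describe a documented baseline per BES Cyber Asset, a change-management process for deviations from it, and control over which network-accessible ports are enabled. The following is an added illustrative example (not code from the page, from NERC, or from Breach Craft) of how a configuration review can mechanize that: it diffs an observed asset state against its documented baseline, subtracts the deviations that an authorized change record covers, and reports the rest as findings, so an undocumented listener shows up as both a baseline deviation and a ports/services issue. The asset, software names, port numbers and change-record IDs are all constructed sample data, and the five baseline elements are a simplified rendering of the CIP-010 R1 list.

```python
# Added example, not the page's or NERC's own code. Models a CIP-010 baseline
# configuration plus change-management review and a CIP-007 ports/services
# check. All asset names, ports, software and change IDs are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Simplified form of the baseline elements CIP-010 R1 calls for."""
    os_version: str
    software: frozenset        # "name==version" for commercial/open-source software
    custom_software: frozenset  # custom scripts and applications
    ports: frozenset           # logical network accessible ports, e.g. "tcp/502"
    patches: frozenset         # applied security patch identifiers


@dataclass(frozen=True)
class Deviation:
    element: str  # which baseline element differs
    change: str   # "added", "removed" or "changed"
    value: str


def diff_baseline(baseline: Baseline, observed: Baseline) -> list[Deviation]:
    """Every difference between the documented baseline and the observed state."""
    deviations: list[Deviation] = []
    if observed.os_version != baseline.os_version:
        deviations.append(Deviation("os_version", "changed",
                                    f"{baseline.os_version} -> {observed.os_version}"))
    for element in ("software", "custom_software", "ports", "patches"):
        before = getattr(baseline, element)
        after = getattr(observed, element)
        deviations += [Deviation(element, "removed", v) for v in sorted(before - after)]
        deviations += [Deviation(element, "added", v) for v in sorted(after - before)]
    return deviations


def unauthorized_changes(baseline: Baseline, observed: Baseline,
                         authorized: dict[str, set]) -> list[Deviation]:
    """Deviations not covered by any authorized change record.

    `authorized` maps a change-record ID to the set of deviations it approved.
    Anything observed that no record covers is a change-management finding;
    an uncovered "ports added" entry is also a CIP-007 ports/services finding.
    """
    covered = set().union(*authorized.values())
    return [d for d in diff_baseline(baseline, observed) if d not in covered]


# Constructed sample: a substation gateway's documented baseline versus what a
# periodic configuration review observed on the device.
BASELINE = Baseline(
    os_version="vendor-os 4.2",
    software=frozenset({"scada-gateway==7.1", "ntp-client==3.0"}),
    custom_software=frozenset({"point-mapper-script v2"}),
    ports=frozenset({"tcp/502", "tcp/22"}),
    patches=frozenset({"VND-2023-011"}),
)
OBSERVED = Baseline(
    os_version="vendor-os 4.2",
    software=frozenset({"scada-gateway==7.2", "ntp-client==3.0"}),
    custom_software=frozenset({"point-mapper-script v2"}),
    ports=frozenset({"tcp/502", "tcp/22", "tcp/8080"}),
    patches=frozenset({"VND-2023-011", "VND-2024-003"}),
)
# Change records on file (constructed): CR-101 authorized the gateway upgrade
# and the patch that shipped with it. Nothing authorized the new tcp/8080 listener.
AUTHORIZED = {
    "CR-101": {
        Deviation("software", "removed", "scada-gateway==7.1"),
        Deviation("software", "added", "scada-gateway==7.2"),
        Deviation("patches", "added", "VND-2024-003"),
    },
}


def review() -> list[Deviation]:
    """Run the review over the constructed sample; returns the open findings."""
    return unauthorized_changes(BASELINE, OBSERVED, AUTHORIZED)


if __name__ == "__main__":
    for d in review():
        print(f"FINDING: {d.element} {d.change}: {d.value}")
```

Because `Deviation` is a frozen dataclass, equality and hashing are by field value, so an authorized change record is simply the set of deviations it approves and the review is a set difference. In practice the observed `Baseline` would be built from the asset's actual inventory output; the point of the structure is that every change reaching production must already exist as an authorized record, which is the evidence an auditor asks for.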

4. Supply Chain and Physical Security (CIP-013-2, CIP-014-3)

Newer standards addressing supply chain risk and physical security of transmission substations.

Supply Chain Risk Management (CIP-013)

Develop plans addressing supply chain risks for High/Medium impact BES Cyber Systems. Includes vendor risk management processes.

Physical Security (CIP-014)

Risk assessment and security plans for transmission stations and control centers critical to grid reliability.

Note: CIP compliance is verified through NERC Regional Entity audits. Self-reports and periodic data submittals are required. The CIP enforcement process includes compliance monitoring, violation investigation, and penalty determination with FERC oversight.

// Who Must Comply

  1. Balancing Authorities managing electric grid balance
  2. Generation Owners and Operators above thresholds
  3. Transmission Owners and Operators
  4. Reliability Coordinators
  5. Distribution Providers with certain facilities
  6. Regional Transmission Organizations and Independent System Operators

// Key Requirements

Asset Categorization

Identify and categorize all BES Cyber Systems by impact rating (High, Medium, Low)

Electronic Security Perimeter

Define and protect electronic access points to BES Cyber Systems

Personnel Training

Conduct cybersecurity training and background checks for personnel with access

Configuration Management

Maintain baseline configurations and manage changes through documented processes

Incident Response

Maintain and test incident response plans with required reporting to E-ISAC

Recovery Planning

Develop, maintain, and annually test recovery plans for BES Cyber Systems

// Enforcement & Penalties

NERC CIP violations can result in substantial daily penalties, with FERC having authority to impose penalties up to $1 million per day per violation. Penalty amounts depend on violation severity, risk to grid reliability, and compliance history.

Maximum Penalty

$1 million per violation per day

Examples:

  • Duke Energy - $10 million penalty for 127 violations across CIP standards (2019)
  • Unidentified entity - $2.7 million for electronic access control violations (2018)
  • Pacific Gas & Electric - $2.7 million for physical and electronic security violations (2017)
  • Multiple entities - Penalties for supply chain security and access management failures

// Cyber Insurance Impact

Cyber insurers for critical infrastructure operators require evidence of CIP compliance. Given the mandatory nature and significant penalties, coverage often depends on demonstrated compliance status. Policies may include specific exclusions for penalties arising from willful CIP violations.

// How Breach Craft Helps

We help organizations achieve NERC CIP compliance through genuine security improvements—not checkbox exercises. Our services address the specific requirements and challenges of NERC CIP.


Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873