NERC CIP Standards 002-009
The North American Electric Reliability Corporation (NERC) is a non-profit corporation chartered to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, commonly referred to as the NERC CIP Standards 002-009, which are designed to ensure the protection of the Critical Cyber Assets which control or affect the reliability of North America’s bulk electricity systems.
NERC CIP standards and guidelines apply to all Responsible Entities (REs) within the bulk-power system. To be compliant with the new CIP standards, REs are required to retain 12 months of auditable data, documents and records on their information security controls, and to retain specific logs for 90 days. There are nine NERC CIP requirements:
- CIP-002-1: Critical Cyber Asset Identification - Requires the identification and documentation of a risk-based assessment methodology which, applied annually, identifies Critical Assets.
- CIP-003-1: Security Management Controls - Specifies that security management controls be implemented: information associated with Critical Cyber Assets must be classified and protected, access control to this information must be maintained, and change control must be documented.
- CIP-004-1: Personnel and Training - Requires that REs maintain a security awareness and training program for personnel having authorized cyber access or authorized unescorted physical access.
- CIP-005-1: Electronic Security Perimeters - Dictates that Electronic Security Perimeter(s) (ESP) and all access points to the perimeter(s) must be identified and all Critical Cyber Assets must reside within the ESP(s). REs must implement electronic access controls, continuously monitor access and conduct annual vulnerability assessments at access points.
- CIP-006-1: Physical Security of Critical Cyber Assets - Specifies that an RE create and maintain an approved physical security plan and implement access controls as well as monitoring of the access points to Physical Security Perimeter(s).
- CIP-007-1: Systems Security Management - Specifies that a broad range of methods, processes and procedures for securing Critical and non-critical Cyber Assets within the ESP(s), such as patch management, malicious software prevention, annual vulnerability assessment and port and service lockdown, be implemented and documented for Cyber Assets within the ESP(s).
- CIP-008-1: Incident Reporting and Response Planning - Dictates maintaining a Cyber Security Incident response plan and retaining Incident documentation for a period of 3 years.
- CIP-009-1: Recovery Plans for Critical Cyber Assets - Specifies the creation and annual review of recovery plan(s) for Critical Cyber Assets, including backup and storage of the information needed to successfully restore Critical Cyber Assets.
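The port and service lockdown called for under CIP-007 is the one control in the list above that lends itself directly to a repeatable technical check: every listening port on a Cyber Asset inside the ESP should either be on a documented, justified allowlist or be disabled. The script below is an added illustration of such a check and is not part of the NERC standards or any vendor's tooling. It parses a socket listing in the shape of Linux `ss -ltunp` output and reports listeners that have no documented justification. The sample socket listing, the asset's allowlist, the process names and the justification strings are all constructed for this example.

```python
"""Audit listening services on a Cyber Asset against a documented allowlist,
in the spirit of the CIP-007 port and service lockdown requirement.

Added example. The allowlist, justifications and the sample socket listing
below are constructed for illustration and do not describe any real system.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A listener as recovered from the socket listing.
@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp"
    addr: str      # local bind address
    port: int
    process: str   # process name if the listing carried one, else "unknown"

# Constructed sample in the shape of `ss -H -ltunp` output:
# Netid State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128 0.0.0.0:502     0.0.0.0:* users:(("modbusd",pid=1203,fd=5))
tcp   LISTEN 0 128 127.0.0.1:5432  0.0.0.0:* users:(("postgres",pid=990,fd=6))
tcp   LISTEN 0 5   0.0.0.0:23      0.0.0.0:* users:(("telnetd",pid=1410,fd=3))
udp   UNCONN 0 0   0.0.0.0:161     0.0.0.0:* users:(("snmpd",pid=877,fd=7))
"""

# Constructed allowlist for one asset: (protocol, port) -> documented justification.
# Under CIP-007 every enabled port/service needs a written reason to exist.
ALLOWLIST: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "Remote administration over SSH from the ESP access point jump host",
    ("tcp", 502): "Modbus/TCP polling by the SCADA master",
    ("udp", 161): "SNMP monitoring by the network management system",
}

# One `ss` line: proto, state, queues, local addr:port, peer, optional process info.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss_output(text: str) -> List[Listener]:
    """Turn `ss`-style lines into Listener records; unparseable lines are skipped."""
    listeners = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        listeners.append(
            Listener(m["proto"], m["addr"], int(m["port"]), m["proc"] or "unknown")
        )
    return listeners


def is_loopback(addr: str) -> bool:
    """Loopback-only binds are unreachable across the ESP, so they rank lower."""
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def audit_listeners(listeners: List[Listener],
                    allowlist: Dict[Tuple[str, int], str]) -> List[dict]:
    """Return one finding per listener that has no documented justification."""
    findings = []
    for lst in listeners:
        if (lst.proto, lst.port) in allowlist:
            continue
        findings.append({
            "proto": lst.proto,
            "port": lst.port,
            "process": lst.process,
            "bind": lst.addr,
            # Network-reachable undocumented services are the real lockdown gap.
            "severity": "low" if is_loopback(lst.addr) else "high",
            "reason": "listening port/service has no documented justification",
        })
    return findings


def compliance_report(text: str, allowlist: Dict[Tuple[str, int], str]) -> dict:
    """Summarise an asset's listing: how many listeners are documented vs. not."""
    listeners = parse_ss_output(text)
    findings = audit_listeners(listeners, allowlist)
    return {
        "assessed": len(listeners),
        "documented": len(listeners) - len(findings),
        "undocumented": findings,
    }


if __name__ == "__main__":
    report = compliance_report(SAMPLE_SS_OUTPUT, ALLOWLIST)
    print(f"{report['documented']}/{report['assessed']} listeners documented")
    for f in report["undocumented"]:
        print(f"[{f['severity']}] {f['proto']}/{f['port']} ({f['process']}, bound to {f['bind']}): {f['reason']}")
```

Run against the constructed sample, the report flags the telnet listener on a network-reachable address as a high-severity gap and the loopback-only database listener as low severity; the three allowlisted services pass. The per-port justification strings in the allowlist double as the documentation an auditor would ask for, which is why the allowlist maps to text rather than being a plain set.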