NERC CIP (critical infrastructure protection)

The NERC CIP (critical infrastructure protection) plan is a set of requirements designed to secure assets vital to reliably operating North America's bulk electric system.

The NERC CIP (North American Electric Reliability Corporation critical infrastructure protection) plan is a set of requirements designed to secure the assets required for operating North America's bulk electric system

The NERC CIP plan consists of 9 standards and 45 requirements covering the security of electronic perimeters and the protection of critical cyber assets as well as personnel and training, security management and disaster recovery planning

  • CIP-002-1: Critical Cyber Asset Identification
  • CIP-003-1: Security Management Controls
  • CIP-004-1: Personnel and Training
  • CIP-005-1: Electronic Security Perimeters
  • CIP-006-1: Physical Security of Critical Cyber Assets
  • CIP-007-1: Systems Security Management
  • CIP-008-1: Incident Reporting and Response Planning
  • CIP-009-1: Recovery Plans for Critical Cyber Assets

The CIP program coordinates all of NERC's efforts to improve the North American power system's security. These efforts include standards development, compliance enforcement, assessments of risk and preparedness, the dissemination of critical information and raised awareness regarding key security issues. NERC's standards for governing critical infrastructure apply to entities that "materially impact" the reliability of the bulk power system. These entities include owners, operators and users of any portion of the system.

Under NERC CIP, covered entities are required to identify critical assets and to regularly perform a risk analysis of those assets. Policies for monitoring and changing the configuration of critical assets need to be defined, as do policies governing access to those assets. In addition, NERC CIP requires the use of firewalls to block vulnerable ports and the implementation of cyber attack monitoring tools. Organizations are also required to enforce IT controls protecting access to critical cyber assets. Systems for monitoring security events must be deployed, and organizations must have comprehensive contingency plans for cyber attacks, natural disasters and other unplanned events.

Penalties for non-compliance with NERC CIP can include fines, sanctions or other actions against covered entities. Because NERC is a trans-national organization, the exact penalties vary from country to country.

 

 

This was first published in July 2012

Continue Reading About NERC CIP (critical infrastructure protection)

Glossary

'NERC CIP (critical infrastructure protection)' is part of the:

View All Definitions

Dig deeper on Risk management and compliance

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

File Extensions and File Formats

Powered by:

SearchCIO

SearchHealthIT

SearchCloudComputing

SearchDataCenter

SearchDataManagement

SearchSecurity

Close