The NERC CIP (North American Electric Reliability Corporation critical infrastructure protection) plan is a set of requirements designed to secure the assets required for operating North America's bulk electric system.
The NERC CIP plan consists of 9 standards and 45 requirements covering the security of electronic perimeters and the protection of critical cyber assets as well as personnel and training, security management and disaster recovery planning.
- CIP-002-1: Critical Cyber Asset Identification
- CIP-003-1: Security Management Controls
- CIP-004-1: Personnel and Training
- CIP-005-1: Electronic Security Perimeters
- CIP-006-1: Physical Security of Critical Cyber Assets
- CIP-007-1: Systems Security Management
- CIP-008-1: Incident Reporting and Response Planning
- CIP-009-1: Recovery Plans for Critical Cyber Assets
The CIP program coordinates all of NERC's efforts to improve the North American power system's security. These efforts include standards development, compliance enforcement, assessments of risk and preparedness, the dissemination of critical information and raised awareness regarding key security issues. NERC's standards for governing critical infrastructure apply to entities that "materially impact" the reliability of the bulk power system. These entities include owners, operators and users of any portion of the system.
Under NERC CIP, covered entities are required to identify critical assets and to regularly perform a risk analysis of those assets. Policies for monitoring and changing the configuration of critical assets need to be defined, as do policies governing access to those assets. In addition, NERC CIP requires the use of firewalls to block vulnerable ports and the implementation of cyber attack monitoring tools. Organizations are also required to enforce IT controls protecting access to critical cyber assets. Systems for monitoring security events must be deployed, and organizations must have comprehensive contingency plans for cyber attacks, natural disasters and other unplanned events.
Penalties for non-compliance with NERC CIP can include fines, sanctions or other actions against covered entities. Because NERC is a trans-national organization, the exact penalties vary from country to country.