AICPA SOC Service Organizations - Certrec
NERC Primers

A Primer on NERC CIP Standards

NERC CIP Standards: Why Are They Important?

The NERC CIP standards are mandatory security standards that apply to utility companies connected to the North American power grid. The CIP standards establish a baseline set of cybersecurity measures aimed at regulating, enforcing, monitoring, and managing the security of the Bulk Electric System (BES) in North America. The CIP standards were initially approved by the Federal Energy Regulatory Commission (FERC) in 2008 to ensure appropriate security controls are in place to protect BES and its users and customers from all threats that may affect its timely and effective functioning.

What are NERC CIP Standards?

According to the NERC, NERC Reliability Standards define the reliability requirements for planning and operating the North American bulk power system and are developed using a results-based approach that focuses on performance, risk management, and entity capabilities.

What are NERC 693 Standards?

NERC 693 standards govern all stages of the energy process from generation to distribution to transmission. The standards are updated all the time to ensure the North American energy supply is protected and efficient. These constant updates can jeopardize your ability to prove compliance.

What are the NERC CIP requirements?

Entities must identify critical assets and regularly perform a risk analysis of those assets. They must also define policies for monitoring and changing the configuration of critical assets and for governing access to those assets.

How many NERC CIP Reliability Standards are there?

There are about 13 NERC CIP standards that help with the reliability of your cybersecurity system though the NERC plans on introducing more in the future. Within the standards, there are references to “critical assets” and “responsible entities.”

How often are NERC CIP audits?

According to NERC, NERC CIP audits are undertaken once every five years:

“Each Regional Entity Compliance Monitoring and Enforcement Program shall be audited at least once every five years.”  Source: NERC

Who uses NERC Reliability Standards?

Cybersecurity professionals who work within the electrical grid and other critical infrastructure supply industries are mandated to comply with NERC CIP (CIP meaning critical infrastructure protection).

NERC CIP standards are enforced by audit, so energy organizations must allocate substantial time, resources and budgets to making sure that their systems stay in compliance with the standard. This can be difficult and expensive and very time consuming, as the CIP standards require they implement a complex set of cybersecurity controls around their physical and cyber assets and maintain ongoing proof of NERC compliance for auditors. The standards also change frequently, and NERC CIP experts are hard to find!

Organizations often implement cybersecurity software and hardware solutions to automate NERC CIP compliance within their systems.

The vision for the Electric Reliability Organization Enterprise, which is comprised of NERC and the six Regional Entities, is a highly reliable and secure North American bulk power system. Our mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid.— NERC

Is there training I can receive on NERC CIP?

Yes. The NATIONAL INITIATIVE FOR CYBERSECURITY CAREERS AND STUDIES introduces the Critical Infrastructure Protection (CIP) concept, Security Threats to Industrial Control Systems (ICS), and the Reliability Standards developed by the North American Electric Reliability Corporation (NERC). It’s a live, 5-day training course that empowers students with knowledge of the “what” and the “how” of the version 5/6 standards.

Who do the NERC CIP standards apply to?

The industries affected by NERC CIP standards are those that make up the bulk power system (BPS), both power and infrastructure. In real terms this includes every party involved with the electric grid and power systems across North America.

According to the US Department of Energy, the electric system and power grid break down into three main areas or industries:

  • Generation
  • Transmission
  • Distribution

Electricity is generated by converting other renewable and non-renewable primary energy sources into electrical charge. Then, it’s transmitted across the nation and distributed to its various end-users.

Ownership of these industries is spread across a wide variety of entities:

  • Investor-Owned Utilities (IOUs) are private, monopoly utilities that generate and distribute power to the electric customer, over their defined service territory. Typically, electricity from IOUs comes from a combination of producing their own power and purchasing electricity from public and private markets. About 130 IOUs own about 40 percent of generation, 80 percent of transmission, and 50 percent of the distribution.
  • Publicly-Owned Utilities and Cooperatives – There are about 2,900 such entities who own about 15 percent of generation, 12 percent of transmission, and 50 percent of the distribution. See APPA
  • Independent Power Producers – Around 2,800 of these independent entities own about 40 percent of generation. See IEPA
  • Electric Power Marketers – A combined 211 such marketers own about 19 percent of sales of electricity to consumers.
    The Federal Government – There are nine agencies owned by the government, which collectively account for seven percent of generation and eight percent of transmission.

Beyond ownership, the management of the grid comes down to a couple of other parties, of which the following two are probably the most important ones helping to run the grid:

  • Independent system operators (ISOs)
  • Regional transmission organizations (RTOs)

Another interesting point to note is that nuclear power plants are NOT measured by NERC CIP standards.

See this extract from the Federal Register:

1. Background


2. The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), developed the CIP Reliability Standards that require certain users, owners and operators of the Bulk-Power System, including generator owners and operators, to comply with specific requirements to safeguard critical cyber assets. In January 2008, pursuant to section 215 of the Federal Power Act (FPA).

The Commission approved the CIP Reliability Standards. In addition, pursuant to section 215(d)(5) of the FPA.

The Commission directed the ERO to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission.


3.  Each CIP Reliability Standard includes an exemption for facilities regulated by the NRC. For example, Reliability Standard CIP-002-1 provides:

The following are exempt from Standard CIP-002: Facilities regulated by the U.S. Nuclear Regulatory Commission * * *.


4. In an April 8, 2008 public joint meeting of the Commission and the NRC, staff of both Commissions discussed cyber security at nuclear power plants. While indicating that the NRC has proposed regulations to address cyber security at nuclear power plants, NRC staff raised a concern regarding a potential gap in regulatory coverage.

In particular, NRC staff indicated that the NRC’s proposed regulations on cyber security would not apply to all systems within a nuclear power plant. NRC staff explained:

The NRC’s cyber requirements are not going to extend to power continuity systems. They do not extend directly to what is not directly associated with reactor safety security or emergency response. * * * 

As a result, and when you look at the CIP standards that were issued, there is a discrete statement in each of the seven or eight standards where it specifically exempts facilities regulated by the United States Nuclear Regulatory Commission from compliance with those CIP Standards. So there is an issue there in the sense that our regulations for cyber security go up to a certain point, and end.


5. On September 18, 2008, the Commission issued an Order on Proposed Clarification.

Explaining its concern that a gap may exist in the regulatory process due to the provision in each of the CIP Reliability Standards exempting “facilities regulated by the U.S. Nuclear Regulatory Commission.” On the understanding that some facilities within a nuclear power plant would not be subject to compliance with cyber security regulations developed by the NRC, the Commission proposed to clarify that the facilities within a nuclear power plant in the United States that are not regulated by the NRC are subject to compliance with the CIP Reliability Standards approved in Order No. 706. The Commission explained its proposal and sought comment on not only the Proposed Clarification, but also two additional questions: (1) Whether a clear delineation exists between those facilities in a nuclear power plant which relate to safety and security, and the non-safety related “balance of plant,” and if a clear delineation does not exist, whether there is a need for owners and/or operators of nuclear power plants to identify the specific facilities that pertain to reactor safety, security or emergency response and are subject to NRC jurisdiction, and the balance of plant that is subject to the eight CIP Reliability Standards; and (2) if nuclear power plants were to be required to implement the CIP Reliability Standards, whether Table 3 of the implementation plan approved in Order No. 706 should control the implementation schedule.

See the order dismissing compliance filing here.

Just getting started with NERC CIP? Check out some of our resources