NERC CIP Reliability Standards
NERC has passed the following nine Critical Infrastructure Protection (CIP) cyber-security reliability standards, with which NERC-registered entities must comply.
CIP-001 Sabotage Reporting
CIP-002 Critical Cyber Assets
All network assets must be audited to identify Critical Cyber Assets. A risk-based assessment methodology should be used, with annual reviews.
CIP-003 Security Management Controls
Access control levels for critical assets, such as Internet-facing systems and critical backend systems, should be documented. Solutions should be in place to mitigate risks.
CIP-004 Personnel & Training
Employees should be trained on policies, access controls and general awareness issues.
CIP-005 Electronic Security
An Electronic Security Perimeter should be established that provides the following:
Disabling of non-essential computer ports & services
Monitoring and logging of computer access 24/7, 365 days a year
Annual Vulnerability Assessments
Documentation of Network Changes
CIP-006 Physical Security
Physical security access controls that provide perimeter monitoring and logging should be documented and implemented.
CIP-007 Systems Security Management
All procedures for securing Critical Assets should include automated controls. System and network events should be monitored automatically with alerts sent to key personnel.
CIP-008 Incident Reporting & Response
All cyber security incidents should be addressed by an internal computer incident response team (CIRT) and reported to the Electricity Sector Information Sharing and Analysis Center (ES ISAC).
CIP-009 Disaster Recovery
A disaster recovery plan should be created and tested with annual drills.