NERC CIP
North American Electric Reliability Corporation — Critical Infrastructure Protection Standards
Standard Introduction
NERC CIP (Critical Infrastructure Protection) is a set of mandatory cybersecurity and physical security standards developed by the North American Electric Reliability Corporation to protect the Bulk Electric System (BES). Approved by the Federal Energy Regulatory Commission (FERC) under the Energy Policy Act of 2005, these standards are legally enforceable for all BES owners, operators, and users across North America.
The NERC CIP framework comprises over 12 standards (CIP-002 through CIP-014, plus newer additions) covering cyber asset identification, security management controls, personnel training, electronic and physical security perimeters, system security management, incident response, recovery planning, configuration management, vulnerability assessment, information protection, supply chain risk management, and physical security. Violations carry penalties up to $1.3 million per violation per day, with compliance monitored through regional entities such as ReliabilityFirst and SERC.
Bulk Electric System Protection
Mandatory cybersecurity and physical security standards protecting the critical infrastructure of the North American electric grid serving over 400 million people.
Regulatory Enforcement
FERC-approved standards with legally binding compliance requirements. Violations can result in penalties up to $1.3 million per violation per day.
Defense-in-Depth
Comprehensive set of 12+ standards (CIP-002 through CIP-014) covering asset identification, access control, incident response, physical security, and supply chain risk management.
CIP Standard Areas
- BES Cyber System categorization (CIP-002)
- Security management controls and policies (CIP-003)
- Personnel and training requirements (CIP-004)
- Electronic security perimeters and access (CIP-005)
- Physical security of BES Cyber Systems (CIP-006)
- System security management and patching (CIP-007)
- Incident reporting and response planning (CIP-008)
- Recovery plans for BES Cyber Systems (CIP-009)
Who Needs to Comply?
Owners and operators of the Bulk Electric System (BES) in North America — including electric utilities, transmission operators, generation operators, reliability coordinators, and balancing authorities.
Key Requirements
BES Cyber System Identification
Identify and categorize BES Cyber Systems as high, medium, or low impact based on their criticality to Bulk Electric System reliability using criteria defined in CIP-002.
Electronic Security Perimeters
Define and protect Electronic Security Perimeters (ESPs) around high and medium impact BES Cyber Systems. Control all inbound and outbound network traffic through identified Electronic Access Points.
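The ESP requirement above is easiest to reason about as a check you can actually run over firewall records: every flow that crosses the perimeter must (a) pass through a declared Electronic Access Point and (b) match a documented, justified allow rule. The script below is an added illustration of that audit; it is not part of the NERC standards or of this page. The ESP address range, the EAP address, the allow-list and the flow records are all constructed for the example, and a real entity would take them from its own CIP-005 documentation and firewall logs.

```python
"""Added example (not from the NERC page): audit flow records against a
declared Electronic Security Perimeter (ESP).

Assumptions (all constructed for illustration): the ESP is the 10.20.0.0/24
subnet, the single Electronic Access Point (EAP) is the firewall at
10.20.0.1, and ALLOW_RULES is the documented set of permitted inbound and
outbound flows. Real values come from the entity's own CIP-005 records."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ESP = ip_network("10.20.0.0/24")            # assumed ESP address space
EAP_ADDRESSES = {ip_address("10.20.0.1")}   # assumed Electronic Access Point(s)


@dataclass(frozen=True)
class Rule:
    direction: str      # "inbound" or "outbound" relative to the ESP
    peer: str           # network outside the ESP allowed to talk
    dst_port: int
    protocol: str
    justification: str  # each permitted path needs a documented need


# Assumed, documented allow-list for this ESP (constructed).
ALLOW_RULES = [
    Rule("inbound", "10.99.5.0/24", 443, "tcp", "jump host to HMI web console"),
    Rule("outbound", "10.99.9.10/32", 514, "udp", "syslog to security monitoring"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    protocol: str
    via: str  # address of the device that forwarded the flow


def classify(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow record."""
    src, dst, via = ip_address(flow.src), ip_address(flow.dst), ip_address(flow.via)
    src_in, dst_in = src in ESP, dst in ESP
    if src_in == dst_in:
        # Both ends inside (or both outside): the ESP boundary is not crossed.
        return ("internal" if src_in else "external", "does not cross the ESP")
    direction = "inbound" if dst_in else "outbound"
    peer = src if direction == "inbound" else dst
    if via not in EAP_ADDRESSES:
        # Crossing the perimeter anywhere but a declared EAP is the key finding.
        return ("bypass", f"{direction} flow crossed ESP via {via}, not a declared EAP")
    for r in ALLOW_RULES:
        if (r.direction == direction and peer in ip_network(r.peer)
                and r.dst_port == flow.dst_port and r.protocol == flow.protocol):
            return ("permitted", r.justification)
    return ("undocumented",
            f"{direction} {flow.protocol}/{flow.dst_port} with {peer} has no allow rule")


def audit(flows):
    """Classify every flow; returns (flow, verdict, reason) triples."""
    return [(f, *classify(f)) for f in flows]


def findings(flows):
    """Only the results an auditor must act on: bypasses and undocumented paths."""
    return [(f, v, why) for f, v, why in audit(flows) if v in ("bypass", "undocumented")]


SAMPLE_FLOWS = [  # constructed log records
    Flow("10.99.5.7", "10.20.0.50", 443, "tcp", "10.20.0.1"),    # matches rule 1
    Flow("10.20.0.50", "10.99.9.10", 514, "udp", "10.20.0.1"),   # matches rule 2
    Flow("10.99.5.7", "10.20.0.50", 22, "tcp", "10.20.0.1"),     # via EAP, no rule
    Flow("10.99.7.3", "10.20.0.60", 502, "tcp", "10.20.0.254"),  # crossed via undeclared path
    Flow("10.20.0.50", "10.20.0.51", 502, "tcp", "10.20.0.50"),  # stays inside the ESP
]

if __name__ == "__main__":
    for f, verdict, why in audit(SAMPLE_FLOWS):
        print(f"{verdict:12} {f.src}->{f.dst}:{f.dst_port}/{f.protocol}  {why}")
```

The two verdicts worth alerting on are different in kind: an "undocumented" flow passed through the EAP but has no justified rule behind it, which is a rule-set or documentation gap, while a "bypass" means traffic reached a BES Cyber System without transiting any declared access point, which means the perimeter itself is not what the CIP-005 records claim it is.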
Physical Security Controls
Implement physical security plans for high and medium impact BES Cyber Systems including defined Physical Security Perimeters, access logging, visitor management, and monitoring.
Incident Response Planning
Develop, maintain, and test Cyber Security Incident Response Plans. Report Cyber Security Incidents to the Electricity Subsector ISAC (E-ISAC) within specified timeframes.
Supply Chain Risk Management
Implement a supply chain cyber security risk management plan (CIP-013) for high and medium impact BES Cyber Systems covering vendor assessment, software integrity, and remote access management.
Penalties & Enforcement
FERC can impose penalties up to $1,291,894 per violation per day. Systemic violations have resulted in fines exceeding $10 million. Non-compliance may also trigger mandatory corrective action plans, increased audit scrutiny, and public disclosure of violations.