NERC CIP Standards 002-009

The North American Electric Reliability Corporation (NERC) is a non-profit corporation chartered to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, commonly referred to as the NERC CIP Standards 002-009, which are designed to ensure the protection of the Critical Cyber Assets which control or affect the reliability of North America’s bulk electricity systems.

NERC CIP standards and guidelines apply to all Responsible Entities (REs) within the bulk-power system, which are required to retain 12 months of auditable data, documents and records on their information security controls and specific logs for 90 days in order to be compliant with the new CIP standards. There are nine NERC CIP requirements:

  • CIP-002-1: Critical Cyber Asset Identification - Requires the identification and documentation of a risk-based assessment methodology which applied annually will identify Critical Assets.
  • CIP-003-1: Security Management Controls - Specifies that security management controls be implemented - information associated with Critical Cyber Assets must be classified and protected, access control to this information must be maintained and change control must be documented.
  • CIP-004-1: Personnel and Training - Requires that REs must include a security awareness and training program for personnel having authorized cyber or authorized unescorted physical access.
  • CIP-005-1: Electronic Security Perimeters - Dictates that Electronic Security Perimeter(s) (ESP) and all access points to the perimeter(s) must be identified and all Critical Cyber Assets must reside within the ESP(s). REs must implement electronic access controls, continuously monitor access and conduct annual vulnerability assessments at access points.
  • CIP-006-1: Physical Security of Critical Cyber Assets - Specifies that an RE create and maintain an approved physical security plan and implement access controls as well as monitoring of the access points to Physical Security Perimeter(s).
  • CIP-007-1: Systems Security Management - Specifies a broad range of methods, processes and procedures for securing Critical and non-critical Cyber Assets within the ESP(s), such as patch management, malicious software prevention, annual vulnerability assessment and port and service lockdown should be implemented and documented for Cyber Assets within the ESP(s).
  • CIP-008-1: Incident Reporting and Response Planning - Dictates maintaining a Cyber Security Incident response plan and retaining Incident documentation for a period of 3 years.
  • CIP-009-1: Recovery Plans for Critical Cyber Assets - Specifies the creation and annual review Critical Cyber Assets recovery plan(s) which include backup and storage of information to successfully restore Critical Cyber Assets.



Security Management Solutions from Lumension Help Responsible Entities Ensure NERC Compliance

Endpoint management and security software from Lumension addresses NERC CIP security standards and enables Responsible Entities to ensure security management controls and protect Critical Cyber Assets. These solutions include:

  • Lumension® Patch and Remediation – Reduces organizational risk and optimizes IT operations through the timely, proactive elimination of OS and application vulnerabilities across all endpoints and servers. Heterogeneous platform and 3rd party vulnerability content support includes Microsoft® Windows®, UNIX®, Linux®, Apple®, Adobe®, Oracle®, Java™ and more.
  • Lumension® Content Wizard – Delivers customized extensibility through wizard-driven and custom scripting tools to take any action on endpoints including deploying and removing software, remediating configurations, performing systems management tasks and delivering custom patches.
  • Lumension® Security Configuration Management – Ensures that endpoints are securely configured and in compliance with industry best practices and regulatory mandates while reducing configuration drift.
  • Lumension® AntiVirus – Provides blacklist protection and removal for all malware including viruses, worms, spyware, Trojans and adware.
  • Lumension® Application Control – Defines and enforces trusted application usage through whitelist policies to ensure that only applications explicitly authorized or trusted are allowed to execute. Includes Advanced Memory Protection to defend against sophisticated memory injection attacks.
  • Lumension® Device Control – Enforces usage policies for device and ports while providing FIPS 140-2 level 2 validated encryption of data on removable media to prevent data loss / theft.
  • Lumension® Disk Encryption – Enables full disk encryption to maximize endpoint security and performance with proven, FIPS 140-2 validated encryption algorithms; and offers encrypted swap and hibernation files for complete security.
  • Lumension® Risk Manager – Comprehensive IT-GRC software that streamlines and automates audit workflows and IT risk management to provide crucial visibility and continuous monitoring across the IT environment to ensure compliance with HIPAA as well as with other pertinent regulations (i.e. PCI), mandates, and internal policies.

Lumension solutions can help REs identify all managed and unmanaged Cyber Assets, proactively monitor security configurations, lock down critical systems to allow only required functions, and enforce up-to-date patch implementation and improve NERC audit-readiness.

The Cost of Non-Compliance

Due to the importance of securing the North American power supply, financial penalties for NERC non-compliance are hefty—entities can be fined up to $1 million per day until they have brought themselves back into a compliant state. Although NERC audits are regularly scheduled, additional NERC audits can result if there is a power outage or other incident. Therefore, many entities are taking a proactive approach to vulnerability management, endpoint and data protection to ensure continuous NERC compliance.