NERC CIP Standards 002-009

The North American Electric Reliability Corporation (NERC) is a non-profit corporation chartered to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, commonly referred to as the NERC CIP Standards 002-009, which are designed to ensure the protection of the Critical Cyber Assets which control or affect the reliability of North America’s bulk electricity systems.

NERC CIP standards and guidelines apply to all Responsible Entities (REs) within the bulk-power system, which are required to retain 12 months of auditable data, documents and records on their information security controls and specific logs for 90 days in order to be compliant with the new CIP standards. There are nine NERC CIP requirements:

  • CIP-002-1: Critical Cyber Asset Identification - Requires the identification and documentation of a risk-based assessment methodology which applied annually will identify Critical Assets.
  • CIP-003-1: Security Management Controls - Specifies that security management controls be implemented - information associated with Critical Cyber Assets must be classified and protected, access control to this information must be maintained and change control must be documented.
  • CIP-004-1: Personnel and Training - Requires that REs must include a security awareness and training program for personnel having authorized cyber or authorized unescorted physical access.
  • CIP-005-1: Electronic Security Perimeters - Dictates that Electronic Security Perimeter(s) (ESP) and all access points to the perimeter(s) must be identified and all Critical Cyber Assets must reside within the ESP(s). REs must implement electronic access controls, continuously monitor access and conduct annual vulnerability assessments at access points.
  • CIP-006-1: Physical Security of Critical Cyber Assets - Specifies that an RE create and maintain an approved physical security plan and implement access controls as well as monitoring of the access points to Physical Security Perimeter(s).
  • CIP-007-1: Systems Security Management - Specifies a broad range of methods, processes and procedures for securing Critical and non-critical Cyber Assets within the ESP(s), such as patch management, malicious software prevention, annual vulnerability assessment and port and service lockdown should be implemented and documented for Cyber Assets within the ESP(s).
  • CIP-008-1: Incident Reporting and Response Planning - Dictates maintaining a Cyber Security Incident response plan and retaining Incident documentation for a period of 3 years.
  • CIP-009-1: Recovery Plans for Critical Cyber Assets - Specifies the creation and annual review Critical Cyber Assets recovery plan(s) which include backup and storage of information to successfully restore Critical Cyber Assets.


Lumension’s Security Management Solutions Help Responsible Entities Ensure NERC Compliance

Lumension’s security management software addresses NERC CIP security standards and enables responsible entities to ensure security management controls and protect Critical Cyber Assets. These solutions include:

  • Lumension® Patch and Remediation - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
  • Lumension® Scan - Complete network-based scanning solution enables assessment and analysis of threats impacting all network devices.
  • Lumension® Security Configuration Management - Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured.
  • Lumension® Content Wizard - Create custom remediation packages to address configuration issues, remove unauthorized files and applications, address Zero-day threats, patch custom software and more.
  • Lumension® Enterprise Reporting - Robust data warehouse that enables easy creation and sharing of reports on all aspects of your remediation efforts in support of policy compliance.
  • Lumension® Application Control - Policy-based enforcement of application use to secure your endpoints from malware, spyware and unwanted or unlicensed software.
  • Lumension® Device Control - Policy-based enforcement of removable device use to control the flow of inbound and outbound data from your endpoints.

Lumension solutions can help REs identify all managed and unmanaged Cyber Assets, proactively monitor security configurations, lock down critical systems to allow only required functions, and enforce up-to-date patch implementation and improve NERC audit-readiness.

The Cost of Non-Compliance

Due to the importance of securing the North American power supply, financial penalties for NERC non-compliance are hefty—entities can be fined up to $1 million per day until they have brought themselves back into a compliant state. Although NERC audits are regularly scheduled, additional NERC audits can result if there is a power outage or other incident. Therefore, many entities are taking a proactive approach to vulnerability management, endpoint and data protection to ensure continuous NERC compliance.