NERC CIP: Critical Infrastructure Protection

NERC CIP is a set of regulations to protect the North America’s bulk electric system.

 How Do I Become NERC CIP Compliant?

The NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) plan is a set of requirements designed to secure the assets required for operating America’s bulk power systems.

What to know about the NERC CIP Compliance Regulations:


The NERC CIP Plan is a step of regulatory standards adopted in 2006 that specify the minimum requirements to support the reliability of the US electrical system in relation to:

  • security of electronic perimeters
  • protection of critical cyber assets
  • the personnel and training
  • security management
  • disastor recovery planning

All organizations who are involved risk significant fines and penalties for lack of compliance, ranging as high as $1 Million per day.


What You Need to Do - and How MDS Can Help:

The Certified MDS Cyber Security team is trained to identify the most efficient way for utilities to meet the CIP IT security requirements that are required under this compliance. The NERC Standards CIP-002 through CIP-009 provide a comprehensive cyber security framework, and are broken down as follows:

Critical Cyber Asset Identification (CIP-002)

Create an inventory of your existing IT hardware and software, without any downtime. Create clear, concise documentation of critical cyber assets to facilitate compliance audits as well as day-to-day operations.

Security Management Controls (CIP-003)

Creation of concise, compliant technical IT security and governance policy documents based on workshop results, updated on an annual basis.

Personnel & Training (CIP-004)

All personnel who has authorized access to Critical Cyber Assets, including contractors and vendors, have an appropriate level of personnel risk assessment, training and security awareness. The Responsible Entity must establish, maintain and document a security awareness program to ensure said personnel receive ongoing training and awareness on a quarterly basis.

Electronic Security Perimenter(s) (CIP-005)

The required implementation of multiple Electronic Security Perimeters (ESPs).

Physical Security of Cyber Cricial Assets (CIP-006)

The Responsible Entity must create and maintain a physical security program to ensure the protection of Critical Cyber Security Assets, approved by a senior manager or delegated Third-Party. It is required that that the said plan includes:

  • A Physical Security Plan
  • Physical Access Controls
  • Monitoring Physical Access
  • Logging Physical Access
  • Access Log Retention
  • Maintenance & Testing
Systems Security Management (CIP-007)

Responsible Parties must define methods, processes, and procedures for securing Critical and Non-Critical Cyber Assets within the Electric Security Perimeter(s) and comply with the following standards:

  • Test Procedures
  • Ports and Services
  • Security Patch Management
  • Malicious Software Prevention
  • Account Management
  • Security Monitoring
  • Disposal or Redeployment
  • Cyber Vulnerability Assessment
  • Documentation Review and Maintanence
Incidient Reporting and Response Planning (CIP-008)

Ensures the identification, classification, response and reporting of Cyber Security Incidents. To do this, the responsible entity must develop and maintain both a Cyber Security Incident Response Plan and keep the relevenat Cyber Security Incident Documentation reportable for three calendar years.

Recovery Plans for Critical Cyber Assets (CIP-009)

Regulation to ensure that recovery plan(s) are put in place for Critical Cyber Assets and that these plans are consistent with the standard disaster recovery techniques and practices. This compliance requires:

  • Recovery Plans
  • Exercises
  • Change Control
  • Regular Backups
  • Testing Backup Media

Which Regulations Matter to You?

The certified professionals at MDS will help you determine which regulations your organization needs to meet.

Our Pledge:

Building out and maintaining your IT ecosystem doesn’t have to be a do-it-yourself project. MDS can help identify network issues, configure devices, and optimize your infrastructure to maximize efficiency and performance. Our consultants are highly trained technology specialists that understand the complexities of multi-vendor environments and have the knowledge and skills to help your business become more agile, customer-focused and operationally efficient.

Contacts: |

NYC Headquarters:
307 West 38th Street, Suite 1801
New York, NY 10018
Tel: 646-744-1000

Miami Office:
Tel: 786-899-2980
San Juan Office: Tel: 646-460-6229