The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the reliability of the bulk power system (BPS) in North America. NERC develops and enforces mandatory standards that define requirements for reliable planning and operation of the bulk power system.

NERC’s Critical Infrastructure Protection (CIP) Reliability Standards represent a comprehensive, risk-based approach to further enhance the security of the North American bulk power system. They provide a physical and cyber-security framework for identifying and protecting Critical Cyber Assets that control or affect the reliability of North America’s bulk power systems.

RSI Security is a full-service cyber-security assessment and advisory company that helps entities meet their security compliance needs. RSI Security has the experience, skills and resources to help your organization identify and protect critical cyber assets by helping you meet NERC CIP compliance requirements.

Why do you need to be NERC CIP Compliant?

In 2006, the U.S. Federal Energy Regulatory Commission (FERC) made the CIP Cyber Security Standards mandatory for all registered entities identified by NERC, and enforceable across all users, owners, and operators of the bulk power system in the United States.

Entities that own, operate or use any portion of the North American power system are required to identify critical assets and regularly perform risk assessments on those assets.

Let us help your organization implement a plan with all necessary controls so you can meet all 45 requirements and avoid a non-compliance status.

Our NERC CIP Services

  • Patch Management
  • Vulnerability Assessment and Management
  • Asset Identification and Configuration Management
  • Systems Security Management
  • Reliability Standard Audit Worksheet Development
  • Mock Audits
  • Personnel and Training
  • Policy, Process, Procedure Development, Documentation and Evidence Reporting
  • Security Information & Event Management
  • Incident Reporting and Response Planning
  • Recovery Planning

Value and Benefits of Being NERC CIP Compliant

  • Audit Ready Electronic Security Perimeter and Cyber Asset Environment
  • Cyber Asset Security Risk Management
  • NERC CIP Compliance
  • Increased Cyber Asset Protection
  • Increased Customer Trust and Organizational Reputation
  • Implementation of Information Security Program
  • Effective Incident Response Planning

Why work with RSI Security for your NERC CIP Compliance needs?

  • RSI Security has worked comprehensively with NERC entities on their NERC CIP standards implementation programs.
  • RSI Security’s skilled, experienced and qualified security assessment, advisory, engineering and testing teams use a risk-based, strategic, value-based approach to achieving your organization’s NERC CIP compliance.
  • Our advisory services help you identify and meet the NERC CIP standards requirements that apply to you.
  • Our qualified security assessors possess the information security assessment, auditing, administrative and technical skills, knowledge and experience to help organizations achieve NERC CIP compliance.
  • RSI Security is a full-service security provider with many years of experience providing systems and data security compliance, information security program implementation and testing services.

Overview of NERC CIP Standards

RSI Security can help you comply with all of the following and associated standards. Contact us today to get started.

CIP-002-5.1a Cyber Security — BES Cyber System Categorization

  • BES Cyber Systems at each site location have varying impact on the reliable operation of the Bulk Electric System. Attachment 1 provides a set of “bright-line” criteria that the Responsible Entity must use to identify these BES Cyber Systems in accordance with the impact on the BES.
  • BES Cyber Systems must be identified and categorized according to their impact so that the appropriate measures can be applied, commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. These impact categories will be the basis for the application of appropriate requirements in CIP-003 through CIP-011.

CIP-003-6 Cyber Security — Security Management Controls

  • This requirement is intended to demonstrate a clear line of authority and ownership for security matters. One or more security policies demonstrate that the entity’s management supports the accountability and responsibility necessary for effective implementation of the requirements, and provide a management and governance foundation for all requirements. It also ensures that delegations are kept up to date and that individuals do not assume undocumented authority.

CIP-004-6 Cyber Security — Personnel and Training

  • Ensure that Responsible Entities with personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Assets take action so that those personnel with such authorized electronic or authorized unescorted physical access maintain awareness of the Responsible Entity’s security practices.
  • Ensure that the Responsible Entity’s training program for personnel who need authorized electronic access and/or authorized unescorted physical access to BES Cyber Systems covers the proper policies, access controls, and procedures to protect BES Cyber Systems, and that those personnel are trained before access is authorized.
  • Ensure that individuals who need authorized electronic or authorized unescorted physical access to BES Cyber Systems have been assessed for risk. Whether initial access or maintaining access, those with access must have had a personnel risk assessment completed within the last 7 years.
  • Ensure that individuals with access to BES Cyber Systems and the physical and electronic locations where BES Cyber System Information is stored by the Responsible Entity have been properly authorized for such access as well as timely revocation of such access.

CIP-005-5 Cyber Security — Electronic Security Perimeter(s)

  • The Electronic Security Perimeter (“ESP”) serves to control traffic at the external electronic boundary of the BES Cyber System. It provides a first layer of defense against network-based attacks: it limits reconnaissance of targets, restricts traffic to a specified rule set, and assists in containing any successful attacks.

CIP-006-6 Cyber Security — Physical Security of BES Cyber Systems

  • Ensure that physical access to all BES Cyber Systems is restricted and appropriately managed. Entities may choose for certain Physical Access Control Systems (PACS) to reside in a Physical Security Perimeter (PSP) controlling access to applicable BES Cyber Systems.
  • Control when personnel without authorized unescorted physical access can be in any Physical Security Perimeters protecting BES Cyber Systems or Electronic Access Control or Monitoring Systems.
  • Ensure all Physical Access Control Systems and devices continue to function properly.

CIP-007-6 Cyber Security — System Security Management

  • The requirement is intended to minimize the attack surface of BES Cyber Systems through disabling or limiting access to unnecessary network accessible logical ports and services and physical I/O ports.
  • Ensure security patch management by proactively monitoring and addressing known security vulnerabilities in software before those vulnerabilities can be exploited in a malicious manner to gain control of or render a BES Cyber Asset or BES Cyber System inoperable.
  • Ensure malicious code prevention in order to limit and detect the addition of malicious code onto the applicable Cyber Assets of a BES Cyber System. Malicious code (viruses, worms, botnets, targeted code such as Stuxnet, etc.) may compromise the availability or integrity of the BES Cyber System.
  • Ensure security event monitoring in order to detect unauthorized access, reconnaissance and other malicious activity on BES Cyber Systems. Security event monitoring comprises the activities involved in the collection, processing, alerting and retention of security-related computer logs. These logs can provide both (1) the detection of an incident and (2) useful evidence in the investigation of an incident. The retention of security-related logs is intended to support post-event data analysis.
  • Ensure that no authorized individual can gain electronic access to a BES Cyber System until the individual has been authenticated.
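
The security event monitoring bullet above describes collecting, processing and alerting on security-related logs. The following is an added example, not code from RSI Security or from the CIP standards, showing what the "processing and alerting" step can look like in practice: it parses a handful of constructed authentication log lines (the hostnames, users, addresses and the syslog-like layout are all assumed), then raises three kinds of alerts that a reviewer of BES Cyber System logs would want: a burst of failed logins, a success that follows a run of failures for the same account and source, and any authentication attempt from an address outside the assumed trusted ranges.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) in a syslog-like layout:
# <ISO timestamp> <host> <process>: <message>
SAMPLE_LOGS = """\
2024-03-01T10:00:01 ems-hmi01 sshd: Failed password for operator from 10.20.30.5
2024-03-01T10:00:04 ems-hmi01 sshd: Failed password for operator from 10.20.30.5
2024-03-01T10:00:07 ems-hmi01 sshd: Failed password for operator from 10.20.30.5
2024-03-01T10:00:09 ems-hmi01 sshd: Failed password for operator from 10.20.30.5
2024-03-01T10:00:12 ems-hmi01 sshd: Failed password for operator from 10.20.30.5
2024-03-01T10:00:15 ems-hmi01 sshd: Accepted password for operator from 10.20.30.5
2024-03-01T10:05:00 ems-hmi02 sshd: Accepted publickey for svc_backup from 10.20.30.9
2024-03-01T10:07:30 ems-hmi02 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:20:00 rtu-gw01 login: Failed password for admin from 10.20.31.2
2024-03-01T10:21:00 rtu-gw01 cron: session opened for user root
"""

# Assumed: address ranges treated as inside the Electronic Security Perimeter.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24"),
                    ipaddress.ip_network("10.20.31.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)$")


def parse_events(text):
    """Extract structured authentication events; non-auth lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = AUTH_RE.match(m["msg"])
        if not a:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "user": a["user"],
            "src": a["src"],
            "success": a["result"] == "Accepted",
        })
    return events


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a (host, user, source) that fails at least `threshold` times inside `window`."""
    failures = defaultdict(list)
    for e in events:
        if not e["success"]:
            failures[(e["host"], e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (host, user, src), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"type": "failed_login_burst", "host": host, "user": user,
                               "src": src, "count": end - start + 1})
                break
    return alerts


def detect_success_after_failures(events, min_failures=3):
    """Flag a successful login that follows a run of failures for the same (host, user, source)."""
    streak = defaultdict(int)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["host"], e["user"], e["src"])
        if e["success"]:
            if streak[key] >= min_failures:
                alerts.append({"type": "success_after_failures", "host": e["host"],
                               "user": e["user"], "src": e["src"], "failures": streak[key]})
            streak[key] = 0
        else:
            streak[key] += 1
    return alerts


def detect_untrusted_sources(events, trusted=TRUSTED_NETWORKS):
    """Flag any authentication attempt, successful or not, from outside the trusted ranges."""
    alerts = []
    for e in events:
        addr = ipaddress.ip_address(e["src"])
        if not any(addr in net for net in trusted):
            alerts.append({"type": "untrusted_source", "host": e["host"], "user": e["user"],
                           "src": e["src"], "success": e["success"]})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for alert in (detect_failed_login_bursts(evs) + detect_success_after_failures(evs)
                  + detect_untrusted_sources(evs)):
        print(alert)
```

On the sample data the three detectors produce one alert each: the five failures against `operator` on `ems-hmi01`, the success that immediately follows them, and the `root` attempt from the non-ESP address. The thresholds and window are parameters because the right values depend on the asset and its normal traffic; the retention side of the bullet is not shown here and is usually handled by the log platform itself.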

CIP-008-5 Cyber Security — Incident Reporting and Response Planning

  • The implementation of an effective Cyber Security Incident response plan mitigates the risk to the reliable operation of the BES caused by a Cyber Security Incident and provides feedback to Responsible Entities for improving the security controls applied to BES Cyber Systems. Preventative activities can lower the number of incidents, but not all incidents can be prevented. A preplanned incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services.

CIP-009-6 Cyber Security — Recovery Plans for BES Cyber Systems

  • Preventative activities can lower the number of incidents, but not all incidents can be prevented. A preplanned recovery capability is, therefore, necessary for rapidly recovering from incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services so that planned and consistent recovery action to restore BES Cyber System functionality occurs.
  • The implementation of an effective recovery plan mitigates the risk to the reliable operation of the BES by reducing the time to recover from various hazards affecting BES Cyber Systems. This requirement ensures continued implementation of the response plans.
  • To improve the effectiveness of BES Cyber System recovery plan(s) following a test, and to ensure the maintenance and distribution of the recovery plan(s).

CIP-010-2 Cyber Security — Configuration Change Management and Vulnerability Assessments

  • The configuration change management processes are intended to prevent unauthorized modifications to BES Cyber Systems.
  • The configuration monitoring processes are intended to detect unauthorized modifications to BES Cyber Systems.
  • The vulnerability assessment processes are intended to act as a component in an overall program to periodically ensure the proper implementation of cyber security controls as well as to continually improve the security posture of BES Cyber Systems.
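
The first two bullets above distinguish change management (preventing unauthorized modifications) from configuration monitoring (detecting them). The following is an added example, not RSI Security's or NERC's code, of the detection half: it records a baseline for one device (the hostname, ports, software versions and file contents are constructed), compares a later snapshot against it, and separates deviations that match an approved change record from those that do not. The ticket identifier is a placeholder; baseline items (OS, software, network-accessible ports, selected configuration files) are stored in a normalized form so the comparison does not depend on ordering.

```python
import hashlib
import json

# Constructed sample data (not from any real asset): a recorded baseline and a
# later snapshot of the same device.
BASELINE = {
    "rtu-gw01": {
        "os": "Linux 5.10.0",
        "ports": [22, 502],
        "software": {"openssh": "8.4p1", "modbus-proxy": "1.2.0"},
        "files": {
            "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
        },
    }
}

SNAPSHOT = {
    "rtu-gw01": {
        "os": "Linux 5.10.0",
        "ports": [22, 23, 502],                                      # a new listener appeared
        "software": {"openssh": "8.9p1", "modbus-proxy": "1.2.0"},   # openssh was updated
        "files": {
            "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
        },
    }
}

# Constructed change records: only the openssh update was approved.
AUTHORIZED = [
    {"asset": "rtu-gw01", "kind": "software_changed", "item": "openssh",
     "ticket": "CHG-0000 (placeholder)"},
]


def file_digest(content):
    """Store file state as a SHA-256 digest rather than the raw content."""
    return hashlib.sha256(content.encode()).hexdigest()


def normalize(asset_state):
    """Canonical form of one asset's state so comparisons are order-independent."""
    return {
        "os": asset_state["os"],
        "ports": sorted(asset_state["ports"]),
        "software": dict(sorted(asset_state["software"].items())),
        "files": {path: file_digest(body)
                  for path, body in sorted(asset_state["files"].items())},
    }


def baseline_fingerprint(asset_state):
    """One digest over the whole normalized baseline, usable as change-evidence."""
    canonical = json.dumps(normalize(asset_state), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_baseline(baseline, snapshot):
    """Return every deviation of `snapshot` from `baseline` as (asset, kind, item, detail)."""
    changes = []
    for asset, base in baseline.items():
        if asset not in snapshot:
            changes.append((asset, "asset_missing", asset, ""))
            continue
        b, c = normalize(base), normalize(snapshot[asset])
        if b["os"] != c["os"]:
            changes.append((asset, "os_changed", "os", f'{b["os"]} -> {c["os"]}'))
        for port in sorted(set(c["ports"]) - set(b["ports"])):
            changes.append((asset, "port_opened", str(port), ""))
        for port in sorted(set(b["ports"]) - set(c["ports"])):
            changes.append((asset, "port_closed", str(port), ""))
        for name in sorted(set(b["software"]) | set(c["software"])):
            old, new = b["software"].get(name), c["software"].get(name)
            if old != new:
                changes.append((asset, "software_changed", name, f"{old} -> {new}"))
        for path in sorted(set(b["files"]) | set(c["files"])):
            if b["files"].get(path) != c["files"].get(path):
                changes.append((asset, "file_modified", path, ""))
    return changes


def unauthorized_changes(changes, authorized):
    """Keep only deviations with no matching approved change record."""
    approved = {(a["asset"], a["kind"], a["item"]) for a in authorized}
    return [ch for ch in changes if (ch[0], ch[1], ch[2]) not in approved]


if __name__ == "__main__":
    found = diff_baseline(BASELINE, SNAPSHOT)
    for ch in unauthorized_changes(found, AUTHORIZED):
        print("UNAUTHORIZED", *ch)
```

Run against the sample data, the comparison finds three deviations and reports two of them as unauthorized: the new listener on port 23 and the edited `sshd_config`, while the approved openssh update is filtered out by its change record. Keeping file state as digests means the baseline itself does not have to hold sensitive configuration content, which also matters for the information protection requirement in CIP-011.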

CIP-011-2 Cyber Security — Information Protection

  • The intent of the information protection program is to prevent unauthorized access to BES Cyber System Information.
  • The intent of the BES Cyber Asset reuse and disposal process is to prevent the unauthorized dissemination of BES Cyber System Information upon reuse or disposal.
