Overview

The North American Electric Reliability Corporation (NERC) is a non-profit, international regulatory authority. NERC ensures the reliability and security of the bulk power system in North America.

With cyber security and data security breaches at the forefront, NERC continues to develop, evolve, and enforce new standards in the following areas:

  • Assessments: annual, seasonal, and long-term reliability
  • System Awareness: monitoring the bulk power system throughout North America
  • Industry Personnel: education, training, and certification

NERC/FERC Authority and Reporting Chains

NERC’s total area of responsibility and authority serves nearly 3.5 million people across the United States, Canada, and Mexico.

NERC maintains authority over:

  • Users of the bulk power system
  • Owners of the bulk power system
  • Operators of the bulk power system

NERC is responsible and accountable to the Federal Energy Regulatory Commission (FERC) and various regulatory authorities in the Canadian government.

 

CIP: Critical Infrastructure Protection

Currently Enforced CIP Regulations Applicable to Regional Entities and Responsible Entities – CIPv3:

  • CIP-002-3   Cyber Security – Critical Cyber Asset Identification
  • CIP-003-3   Cyber Security – Security Management Controls
  • CIP-004-3a Cyber Security – Personnel & Training
  • CIP-005-3a Cyber Security – Electronic Security Perimeter(s)
  • CIP-006-3c Cyber Security – Physical Security of Critical Cyber Assets
  • CIP-007-3a Cyber Security – Systems Security Management – “The version number was updated from CIP-007-3a to incorporate the approved interpretation that should have previously been appended”
  • CIP-008-3   Cyber Security – Incident Reporting and Response Planning
  • CIP-009-3   Cyber Security – Recovery Plans for Critical Cyber Assets
  • CIP-002-5.1 Cyber Security – BES Cyber System Categorization – Errata approved by the SC on 9/27/2013
  • CIP-003-5    Cyber Security – Security Management Controls – has an enforcement date of 4/1/2016, except for CIP-003-5 R2 which has an enforcement date of 4/1/2017
  • CIP-004-5.1 Cyber Security – Personnel & Training – Errata approved by the SC on 9/27/2013
  • CIP-005-5    Cyber Security – Electronic Security Perimeter(s)
  • CIP-006-5    Cyber Security – Physical Security of BES Cyber Systems
  • CIP-007-5    Cyber Security – System Security Management
  • CIP-008-5    Cyber Security – Incident Reporting and Response Planning
  • CIP-009-5    Cyber Security – Recovery Plans for BES Cyber Systems
  • CIP-010-1    Cyber Security – Configuration Change Management and Vulnerability Assessments
  • CIP-011-1    Cyber Security – Information Protection

According to the Cyber Security Standards Transition Guidance (Revised), NERC’s CIP Version 5 Reliability Standards represent a significant improvement over the current CIP Version 3 Standards. CIP Version 5 adopts new cyber security controls, both technical and administrative, and expands the list of IT infrastructure systems that the newer CIP standards are designed to protect.

Click here to download a detailed comparison of CIPv3 vs CIPv5.

The spreadsheet is ordered by CIPv5 rule, then by requirement. Requirements added in CIPv5 are in yellow/orange text. Accurate as of 10/23/2014.
