What Is NERC CIP: The Ultimate Guide

July 26, 2025

NERC CIP compliance continues to grow in complexity, demanding significant time and energy from utilities. Cyber attacks on utilities and critical infrastructure have gained mainstream attention, prompting increased efforts from both government and industry authorities to enhance cybersecurity. For utilities, in particular, there is a heightened focus on securing the electric bulk system, maintaining resilience, and ensuring safe, reliable operations, overseen by FERC and NERC. Emerging NERC CIP requirements, such as internal network security monitoring, reflect these priorities. Evolving conversations around robust cybersecurity for the electrical grid now include new compliance and operational technology management considerations for low-impact assets and virtualization. These changes add layers of complexity and necessitate continuous adaptation and vigilance.

Implementing NERC CIP compliance can be complex and resource-intensive. To help guide you in efficiently and effectively meeting NERC CIP standards—whether you are experienced and trying to keep up with evolving standards or are new to compliance—we have created this NERC CIP guide. Industrial Defender has partnered closely with electric utilities and responsible entities since 2006. We hope reading through this guide will help you navigate the NERC CIP landscape and understand measures to protect the bulk power system.

Table of Contents

NERC Is Created
NERC Critical Infrastructure Protection (CIP) Standards Are Established
Evolution of the NERC CIP Standards
The NERC CIP Standards Today
Latest Developments
Conclusion

North American Electric Reliability Corporation (NERC) Is Created

The United States Federal Power Commission investigated and reported on the blackout and recommended:

"A council on power coordination made up of representatives from each of the nation's Regional coordinating organizations to exchange and disseminate information on Regional coordinating practices to all of the Regional organizations, and to review, discuss, and assist in resolving matters affecting interregional coordination."

⎯ Legislation proposed: Electric Power Reliability Act of 1967

Enter NERC (National Electric Reliability Council), quietly formed on June 1, 1968 as a voluntary organization by the electric utility industry to promote the reliability and adequacy of bulk power transmission in the electric utility systems of North America.

As the years went by, new regions and members were added, and in 1981 NERC changed its name to the North American Electric Reliability Corporation in recognition of Canada's participation. The organization analyzed the North American power grid and made recommendations to increase its overall reliability. It also became very clear that utilities in many cases were operating as monopolies: they were not agreeing to rate reductions for large industrial companies or allowing those customers to shop for better rates. The lack of flexibility within the electric utility monopoly created the drive for deregulation. NERC stepped in to help here as well, on competition, fair pricing, and how to work with independent power producers, marketers, and brokers.

NERC Critical Infrastructure Protection (CIP) Standards Are Established

Who remembers Y2K? NERC was there to ensure that the grid was prepared and that there were no interruptions as NSYNC and Jessica Simpson rang us into the new Millennium. Right around this time, NERC stepped into the security arena and became the spearhead for issues related to national security and the power grid. To formalize these efforts, NERC became a founding member of the Partnership for Critical Infrastructure Security (PCIS). Deregulation is now running full steam, and California is led into a power crisis due to a little company called Enron and its manipulation of the power market. Clearly this relationship is getting complicated.

Then in 2003, a butterfly flaps its wings in Ohio and creates one of the most widespread blackouts in history. People start asking questions. How can some foliage that affected transmission lines in Ohio cut power to the NYC subway system for 2 days? This blackout puts the NERC Urgent Action 1200 temporary standard on the map and fast-tracks the development of NERC CIP (Critical Infrastructure Protection). Anyone who believes that NERC CIP was truly born from the need for cybersecurity was not a utility employee in the Northeast in August 2003. This is where the reliability vs. security dance really begins. Fast forward a few years to 2005, and NERC CIP Version 3 is drafted and goes out for public review comments to over 61 separate entities. The standards are agreed to and published.

Utilities realize that to properly comply with these standards they need to make investments in time, training, processes, and tools, none of which are planned or budgeted for, and rate hikes are not popular, so what happens? There is enough flexibility in the standard for utilities to do some interesting things. Entities are able to define their own risk-based methodologies. Weak contingency analyses are done. Infrastructure changes are made to minimize the footprint of the Electronic Security Perimeter. Serial communications and non-routable protocols are frequently leveraged to take as many assets as possible out of scope. This also stunts the transition to IP-connected devices and slows grid modernization. Data diodes become extremely popular as a method of limiting inbound communications and further reducing the number of assets in scope.

Evolution of the NERC CIP Standards

The dance continues, and NERC CIP v5 is ratified in 2013. Modifications are made to remove some of the gray areas. It creates the concept of the BES (bulk electric system) and Cyber System Categorization. Bright-line criteria are published, and critical assets with routable (rather than only non-routable) connectivity fall into scope. Utilities begin budgeting and planning for the changes. Compliance with the guidelines, and audits against them, become more widespread. Even with this new, clearer guidance, utilities continue to employ strategies to keep as many assets as possible out of scope, most commonly by physically or logically breaking up High and Medium impact BES Cyber Systems to reduce their compliance requirements. Often this includes large capital investments in new infrastructure purely to avoid having to comply with the new standards. Did this really make our nation's infrastructure more secure?

2013 was also significant for another reason, but this time physical security was in the literal crosshairs, with California in the spotlight once again. I'm talking about the sophisticated physical attack on a substation. A team of highly trained operatives cut the communications to the substation and systematically shot the cooling systems of several transformers with high-powered rifles. The police arrived and were unable to enter the substation due to a locked gate. They surveyed the area to the best of their ability and ultimately left after finding nothing suspicious. All told, approximately $15M in damage was done to this utility's equipment, and the substation was offline for approximately a month. Amazingly, this attack did little to impact the stability of the grid, as power was able to be re-routed from other parts of California. Now, I'm not one to normally don a tin foil hat, but something does not add up here. Like clockwork, NERC introduces a new standard (NERC CIP-014) on physical security to address the attack. I continue to maintain that these types of attacks are still the biggest threat vector to the grid, and it should not take another attack to decide we need more protections in place.

The NERC CIP Standards Today

The standards continued to evolve, covering uncharted areas such as the use of removable media, transient cyber assets, and the supply chain. Again, more solid guidance, but the devil is in the implementation details.

As of today, NERC has 12 critical infrastructure protection requirements:

CIP-002-5.1a BES Cyber System Categorization — Identify and categorize BES cyber assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES cyber assets could have on the reliable operation of the BES.

CIP-003-8 Security Management Controls — Specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES cyber systems against compromise.

CIP-004-7 Personnel & Training — Minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES cyber systems by requiring an appropriate level of personnel risk assessment, training, and security awareness.

CIP-005-7 Electronic Security Perimeter(s) — Manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP-006-6 Physical Security of BES Cyber Systems — Manage physical access to BES cyber systems by specifying a physical security plan in support of protecting BES cyber systems against compromise.

CIP-007-6 System Security Management — Manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES cyber systems against compromise.

CIP-008-6 Incident Reporting and Response Planning — Mitigate the risk to the reliable operation of the BES by specifying incident response requirements.

Remember that in 2021, following the SolarWinds attacks, NERC introduced new requirements within CIP-008-6 that mandate the reporting of "attempted" compromises (in addition to actual compromises) of their systems to national cybersecurity entities.

CIP-009-6 Recovery Plans for BES Cyber Systems — Recover reliability functions performed by BES cyber systems by specifying recovery plan requirements.

CIP-010-4 Configuration Change Management and Vulnerability Assessments — Prevent and detect unauthorized changes to BES cyber systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES cyber systems from compromise.

CIP-011-3 Information Protection — Prevent unauthorized access to BES Cyber System Information in support of protecting BES cyber systems from compromise that would affect the stability of the BES.

CIP-013-2 Supply Chain Risk Management — Mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.

CIP-014-3 Physical Security — Identify and protect transmission stations and transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or cascading within an interconnection.

CIP-015-1 Internal Network Security Monitoring (INSM) — Establish requirements for monitoring internal network communications within the Electronic Security Perimeter to detect anomalous activity, reduce dwell time, and improve incident response. Applies to high-impact BES Cyber Systems and medium-impact systems with External Routable Connectivity.

Latest Developments

Regulatory changes continue to evolve, and there are two recent updates from the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) that organizations should address now.

CIP-015-1: Internal Network Security Monitoring (INSM)

On June 26, 2025, FERC issued Order No. 907, formally approving NERC Reliability Standard CIP-015-1: Cyber Security – Internal Network Security Monitoring (INSM). This marks a major step forward in how the electric sector must approach lateral threat detection and internal network visibility.

CIP-015-1 requires registered entities to implement INSM for:

  • All high-impact BES Cyber Systems, regardless of external routable connectivity, and
  • Medium-impact BES Cyber Systems with external routable connectivity (ERC)

INSM provides continuous visibility within the trusted zone, such as the Electronic Security Perimeter (ESP), enabling earlier detection of malicious activity that bypasses perimeter defenses. This capability is critical for reducing dwell time, enhancing incident response, and supporting recovery.

FERC has also directed NERC to expand the standard within 12 months (by June 2026) to include Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS)—even when located outside the ESP. This expansion reflects current threat trends, such as the Volt Typhoon campaign, where adversaries compromise identity and access infrastructure to gain persistent access and pivot within trusted networks.
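To make the INSM idea concrete, here is an added example of the kind of detection logic an internal monitor runs; it is not code from the original article or from Industrial Defender, and it is not a CIP-015-1 requirement. It assumes a flow log collected inside the ESP in a constructed line format ("timestamp src dst dst_port proto bytes"), a hard-coded baseline of expected communications (in practice derived from the asset inventory and an observed baselining period), and made-up host names, ports and thresholds. It flags any flow outside the baseline and, separately, a host that starts talking to several new peers inside a short window, which is the lateral-movement pattern the section describes.

```python
"""
Minimal internal network security monitoring (INSM) illustration.

Added example, not the article's or Industrial Defender's code. Host names,
ports, thresholds and the log format are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed "known good" communications inside the ESP, learned during a
# baselining window: (src, dst, dst_port, proto).
BASELINE_FLOWS = {
    ("hmi-01", "plc-01", 502, "tcp"),     # HMI polling a PLC over Modbus/TCP
    ("hmi-01", "plc-02", 502, "tcp"),
    ("ews-01", "plc-01", 44818, "tcp"),   # engineering workstation, EtherNet/IP
    ("hist-01", "hmi-01", 5450, "tcp"),   # historian collector
}

# Constructed flow log to evaluate: "timestamp src dst dst_port proto bytes".
# The first five lines match the baseline; from 1020 on, ews-01 begins
# reaching new peers on ports it never used before.
FLOW_LOG = """\
1000 hmi-01 plc-01 502 tcp 1200
1001 hmi-01 plc-02 502 tcp 1100
1002 ews-01 plc-01 44818 tcp 3000
1003 hist-01 hmi-01 5450 tcp 8000
1010 hmi-01 plc-01 502 tcp 1300
1020 ews-01 plc-02 445 tcp 900
1021 ews-01 hist-01 445 tcp 900
1022 ews-01 hmi-01 3389 tcp 15000
1023 ews-01 plc-01 502 tcp 400
"""

FANOUT_THRESHOLD = 3   # distinct new destinations from one host (assumed)
FANOUT_WINDOW = 60     # seconds (assumed)


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dst_port: int
    proto: str
    nbytes: int


def parse_flows(text):
    """Parse the constructed flow-log format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(port), proto, int(nbytes)))
    return flows


def detect(flows, baseline, fanout_threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return alerts as (ts, kind, src, detail) tuples.

    kind is "unbaselined_flow" for any flow not in the baseline, and
    "new_peer_fanout" (once per source) when a source reaches at least
    fanout_threshold distinct new destinations within window seconds.
    """
    alerts = []
    new_dsts = defaultdict(list)   # src -> [(ts, dst)] for non-baseline flows
    fanout_reported = set()
    for f in flows:
        if (f.src, f.dst, f.dst_port, f.proto) in baseline:
            continue
        alerts.append((f.ts, "unbaselined_flow", f.src, f"{f.dst}:{f.dst_port}/{f.proto}"))
        new_dsts[f.src].append((f.ts, f.dst))
        # distinct new peers this source has contacted inside the sliding window
        recent = {d for (t, d) in new_dsts[f.src] if f.ts - t <= window}
        if len(recent) >= fanout_threshold and f.src not in fanout_reported:
            fanout_reported.add(f.src)
            alerts.append((f.ts, "new_peer_fanout", f.src, ",".join(sorted(recent))))
    return alerts


def time_to_fanout_alert(alerts):
    """Seconds from a source's first unbaselined flow to its fan-out alert.

    This is the window the monitor gives responders before the pattern
    escalates; a perimeter-only view would not see these flows at all.
    """
    first_seen, delays = {}, {}
    for ts, kind, src, _ in alerts:
        if kind == "unbaselined_flow":
            first_seen.setdefault(src, ts)
        elif kind == "new_peer_fanout":
            delays[src] = ts - first_seen[src]
    return delays


if __name__ == "__main__":
    found = detect(parse_flows(FLOW_LOG), BASELINE_FLOWS)
    for alert in found:
        print(alert)
    print("time to fan-out alert:", time_to_fanout_alert(found))
```

With the constructed log, the first five flows produce nothing, the four flows from ews-01 after 1020 each raise an unbaselined-flow alert, and the third new peer (at 1022) raises the fan-out alert two seconds after the first deviation. A real deployment would feed the baseline from the CIP-002 asset inventory, tune the window and threshold per zone, and route alerts into the CIP-008 incident response process rather than printing them.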

Conclusion

The NERC Critical Infrastructure Protection (CIP) standards form the backbone of cybersecurity regulation for the Bulk Electric System. As threats evolve and digital modernization expands across the grid, these standards continue to adapt—most recently with the introduction of CIP-015-1 and updated requirements for internal visibility and supply chain risk management.

While each standard addresses a specific aspect of cyber or physical risk, their collective intent is clear: to establish a baseline of security controls across high-, medium-, and increasingly low-impact assets. Together, they help ensure the reliability, resilience, and trustworthiness of the systems that underpin North America’s electric grid.

As the regulatory landscape continues to evolve, organizations must not only maintain compliance with existing CIP standards, but also anticipate future changes. Proactive engagement with these requirements—through strong asset management, defensible architectures, staff training, and effective monitoring—can help transform compliance efforts into operational security gains.

Maintaining alignment between security strategy and regulatory expectations is essential. Doing so enables utilities to manage risk effectively, meet audit expectations, and strengthen the broader defense of critical infrastructure.