The NERC CIP requirements were designed to ensure the security of North American bulk electric systems (BES) and consist of 12 standards covering security management controls, personnel and training, system security management, electronic security perimeters, disaster recovery planning, and configuration change management. These requirements are constantly evolving, and some of the most recent updates include new language around the security of transient assets, supply chain risk, and removable media events.
To comply with these regulations, utilities must collect and produce detailed information about digital assets and analyze whether these devices are deployed and accessed securely. Doing this manually can be an incredibly time-consuming (and boring) task, especially since these standards are continuously changing. In this guide, we outline:
We also include bonus tips from cybersecurity experts who have real-world experience complying with NERC CIP regulations at North American utilities.
