One topic that has been receiving a lot of attention recently in the information security community is NERC (North American Electric Reliability Corporation) and its CIP (Critical Infrastructure Protection) standards. In this post, I'll attempt to provide a brief overview of CIP and describe how solutions from Qualys help Registered Entities to become compliant.
NERC / CIP background
- 2006 – NERC introduced its Critical Infrastructure Protection (CIP) Reliability Standards CIP-002-1 through CIP-009-1.
- 2007 (June) – U.S. Federal Energy Regulatory Commission (FERC) granted NERC the legal authority to enforce reliability standards.
- 2009 – NERC approved version 2 of CIP standards and began auditing Registered Entities for compliance.
All NERC Registered Entities must comply with the eight categories of controls defined within CIP for securing the critical cyber assets used to protect the bulk electric system. They are: Cyber Asset Identification, Security Management Controls, Personnel & Training, Electronic Security Perimeter(s), Physical Security, Systems Security Management, Incident Reporting and Response, and Recovery Plans for Critical Cyber Assets. Verified compliance with CIP demonstrates that a Registered Entity has the required protections for the bulk electric system in place.
For additional information on how Qualys can help NERC Registered Entities, refer to the following link: