Qualys Blog


Qualys and NERC / CIP

One topic that has been receiving a lot of attention recently in the information security community is NERC's Critical Infrastructure Protection (CIP) standards, the cyber-security requirements that the North American Electric Reliability Corporation (NERC) imposes on owners and operators of the bulk electric system. In this post, I'll provide a brief overview of CIP and describe how solutions from Qualys help Registered Entities become compliant.

NERC / CIP background

  • 2006 – NERC introduced its Critical Infrastructure Protection (CIP) Reliability Standards CIP-002-1 through CIP-009-1.
  • 2007 (June) – The U.S. Federal Energy Regulatory Commission (FERC) granted NERC the legal authority to enforce reliability standards, making compliance mandatory rather than voluntary.
  • 2009 – NERC approved version 2 of the CIP standards and began auditing Registered Entities for compliance.

All NERC Registered Entities must comply with the eight CIP standards, each of which defines a category of controls for securing the Critical Cyber Assets that are essential to the reliable operation of the bulk electric system:

  • CIP-002 – Critical Cyber Asset Identification
  • CIP-003 – Security Management Controls
  • CIP-004 – Personnel & Training
  • CIP-005 – Electronic Security Perimeter(s)
  • CIP-006 – Physical Security of Critical Cyber Assets
  • CIP-007 – Systems Security Management
  • CIP-008 – Incident Reporting and Response Planning
  • CIP-009 – Recovery Plans for Critical Cyber Assets

Demonstrating compliance with CIP shows that a Registered Entity has implemented the baseline set of protections NERC requires for the bulk electric system.

Solutions in the QualysGuard IT Security and Compliance Suite directly address the CIP requirements for cyber vulnerability assessment of Critical Cyber Assets (CIP-005 R4 and CIP-007 R8, each of which calls for an assessment at least annually). They also serve as a "control of controls": because the scanner and policy-compliance checks inspect the configuration of the assets themselves, they are the means for auditing a multitude of other CIP controls (such as the ports-and-services, patch-management and account-management requirements of CIP-007) and for producing the evidence that those controls are operational and properly configured. In total, Qualys solutions touch six of CIP's eight reliability standards. One caveat worth stating: a scan report is evidence, not compliance in itself. The standards also require the entity to document the assessment results, the action plan to remediate or mitigate what was found, and the execution status of that plan, so the scanning process has to feed a tracked remediation workflow. The following figure summarizes how these requirements are met by solutions in the QualysGuard IT Security & Compliance Suite. For a requirement-by-requirement explanation, see Vulnerability and Policy Management for NERC Compliance: https://www.qualys.com/docs/NERC-Brief.pdf.

[Figure: NERC Requirements – table summarizing which CIP requirements the QualysGuard solutions address]

For additional information on how Qualys can help NERC Registered Entities, see http://www.qualys.com/solutions/compliance/nerc-cip/

– Matt
