Introduction and Background
At Enaxy, we recently wrapped up a blog series exploring how organizations can choose the right cybersecurity standard to build or enhance their OT/ICS security programs. That series focused on broadly applicable frameworks such as NIST CSF, ISA/IEC 62443, NIST SP 800-82, and the CIS Controls, comparing their strengths, limitations, and strategic fit across different industrial sectors.
But what about standards designed for specific industries?
To put it plainly: why might an organization choose to implement the ISA/IEC 62443 standards instead of the NIST Cybersecurity Framework? Or why lean on the SP 800-82 control catalog rather than the CIS Critical Security Controls when defining technical safeguards? These are questions of alignment: choosing what fits best for your environment, resources, and risk landscape.
Some standards, however, aren’t optional. They’re mandated.
One of the most prominent examples is the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards, which apply specifically to entities operating in the Bulk Electric System (BES). Overseen by the Federal Energy Regulatory Commission (FERC), the NERC CIP standards were first introduced in 2008 and have evolved significantly through ongoing revisions and working groups. Compliance with CIP is not just best practice; it is a legal requirement.
Failure to comply can result in significant regulatory penalties, making it essential for covered entities to understand the scope, structure, and enforcement of these standards.1
Who Must Comply with NERC CIP Regulations?
NERC CIP regulations apply to a specific subset of organizations operating within the North American Bulk Electric System (BES). Entities typically required to comply with NERC CIP standards include:
- Electric Generation Owners and Operators
- Electric Transmission Owners and Operators
- Balancing Authorities – Entities responsible for maintaining the supply-demand balance within a given area
- Reliability Coordinators – The highest level of authority for ensuring BES reliability in a defined region
- Interchange Authorities – Entities coordinating energy transfers between Balancing Authorities
However, NERC CIP applicability is not universal across all electric utilities. Instead, it depends on several operational and infrastructure-related factors, such as:
- The voltage level of the transmission lines owned or operated
- The total generating capacity of the facilities
- The potential impact of the entity’s assets on the overall reliability of the Bulk Electric System
Some smaller utilities, or those not directly connected to the bulk power system, may be exempt from NERC CIP requirements. But being a small utility does not by itself mean you are exempt. For example, a hydroelectric dam that serves as a Blackstart Resource (one needed to re-energize the BES after a blackout, i.e. when the entire grid in a region or area is down) would generally be subject to the CIP requirements even if its total generating capacity is minimal.
Determining whether your organization falls under NERC CIP jurisdiction is the crucial first step in ensuring compliance and contributing to the overall security of the North American power grid. If it is unclear whether your organization must comply with the NERC CIP standards, start with any internal compliance department your organization may have. If it is still not clear, reach out to the NERC Regional Entity responsible for your region of the country; the Regional Entities are the organizations that audit compliance with NERC standards.
Overview of NERC CIP Impact Rating Levels
NERC CIP standards recognize that not all assets within the BES have the same level of criticality or potential impact on overall grid reliability. To address this, the standards implement a tiered approach based on the potential impact of cyber systems on the reliable operation of the Bulk Electric System. These tiers are known as Impact Rating Levels, and they determine the specific security requirements that apply to each asset. The three Impact Rating Levels are referred to as High, Medium, or Low Impact.
- High Impact Systems: BES Cyber Systems at Control Centers used by Reliability Coordinators, or by Transmission Operators, Generator Operators, or Balancing Authorities that meet specific size/criticality criteria.
- Medium Impact Systems: BES Cyber Systems that meet specific criteria related to their size or criticality. For example, BES Cyber Systems associated with Transmission Facilities operated at 500 kV or higher meet the Medium Impact criteria.
- Low Impact Systems: All other BES Cyber Systems that do not meet the criteria for High or Medium Impact. While these systems are considered to have a lower potential impact on grid reliability, they are still subject to certain baseline security requirements.
The Impact Rating Level of a system determines the specific set of security controls that must be implemented. Generally, the requirements become more stringent as the impact level increases. For example:
- High and Medium Impact systems require more comprehensive access control measures, including multi-factor authentication for remote access.
- High and Medium Impact systems have more stringent requirements for security event monitoring and incident response planning.
- Physical security requirements are more detailed and extensive for High and Medium Impact systems.
It’s important to note that a single organization may have systems at multiple impact levels. For instance, a large utility might have High Impact Control Centers, Medium Impact generation facilities, and Low Impact Transmission substations. Each of these would be subject to different sets of requirements under the NERC CIP standards.
Understanding these Impact Rating Levels is crucial for organizations to properly categorize their systems and implement the appropriate security controls. In the following sections, we’ll delve deeper into the specific requirements for Low Impact systems and Medium/High Impact systems.
Overview of NERC CIP Low Impact Requirements
While Low Impact BES Cyber Systems are subject to less stringent requirements compared to their Medium and High Impact counterparts, they are by no means insignificant. They still play a crucial role in maintaining the overall security of the Bulk Electric System. The requirements for Low Impact systems focus on establishing foundational cybersecurity practices and plans. Let’s examine the key areas of NERC CIP requirements for Low Impact systems:2
1. Cyber Security Awareness
Organizations must implement a cybersecurity awareness program that reinforces sound security practices. This typically involves regular training or communications, usually at least once a year,3 to ensure that personnel are aware of cyber security risks and their role in protecting BES Cyber Systems.
2. Physical Security Controls
Entities are required to implement measures to restrict physical access to Low Impact BES Cyber Systems. This can include, but is not limited to:
- Locked doors
- Security guards
- Access control systems (e.g., badges, card readers, or biometric systems)
The intent is to prevent unauthorized physical access that could compromise the security or reliability of these systems. For Low Impact assets, NERC CIP provides flexibility in how these controls are implemented. Entities have significant discretion to tailor their physical security measures based on the facility’s risk profile, layout, and operational needs so long as the controls are effective and enforceable.
3. Electronic Access Controls
Organizations must implement electronic access controls to protect Low Impact BES Cyber Systems. This involves identifying the electronic access connections between the Low Impact BES Cyber Systems and Cyber Assets outside the asset that contains them (e.g. outside the Facility) and implementing controls that permit only the inbound and outbound electronic access the entity has determined to be necessary. Two scoping conditions narrow this requirement: it applies only to communications that use a routable protocol when entering or leaving the asset, and it excludes communications used for time-sensitive protection or control functions between intelligent electronic devices (in the standard’s wording, the controls cover communications that are “not used for time-sensitive protection or control functions between intelligent electronic devices”).
4. Cyber Security Incident Response
Entities must have a Cyber Security Incident Response (IR) plan that includes processes for identification, classification, and response to Cyber Security Incidents related to Low Impact BES Cyber Systems. Entities must also test their IR plans at least once every 36 calendar months; an actual response to a Reportable Cyber Security Incident counts as a test.
5. Transient Cyber Asset and Removable Media Management
Organizations must implement plans to mitigate the risks associated with:
- Transient Cyber Assets (TCA) – such as laptops, tablets, or diagnostic tools used temporarily for maintenance or troubleshooting
- Removable Media – such as USB drives, external hard drives, or SD cards
These plans must apply not only to internal assets but also to those brought in by third parties, such as contractors and vendors. The objective is to prevent these portable devices from introducing malware or unauthorized access into Low Impact BES Cyber Systems, maintaining system integrity and reliability.
6. Declaring and Responding to CIP Exceptional Circumstances
The NERC CIP standards recognize that certain emergency situations may require flexibility in how requirements are applied. These situations are known as CIP Exceptional Circumstances. During such events, entities are not held to standard compliance expectations for certain requirements, such as those related to Transient Cyber Assets (TCA) and Removable Media.
For example, if emergency responders such as firefighters need immediate access to a facility to prevent injury or loss of life, the organization would not be considered non-compliant simply because those responders were not escorted, did not log their visit, or bypassed other standard physical security protocols.
This provision ensures that safety and emergency response are prioritized, while still aligning with the intent of the CIP standards. However, entities should document the exceptional circumstance and take appropriate actions after the fact, such as reviewing access logs or conducting post-event assessments, to ensure security integrity is maintained.
7. (BONUS!!) Vendor Electronic Remote Access Security Controls
Going into effect on April 1, 2026, CIP-003-9 adds a requirement to mitigate the risks of vendor electronic remote access to Low Impact BES Cyber Systems. Entities must have one or more methods to determine where vendor electronic remote access sessions exist, one or more methods to disable vendor electronic remote access, and one or more methods to detect known or suspected malicious inbound and outbound communications within that vendor remote access.
While the NERC CIP requirements for Low Impact systems are less prescriptive than those for Medium and High Impact assets, they establish a foundational level of cybersecurity designed to address common threats. Organizations should treat these requirements not as the finish line, but as a baseline framework, a starting point for building a more comprehensive security posture. Entities are encouraged to evaluate their own risk environment and implement additional controls as needed to safeguard critical infrastructure effectively.
Overview of NERC CIP Medium/High Impact Requirements
Medium and High Impact BES Cyber Systems (BCS) are subject to significantly more robust and detailed security requirements due to the critical role they play in maintaining the reliability of the BES. Although there are nuanced differences between Medium and High Impact requirements, many of the standards and control families are shared between the two. These requirements are typically organized thematically across the NERC CIP standards. For example, CIP-005 focuses on electronic security perimeters, while CIP-007 addresses system security management. Here’s an overview of the key NERC CIP requirements for Medium and High Impact systems:
1. CIP-003: Security Management Controls
This standard outlines the foundational policies and procedures needed to govern a compliant cybersecurity program.
2. CIP-004: Personnel and Training
This standard focuses on ensuring that personnel who access BES Cyber Assets (BCAs) or BES Cyber System Information (BCSI) are properly vetted and trained. It includes requirements related to security awareness programs, cyber security training programs, and personnel risk assessment programs (e.g. background checks). These requirements generally include both initial requirements, such as the need to perform a personnel risk assessment prior to granting electronic access to BCAs, as well as ongoing reviews, such as the need to verify at least once every 15 calendar months that people with access to BCSI still need the provisioned access.
3. CIP-005: Electronic Security Perimeters
This standard is focused on securing the electronic boundaries around BCS. It requires organizations to identify a controlled Electronic Security Perimeter (ESP) and implement measures to control and monitor all electronic access points. CIP-005 also covers Interactive Remote Access: such access must pass through an Intermediate System so that there is no direct access from an external source to the BCS, the session must be encrypted (with the encryption terminating at the Intermediate System), and multi-factor authentication is required. This standard ensures that only authorized communications can traverse into or out of sensitive OT environments and that these communications are secure and auditable.
4. CIP-006: Physical Security of BES Cyber Systems
CIP-006 establishes requirements for protecting BES Cyber Systems from physical threats by enforcing layered, risk-based physical security controls. Entities must develop and maintain a physical security plan tailored to the impact rating of each BCS. For Medium Impact BCS with External Routable Connectivity (ERC), “at least one physical access control” must be used before entering a Physical Security Perimeter, while High Impact BCS require “two or more different physical access controls.” Entities also must diligently monitor for unauthorized physical access. CIP-006 further includes requirements around logging visitor access and testing Physical Access Control Systems.
5. CIP-007: Systems Security Management
CIP-007 includes technical, operational, and procedural requirements to manage system security. Requirements in this standard relate to the following areas:
- Ports and services management
- Security patch management
- Malicious code prevention
- Security event monitoring
- System access control
6. CIP-008: Incident Reporting and Response Planning
CIP-008 outlines the requirements for developing, maintaining, and executing a Cyber Security Incident Response (IR) plan for BES Cyber Systems. This standard ensures that organizations can effectively detect, respond to, and recover from cyber incidents. There are also requirements to test the IR plans at least once every 15 calendar months and to update the plans to incorporate lessons learned from either tests or actual Incidents. CIP-008 also includes notification requirements: entities must notify both the E-ISAC and the United States National Cybersecurity and Communications Integration Center (NCCIC, whose functions now sit within CISA) within one hour of determining that a Reportable Cyber Security Incident has occurred.
7. CIP-009: Recovery Plans for BES Cyber Systems
CIP-009 focuses on ensuring that organizations are prepared to restore critical cyber assets after a disruption. Organizations must develop recovery plans that address the restoration of BCS following a cyber incident or failure. Recovery plans must be tested periodically to ensure effectiveness. Lessons learned from tests or actual recovery efforts must be incorporated into updated plans. Entities must also implement and maintain backup systems and documented restore procedures. These backups must be protected to ensure availability and integrity during emergencies.
8. CIP-010: Configuration Change Management and Vulnerability Assessments
This standard contains requirements around establishing baseline configurations of systems and detecting changes to those baselines. It also covers vulnerability assessments. Both High and Medium Impact BCS require a “paper or active vulnerability assessment” at least once every 15 calendar months. High Impact BCS must additionally have an active vulnerability assessment at least once every 36 calendar months, performed either in a test environment that models the production baseline or in production in a manner that minimizes adverse effects (a test environment is generally the safer choice).
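As an added example (not code from Enaxy, nor from the NERC standards themselves), the block below shows the kind of automated check that backs the CIP-010 baseline and change-detection requirement above and the CIP-007 ports-and-services requirement: a documented baseline for one device, organised under the five configuration elements CIP-010 R1.1 names (OS/firmware, commercial software, custom software, logical network accessible ports, security patches), is compared with an observed state, where the observed listening ports are parsed from `ss -ltnu` style output. The device, software names, patch identifiers and the `ss` lines are constructed sample data; the telnet listener and the extra software package are planted deviations.

```python
"""Baseline-configuration drift check (added illustration; not Enaxy or NERC code).

A CIP-010 baseline documents, per BES Cyber System: OS/firmware, commercially
available or open-source software, custom software, logical network accessible
ports and applied security patches. This script compares such a documented
baseline with an observed state and reports every deviation, which is the raw
material for change-detection evidence and for the CIP-007 "only necessary
ports enabled" evidence an auditor asks for. All device, software, patch and
port data below is constructed sample data.
"""
from __future__ import annotations

import re

# The five baseline elements listed in CIP-010 R1.1.
BASELINE_ELEMENTS = ("os_firmware", "commercial_software", "custom_software", "ports", "patches")

# Matches one socket line of `ss -ltnu` output: proto, state, recv-q, send-q, local, peer.
SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+)\s+\S+")


def listening_ports(ss_output: str) -> frozenset[tuple[str, int]]:
    """Extract (protocol, port) pairs from `ss -ltnu` text; header and non-socket lines are skipped.

    IPv4 and IPv6 listeners on the same port collapse to one entry, because a
    CIP-010 baseline records the logical port, not the address family.
    """
    ports = set()
    for line in ss_output.splitlines():
        match = SS_LINE.match(line.strip())
        if match is None:
            continue
        proto, local = match.groups()
        ports.add((proto, int(local.rsplit(":", 1)[1])))  # handles 0.0.0.0:22, [::]:22 and *:22
    return frozenset(ports)


def drift_findings(baseline: dict[str, set], observed: dict[str, set]) -> list[str]:
    """Return one finding per deviation between baseline and observed state (empty list = no drift).

    Both additions and removals are reported: an unauthorized new listener or
    package is a change-management failure, while a missing patch is a
    patch-management failure (CIP-007 R2), so neither direction can be ignored.
    """
    findings = []
    for element in BASELINE_ELEMENTS:
        expected = frozenset(baseline.get(element, ()))
        actual = frozenset(observed.get(element, ()))
        for item in sorted(actual - expected, key=str):
            findings.append(f"{element}: {item!r} observed but not in the authorized baseline")
        for item in sorted(expected - actual, key=str):
            findings.append(f"{element}: {item!r} in baseline but not observed")
    return findings


# Constructed sample `ss -ltnu` output for a hypothetical substation RTU.
# Port 23/tcp (telnet) is the planted deviation; 22 appears twice (IPv4 and IPv6).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      5            0.0.0.0:502       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:23        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
"""

# Constructed documented baseline for the same hypothetical device.
SAMPLE_BASELINE = {
    "os_firmware": {"RTU-OS 4.2.1"},
    "commercial_software": {"ModbusGateway 2.0"},
    "custom_software": {"site-poller 1.3"},
    "ports": {("tcp", 22), ("tcp", 502), ("udp", 161)},
    "patches": {"RTU-OS-SA-2024-03"},
}


def sample_check() -> list[str]:
    """Run the drift check on the constructed sample; returns the findings list."""
    observed = {
        "os_firmware": {"RTU-OS 4.2.1"},
        "commercial_software": {"ModbusGateway 2.0", "RemoteTool 1.0"},  # planted: unapproved package
        "custom_software": {"site-poller 1.3"},
        "ports": listening_ports(SAMPLE_SS),
        "patches": {"RTU-OS-SA-2024-03"},
    }
    return drift_findings(SAMPLE_BASELINE, observed)


if __name__ == "__main__":
    for finding in sample_check() or ["no drift from baseline"]:
        print(finding)
```

Run on the sample it reports the unapproved package and the telnet listener; in practice the observed state would come from the device itself (package inventory, `ss` or the equivalent vendor command, patch level) on the 35-calendar-day cadence CIP-010 R2 sets for monitoring unauthorized baseline changes, and each finding would either be traced to an authorized change record or treated as a Cyber Security Incident.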
9. CIP-011: Information Protection
CIP-011 focuses on the protection and proper handling of BES Cyber System Information (BCSI), sensitive data that, if compromised, could negatively impact the reliability of the BES. It requires entities to identify and classify information which is BCSI. BCSI must be secured against unauthorized access, disclosure, or misuse during storage, use, and transmission. Entities also must implement procedures for the secure disposal of BCSI. For example, simply throwing hard drives with sensitive data into a dumpster is not acceptable: data must be securely erased, and physical media must be destroyed according to industry best practices.
10. CIP-012: Communications between Control Centers
CIP-012 is designed to safeguard the confidentiality and integrity of Real-time Assessment and monitoring data as it is transmitted between Control Centers. It is written as an objective-based requirement, where the goal of the security of communications is given, but entities have freedom to determine how they meet that objective.
11. CIP-013: Supply Chain Risk Management
CIP-013 focuses on reducing cybersecurity risks associated with third-party vendors and suppliers who provide products or services that impact the security of BES Cyber Systems. Entities must develop, document, and implement a supply chain cyber security risk management plan that addresses procurement of BES Cyber Systems and services. This plan must include vendor notification of incidents, coordinating responses with vendors, disclosure of known vulnerabilities, and verifying software and patches provided by the vendor. It also must include a plan to coordinate controls for vendor-initiated remote access and for the vendor to notify the entity when remote or onsite access is no longer needed. While entities have flexibility in how they meet these requirements, they must be able to demonstrate the existence and effectiveness of their risk management processes during audits.
12. CIP-014: Physical Security
CIP-014 stands out among the NERC CIP standards due to its narrow and highly targeted scope. Unlike other standards that apply broadly across cyber systems, CIP-014 is specifically focused on the physical security of the most critical Transmission Facilities. It requires a risk assessment to identify the Transmission stations and substations whose loss could cause widespread instability, verification of that assessment by an unaffiliated third party, an evaluation of the physical threats to each identified Facility, and a physical security plan that must be reviewed by an unaffiliated third party with expertise in physical security, then implemented and regularly reviewed and updated. CIP-014 is designed to protect the BES from physical attacks that could cause widespread outages or compromise grid stability. Given the high-impact nature of these facilities, this standard ensures that physical risks are addressed with the same rigor as cyber threats.
13. (Another Bonus!!) CIP-015: Internal Network Security Monitoring
CIP-015 has been written and approved by FERC and is expected to become enforceable in 2028. It is focused on detecting anomalous or unauthorized network traffic inside the ESP in order to improve response to and recovery from an attack. Organizations will need to determine how they will collect the data (e.g. configuring traffic monitoring feeds) and then how they will use it to identify anomalous activity on the network. Under the Implementation Plan, the requirements take effect for High Impact BCS and for Medium Impact BCS with External Routable Connectivity at Control Centers 36 months after FERC approval. For other Medium Impact BCS with ERC (i.e. those not at Control Centers) there is an additional 24 months to comply.
These requirements form a comprehensive security framework for Medium and High Impact BES Cyber Systems, encompassing both technical controls and essential organizational practices. They address not just systems and technology but also the governance, documentation, testing, and personnel readiness required to maintain a resilient cybersecurity program.
While many requirements overlap between Medium and High Impact systems, High Impact environments demand greater rigor, including more frequent assessments, stricter access controls, and deeper validation of security mechanisms.
Achieving and sustaining compliance with NERC CIP standards requires a substantial commitment of resources, continuous monitoring, and expert insight. From building robust technical defenses to maintaining extensive documentation and training programs, organizations must remain agile and audit-ready.
More Questions?
Navigating the complex landscape of NERC CIP compliance can be challenging, but it’s crucial for maintaining the security and reliability of our power grid. Whether your organization manages Low, Medium, or High Impact BES Cyber Systems, implementing and maintaining compliance with NERC CIP standards requires ongoing effort, expertise, and resources. Enaxy can provide invaluable support in several ways:
- Compliance Assessment: Evaluate your current cybersecurity posture against NERC CIP requirements and identify any gaps.
- Strategy Development: Create a tailored roadmap for achieving and maintaining NERC CIP compliance.
- Implementation Support: Assist in implementing necessary technical controls, policies, and procedures.
- Training and Awareness: Develop and deliver customized training programs to ensure your staff understands their roles in maintaining compliance.
- Audit Preparation: Help you prepare for NERC CIP audits, including documentation review and mock audits.
- Ongoing Support: Provide continuous monitoring and support to help you stay compliant as regulations evolve and your systems change.
Cybersecurity is about more than just compliance; it is a responsibility. By taking proactive measures to protect your BES Cyber Systems, you are not only securing your organization, you are helping to safeguard the reliability of the power grid that millions rely on every day.
Let’s build a more resilient future together.
Reach out to info@enaxy.com to take the first step toward strong, sustainable NERC CIP compliance.
Your organization and the energy sector as a whole will be stronger because of it.
1 Some definitions and concepts, especially in the background sections, are simplified for the purposes of this blog. The NERC CIP standards have an official glossary, and LiveWire’s NERCipedia is also a good resource for specific definitions of the various terms used throughout the standards.
2 The Low Impact requirements are found in NERC CIP-003-8. The general areas are identified in Requirement 1.2, while more detailed descriptions of what the various areas require are in Attachment 1 of the same document.
3 This is an example where the CIP standard itself says “at least once every 15 calendar months,” but in implementing the requirement most organizations treat the activity as an annual requirement. The extra three months lets the organization remain compliant even if, for example, a long weekend means the activity is actually completed 12 months and 2 days after the previous occasion.