The IT Law Wiki


The North American Electric Reliability Corporation (NERC) developed the CIP standards, which require utilities to put in place a baseline set of security measures intended to protect the bulk power system. Currently, NERC-CIP is the only mandatory requirement that electric utilities must meet in the area of cybersecurity related to operations, outside of customer data privacy.

NERC-CIP has the following nine sections:

  • CIP-001 Sabotage Reporting
  • CIP-002 Critical Cyber-Asset Identification
  • CIP-003 Security Management Controls
  • CIP-004 Personnel and Training
  • CIP-005 Electronic Security Perimeter
  • CIP-006 Physical Security of Critical Cyber-Assets
  • CIP-007 Systems Security and Management
  • CIP-008 Incident Reporting and Response Planning
  • CIP-009 Recovery Plans for Critical Cyber-Assets.