Debriefing: NERC CIP 011 Standards

Thursday, March 31, 2011

Ron Lepofsky


A few weeks ago I wrote about the anticipated positive aspects of NERC CIP 011.

I received comments and questions about timing of approval and implementation, as well as a request to briefly clarify the intent of the current standards. So here goes.

Approval Status of CIP Version 4 Standards

NERC CIP 011 was approved by the NERC Board of Trustees on January 24, 2011, and is now collectively called CIP Version 4 standards; CIP 002-4 through CIP-009-4.

My understanding is the standards have been recently filed with FERC for approval for the US, and they have similarly been filed for approval with a variety of Canadian provincial authorities for consideration.

Once approved, CIP Version 4 standards will completely replace the current CIP standards.

To assist those wishing to receive first hand updates on CIP developments directly from the NERC site, I'm providing a navigation guide to get you directly to where you need to go:

1. NERC CIP home page:

2. In the top blue banner, click "Standards"

3. In the drop-down menu, click "Standards under development".

4. In the search box in the upper right, search for "CIP".

5. Select "CIP 011-1"

6. Click on "Project 2008-6- Cyber Security - Phase II Standards" (Jan 31, 2011)

7. This page shows you the current status of approval and you can review each standard during its various versions of iteration.

Summary of Current NERC CIP Standards

The current standards can be reviewed on the NERC site by clicking "Standards" in the top blue banner, and then "Reliability Standards" and then finally click Critical Infrastructure Protection (CIP) or just click:|20

As they now stand, here's what they mean:

  • CIP 001-1a Sabotage Detection
    Identify and report on anomalous activities. Triage to determine if they constitute possible sabotage and report accordingly.
  • CIP 003-3 Security Management Controls
    Implement control points for the critical assets identified in CIP 002. In my opinion this standard is not sufficiently proscriptive, but version 4 will add immensely.
  • CIP 004-3 Personnel and Training
    Training employees on how to comply with physical security access controls as well as IT security awareness training.
  • CIP 005-2a, 005-3, and 005-4 Electronic Security Perimeter(s)
    Just like it sounds for IT perimeter security, but overlaying the standard on some of the other standards. Again in my opinion this standard is insufficient in specific security controls: deterrent, preventative, detective, corrective, recovery, and compensating. I'm looking forward to Version 4!
  • CIP 006-3c and 006-4 Physical Security of Critical Cyber Assets
    Ditto for CIP 005 but for physical security.
  • CIP 007-3 and 007-4 Systems Security Management
    This is the compliance piece; monitoring, testing, gap analysis, for logical (technical), physical, and policy control points. It includes having test or audit plans and actually implementing the plans.
  • CIP 008-3 Incident Reporting and Response Planning
    This standard identifies compliance requirements for incident reporting plans for other CIP standards, but does not really identify how to create and test a process for incident monitoring / analysis and triage / reporting.
  • CIP 009-3 and 009-4 Recovery Plans for Critical Cyber Assets
    Ditto for CIP 008-3 but for DRP.
  • CIP 010-1 BES Cyber System Categorization ( in draft)
    This is a superset of CIP 002 cyber asset identification, to include the systems to which cyber assets belong. This is more in-line with classic IT security as a compromised system can provide an attack vector to one of its subsystems.

Have a secure week.

Ron Lepofsky CISSP, CISM, BA. SC. (mechanical)

Possibly Related Articles:
SCADA Compliance Networks Standards NERC CIP FERC
Post Rating I Like this!
Tom Alrich For those looking to see the CIP standards that are currently approved by NERC, go to|20 There you can see both CIP Versions 3 (currently in force) and 4 (approved by NERC but awaiting FERC approval).
For following the progress of CIP version 5, which is in active development by what's called the CSO706 Standards Drafting Team, the best way to get details is to subscribe to the SDT's "Plus List". I can tell anyone who wishes how to do that if you'll email me at
Matrikon also has a very recent Open Letter on the status of CIP Version 5, available here:
Natasha Sheel Hi all you might find this link useful in NERC CIP implementation.
A pragmatic guide to NERC CIP 003

There are also a couple of papers on Stuxnet as well which are very interesting!

Hope they are helpful!
Mr. Winston Shines Dear Mr. Ron Lepofsky,
What you are writing about is the key to the U.S. securing our grid against cyber attacks for example the attack on the NASDAQ. For more info and other cyber attacks go to though from reading your blog I am sure the top 5 is old news to you. Great work, writings such as your blog lessen the chances and lower the damages of future attacks.


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.