The Lighthouse: CIP low impact from the ground up – Part 2, Initial compliance steps

By Lew Folkerth, Principal Reliability Consultant, External Affairs

In this recurring column, I explore various questions and concerns related to the NERC Critical Infrastructure Protection (CIP) Standards. I share my views and opinions with you, which are not binding. Rather, this information is intended to provoke discussion within your entity. It may also help you and your entity as you strive to improve your compliance posture and work toward continuous improvement in the reliability, security, resilience and sustainability of your CIP compliance programs. At times I may also discuss areas of the standards that other entities may be struggling with and share my ideas for overcoming those known issues. As with lighthouses, I can’t steer your ship for you, but perhaps I can help shed light on the sometimes-stormy waters of CIP compliance.

Photo: Little Traverse Lighthouse, Harbor Point, Michigan (Lew Folkerth)

In this series of articles, I’ll explore the NERC CIP Standards applicable to low impact Bulk Electric System Cyber Systems. These articles are my opinions only – consider them to be my advice to you. Most of this advice will reference the enforceable language of the Reliability Standards, and I’ll quote the applicable wording or provide links to the applicable documents. The enforceable language of the standards will always govern, and if you think my advice conflicts with this language, please let me know.

In the low-impact series, I will tell you what you must accomplish and what you should accomplish with your compliance program. But I cannot tell you how to be compliant. How you implement these standards is individual to each organization.

I’m going to assume you are new to the CIP Standards. I will begin with some foundational material before progressing to more advanced topics and provide links that may be useful for your own reference library.

In Part 1 of this series, I discussed why Reliability Standards are needed, how NERC came into existence, what a Reliability Standard looks like, and how to read it. In this Part 2, I’ll give you an introduction to the applicable CIP Standards and an overview of the steps needed to begin your CIP compliance program at the low impact level.

Applicability of the CIP Standards

The CIP Standards are applicable to NERC registered entities that are registered as one or more of the following: 

• Balancing Authority (BA)
• Generator Operator (GOP)
• Generator Owner (GO)
• Reliability Coordinator (RC)
• Transmission Operator (TOP)
• Transmission Owner (TO)

The CIP Standards are also applicable to a Distribution Provider (DP) that owns a load shedding system (UFLS or UVLS), a Remedial Action Scheme, a transmission protection system, or a Blackstart cranking path. See the Applicability section of CIP-002 BES Cyber System Categorization for detailed information. 

The CIP Standards are not the only Reliability Standards. You should also be familiar with the non-CIP “Operations and Planning” Standards. 

Introduction to Low Impact Standards

At the low impact level, you are subject to three CIP Standards: CIP-002-5.1a, CIP-003-8, and CIP-012-1.

If you are a Transmission Owner, you may also need to comply with the physical security standard, CIP-014-3. You can obtain a copy of each of these standards free of charge from the NERC Reliability Standards page.

CIP-002-5.1a (Cyber Security – BES Cyber System Categorization) requires you to identify and document your medium and high impact BES Cyber Systems, or your BES assets containing low impact BES Cyber Systems. 

CIP-012-1 (Cyber Security – Communication between Control Centers) requires you to protect certain types of communications between Control Centers. 

CIP-014-3 (Physical Security) requires you to physically protect substations that could cause serious disruption if attacked. 

CIP-003-8 (Cyber Security – Security Management Controls) contains most of the requirements you will need to comply with at the low impact level. These requirements include: 

• Establishing cyber security policies
• Designating a CIP Senior Manager, and, optionally, delegates
• Reinforcing cyber security awareness
• Implementing physical security controls
• Implementing electronic security controls
• Incident planning and response
• Implementing protections for Transient Cyber Assets
• Implementing protections for Removable Media

I will explore each of these requirements more thoroughly in later articles.