Market Research Logo

Understanding the NERC-CIP Regulations for Critical Infrastructure Organizations, 2018

Understanding the NERC-CIP Regulations for Critical Infrastructure Organizations, 2018

The most significant threat is no longer threats to human lives or property from physical attacks—rather the threat lies in more covert warfare tactics, including cyber-attacks and attacks that can cripple, obstruct, or destroy operations within critical infrastructure facilities, such as utility companies, communications towers, ports, manufacturing facilities, or other critical services. In order to protect critical national infrastructure (CNI) entities from these more sophisticated attacks and ensure proper security postures, the North America Electric Reliability Corporation (NERC) has updated its Critical Infrastructure Protections (CIP) regulations to encourage CNI organizations to improve their security posture; protect their information and operational technology systems, networks, and physical assets; and plan for how to keep their networks and assets secure through a continually advancing technological environment. The NERC-CIP regulations provide specific guidance, requirements, and measures for CNI organizations to follow to protect their current assets, enforce proper security protocols and standards, plan for and respond to any security incidents accordingly, and ensure their assets remain protected from malicious actors.

Research Scope
This research service includes all of the NERC-CIP regulations as written by the NERC Organization, as well as the listed measurements and evidence required for critical infrastructure. Each CIP includes the specified requirements for each compliance category as well as types of documentation, evidence, and plans to show requirements have been met. This service also includes analyst insight into the specific tasks to be performed for each requirement and a clear listing of evidence types for CNI organizations to provide in order to show compliance. This service further details some of the key vendors offering compliance technology solutions, consulting expertise in NERC-CIP regulations, or both types of services for customers. This listing, however, is not exhaustive of all vendors in the market. Key information includes:

NERC-CIP listings for requirements 002-011, and CIP-014
Listing of CIP measurements to show compliance
History of the NERC Organization and the evolution of the requirements
Key changes to the NERC-CIP regulatory enforcement and raised security profiles for CNI organizations
Summary of requirement listings and key takeaways for CNI organizations
Listing of key vendors and specialization

Key Issues Addressed
What are the full regulatory requirements for NERC-CIP compliance?
What is the history behind the evolution of the NERC-CIP requirements?
What documentation, measurements, or evidence do critical infrastructure entities need to provide to show compliance?
Who are some of the key vendors who can help critical infrastructure customers reach full compliance?
What NERC-CIP requirements do these vendors’ solutions help customers to achieve?


  • Executive Summary
    • Key Findings
  • Definitions
  • Evolution of NERC-CIP Requirements
    • The New Cyber Threat-Critical Infrastructure Sites
    • Critical Infrastructure Sites Already Targeted
    • Standardizing the Regulatory Environment
    • Revised Standards to Meet Changing Technology Needs
  • Drivers and Restraints
    • Market Drivers
    • Drivers Explained
    • Market Restraints
    • Restraints Explained
  • Regulatory Breakdown
    • Introduction to NERC-CIP Regulations
    • CIP-002: Classification of BES Systems
    • CIP-003: Security Management Controls
    • CIP-004.1: Personnel and Training
    • CIP-004.2: Personnel and Training
    • CIP-004.3: Personnel and Training
    • CIP-004, 4.1-4.2: Personnel and Training
    • CIP-004, 4.3-4.4: Personnel and Training
    • CIP-004, 5.1-5.3: Personnel and Training
    • CIP-004, 5.4-5.5: Personnel and Training
    • CIP-005, 1.1-1.5: Electronic Security Perimeters
    • CIP-005, 2.1-2.3: Electronic Security Perimeters
    • CIP-006, 1.1-1.3: Physical Security of BES Cyber Systems
    • CIP-006, 1.4-1.7: Physical Security of BES Cyber Systems
    • CIP-006, 1.8-1.10: Physical Security of BES Cyber Systems
    • CIP-006, 2.1-2.3: Physical Security of BES Cyber Systems
    • CIP-006, 3.1: Physical Security of BES Cyber Systems
    • CIP-007, 1.1-1.2: Cybersecurity Systems Management
    • CIP-007, 2.1-2.2: Cybersecurity Systems Management
    • CIP-007, 2.3-2.4: Cybersecurity Systems Management
    • CIP-007, 3.1-3.3: Cybersecurity Systems Management
    • CIP-007, 4.1-4.4: Cybersecurity Systems Management
    • CIP-007, 5.1-5.4: Cybersecurity Systems Management
    • CIP-007, 5.5-5.7: Cybersecurity Systems Management
    • CIP-008, 1.1-1.4: Cybersecurity Incident Reporting and Response Planning
    • CIP-008, 2.1-2.3: Cybersecurity Incident Reporting and Response Planning
    • CIP-008, 3.1-3.2: Cybersecurity Incident Reporting and Response Planning
    • CIP-009, 1.1-1.5: Recovery Plans for BES Cyber Systems
    • CIP-009, 2.1-2.3: Recovery Plans for BES Cyber Systems
    • CIP-009, 3.1-3.2: Recovery Plans for BES Cyber Systems
    • CIP-010, 1.1-1.2: Configuration Change Management and Vulnerability Assessments
    • CIP-010, 1.3-1.5: Configuration Change Management and Vulnerability Assessments
    • CIP-010, 2.1: Configuration Change Management and Vulnerability Assessments
    • CIP-010, 3.1-3.2: Configuration Change Management and Vulnerability Assessments
    • CIP-010, 3.3-3.4: Configuration Change Management and Vulnerability Assessments
    • CIP-010, 4.1: Configuration Change Management and Vulnerability Assessments
    • CIP-011, 1.1-1.2: Cybersecurity Information Protection
    • CIP-011, 2.1-2.2: Cybersecurity Information Protection
    • CIP-014, 1.1-1.2: Physical Security
    • CIP-014, 2.1-2.4: Physical Security
    • CIP-014, 3.1: Physical Security
    • CIP-014, 5.1-5.4: Physical Security
    • CIP-014, 6.1-6.4: Physical Security
  • Key Vendors
    • Vendor Landscape per Regulation
    • Solution Providers or Consultancies
  • Growth Opportunities
    • Growth Opportunity 1-Consultancy Services
    • Growth Opportunity 2-Industrial-Specific Cyber Solutions
    • Growth Opportunity 3-Ongoing Security Convergence
    • Growth Opportunity 4-Partner Networks for Full Compliance
    • Strategic Imperatives for Success and Growth
  • The Last Word
    • The Last Word-3 Big Predictions

Download our eBook: How to Succeed Using Market Research

Learn how to effectively navigate the market research process to help guide your organization on the journey to success.

Download eBook

Share this report