
NERC CIP

North American Electric Reliability Corporation Critical Infrastructure Protection — the mandatory cyber-security standards for the Bulk Electric System in North America. The legal regime that turns 'we should secure the substation' into 'a FERC fine if we don't', and the closest the world has to a directly-enforced OT cyber-security framework.

Also: CIP, NERC, NERC Critical Infrastructure Protection

NERC CIP is the family of mandatory cyber-security reliability standards developed by the North American Electric Reliability Corporation, approved by the Federal Energy Regulatory Commission (FERC), and enforced against owners and operators of the Bulk Electric System (BES) through NERC's Regional Entities under FERC oversight. It is the longest-standing OT cyber-security regime that is directly legally enforceable against asset owners with material financial penalties: up to one million US dollars per violation per day, a statutory figure that FERC adjusts upward for inflation.

The regime is what gives the rest of the industry its compliance grammar: when European or UK utilities talk about "CIP-style controls" (Electronic Security Perimeters, BES Cyber System categorisation, baseline configurations) they are borrowing CIP's vocabulary even though the regime they are actually subject to is NIS.

What it covers

The currently enforceable CIP standards run from CIP-002 to CIP-015 (CIP-001, Sabotage Reporting, was retired and its content moved to the EOP standards). The ones that show up most in substation conversations are:

Standard   Topic
CIP-002    Categorisation of BES Cyber Systems by impact (High / Medium / Low)
CIP-003    Security management controls (CIP-003-9, enforceable from April 2026, expands the low-impact controls, notably around vendor electronic remote access)
CIP-004    Personnel and training
CIP-005    Electronic Security Perimeter(s): the firewalled boundary around BES Cyber Systems
CIP-006    Physical security of BES Cyber Systems
CIP-007    System security management: patching, ports and services, malware prevention, logging
CIP-008    Incident reporting and response planning
CIP-009    Recovery plans for BES Cyber Systems
CIP-010    Configuration change management and vulnerability assessments
CIP-011    Information protection
CIP-012    Communications between Control Centres (CIP-012-2 adds availability protections to the existing confidentiality and integrity requirements for real-time data)
CIP-013    Supply chain risk management (directed by FERC Order 829 in 2016, approved in Order 850 in 2018, effective 2020, so it predates SolarWinds rather than responding to it)
CIP-014    Physical security of critical transmission stations and substations, added after the 2013 Metcalf attack
CIP-015    Internal Network Security Monitoring (INSM), developed in 2024 under FERC Order 887 in response to intrusions that operated from already-trusted positions

CIP-015 is the most recent addition. It mandates network-based detection inside the Electronic Security Perimeter, not just at its boundary: east-west traffic between relays, RTUs and HMIs that never crosses the ESP firewall and is therefore invisible to CIP-005 perimeter logging. That is a direct consequence of Industroyer-class tradecraft, which operates from already-trusted positions on the OT network and speaks the same protocols (IEC 61850, DNP3, IEC 104) as the legitimate traffic around it.
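To make concrete what "detection inside the perimeter, not just at it" means in practice, the following is an added example (not from the page, NERC, or any vendor) of the simplest INSM pattern: learn an allow-list of intra-ESP conversations during a baseline window, then flag any later flow that falls outside it, with a second, louder reason when a device that only ever answered starts initiating connections. All addresses, ports, device roles and flow records are constructed for the example; real INSM would ingest NetFlow/IPFIX or a span-port sensor rather than a hard-coded list.

```python
"""Baseline-and-alert sketch of Internal Network Security Monitoring (INSM).

Added example, not from the page or from NERC. Everything below the ESP
firewall is east-west traffic that CIP-005 perimeter logs never see, which
is exactly the visibility gap CIP-015 is meant to close.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed address plan (assumption): 10.20.0.0/24 is the substation ESP.
ESP_PREFIX = "10.20.0."

# Constructed learning-window flows: normal SCADA and engineering chatter.
BASELINE_FLOWS = [
    Flow(1, "10.20.0.10", "10.20.0.50", 20000, "tcp"),  # RTU -> relay, DNP3
    Flow(2, "10.20.0.10", "10.20.0.51", 20000, "tcp"),  # RTU -> relay, DNP3
    Flow(3, "10.20.0.10", "10.20.0.52", 502, "tcp"),    # RTU -> meter, Modbus/TCP
    Flow(4, "10.20.0.20", "10.20.0.50", 102, "tcp"),    # HMI -> relay, IEC 61850 MMS
    Flow(5, "10.20.0.20", "10.20.0.51", 102, "tcp"),    # HMI -> relay, IEC 61850 MMS
]

# Constructed observation-window flows, including two things INSM should catch.
OBSERVED_FLOWS = [
    Flow(100, "10.20.0.10", "10.20.0.50", 20000, "tcp"),  # normal
    Flow(101, "10.20.0.20", "10.20.0.51", 102, "tcp"),    # normal
    Flow(102, "10.20.0.52", "10.20.0.50", 102, "tcp"),    # meter speaking MMS to a relay: never seen
    Flow(103, "10.20.0.50", "10.20.0.20", 445, "tcp"),    # relay -> HMI over SMB: lateral-movement shape
    Flow(104, "10.20.0.10", "10.20.0.52", 502, "tcp"),    # normal
    Flow(105, "10.20.0.20", "10.20.0.51", 102, "tcp"),    # normal, repeat
]


def in_esp(ip):
    """Crude prefix test so the example has no dependencies; use ipaddress in real code."""
    return ip.startswith(ESP_PREFIX)


def learn_baseline(flows):
    """Allow-list of intra-ESP (src, dst, dport, proto) conversations from the learning window."""
    return {
        (f.src, f.dst, f.dport, f.proto)
        for f in flows
        if in_esp(f.src) and in_esp(f.dst)
    }


def detect(flows, baseline):
    """Return one alert per previously unseen intra-ESP conversation.

    Reasons:
      new_conversation  the (src, dst, dport, proto) tuple was not in the baseline
      new_initiator     the source never initiated anything during the baseline,
                        i.e. a device that only answered is now calling out
    """
    initiators = {src for (src, _, _, _) in baseline}
    alerts, seen = [], set()
    for f in flows:
        if not (in_esp(f.src) and in_esp(f.dst)):
            continue  # north-south traffic is the perimeter's job (CIP-005), not INSM's
        key = (f.src, f.dst, f.dport, f.proto)
        if key in baseline or key in seen:
            continue
        seen.add(key)  # alert once per new conversation, not once per packet
        reasons = ["new_conversation"]
        if f.src not in initiators:
            reasons.append("new_initiator")
        alerts.append({"ts": f.ts, "src": f.src, "dst": f.dst,
                       "dport": f.dport, "proto": f.proto, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS)
    for alert in detect(OBSERVED_FLOWS, baseline):
        print(alert)
```

Both flagged flows would pass a perimeter firewall untouched, because neither crosses the ESP; the second one (a protective relay opening SMB to the HMI) is the kind of event an INSM programme exists to surface. A production deployment would add protocol-aware checks (for example, IEC 61850 control operations from an unexpected client) and would age the baseline rather than freeze it.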

Impact-based scoping

CIP-002 categorises BES Cyber Systems into three impact tiers using the bright-line criteria in its Attachment 1, and the obligations in the other standards scale accordingly:

  • High impact: Control Centres (and their backups) that perform the functional obligations of a Reliability Coordinator, Balancing Authority, Transmission Operator or Generator Operator at the Attachment 1 thresholds. The strictest control set.
  • Medium impact: generation and transmission assets above defined thresholds, typically Transmission Facilities operated at 500 kV or above, 200 to 499 kV stations whose connected lines exceed an aggregate weighted value, and generation whose aggregate net Real Power capability exceeds 1500 MW in a single Interconnection.
  • Low impact: everything else in scope. The least onerous tier, but CIP-003-9 (enforceable from April 2026) materially expands what low-impact entities have to do, particularly around vendor electronic remote access and supply-chain controls.

This impact-based scoping is the part that 62443’s risk-driven approach echoes most clearly, though the two arrived at the structure independently.

Where it sits relative to 62443

CIP is outcome- and process-based; IEC 62443 is architecture- and control-based. They map onto each other but were not designed to. The ISA Security Compliance Institute publishes a comparison claiming approximately 95% of CIP technical controls can be evidenced through 62443 conformance, which is the basis for the “use 62443 as your control catalogue, demonstrate CIP compliance with the resulting evidence” pattern that mature North American utilities adopt.

The difference is enforcement: 62443 is voluntary; CIP is law. A 62443-compliant substation that violates CIP gets fined; a CIP-compliant substation that ignores 62443 does not.

Why the GB reader cares

NERC CIP is not directly applicable in GB. But:

  • Vendor product roadmaps are driven by it. Any IED, gateway, or substation product from a global vendor (SEL, Siemens, Hitachi Energy, GE Vernova, ABB) is built to CIP-relevant requirements first, because the North American market sets the floor.
  • The FERC orders point the threat-model conversation. FERC Order 850 (supply chain), Order 887 (INSM), and similar are the public regulatory acknowledgement of what threat actors are doing, often years before the analogous UK or EU requirements.
  • The CIP audit cadence is what produces the public lessons-learned reports that the rest of the world reads — the NERC Lessons Learned series and the ICS-CERT/CISA advisories overlap heavily with what gets surfaced in CIP audits.

For a GB transmission or distribution operator, CIP is the standard the kit was built to comply with even if the operator is regulated under NIS.