NERC CIP (Critical Infrastructure Protection) standards govern the security of Bulk Electric System (BES) Cyber Systems in North America. The currently enforceable versions (CIP-002-5.1a through CIP-014-3) require technical controls that many utilities have been addressing with documentation instead. Enforcement by NERC and the Regional Entities has escalated as the Regional Entities have built more technically capable audit teams.
The air-gap myth is the most dangerous assumption in OT security. Modern grid operations require remote access for maintenance, real-time data feeds for energy market operations, and SCADA/EMS systems with legitimate connectivity requirements. The CIP standards never assumed an air gap: they assume routable connectivity and require it to pass through a defined Electronic Security Perimeter (ESP) at identified Electronic Access Points (EAPs). Many utilities still treat any connectivity as a compliance exception rather than a design requirement.
CIP-005: Electronic Security Perimeter Architecture
CIP-005-7 R1 requires that every applicable Cyber Asset connected to a network via a routable protocol reside within a defined ESP, that all External Routable Connectivity pass through an identified EAP, and that each EAP enforce documented inbound and outbound access permissions (with the reason for each) and deny everything else by default. For high impact BES Cyber Systems, and medium impact systems at Control Centers, the EAP must also have a method for detecting known or suspected malicious communications in both directions. The failure mode: an ESP defined on paper that does not match the network as built. Regional Entity audits consistently find boundary violations that the compliance team did not know about but that network discovery shows immediately: a dual-homed engineering workstation, an undeclared router or modem, an asset on the ESP segment that appears in no inventory.
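The reconciliation the paragraph describes, as an added example in Go (not code from the article): a documented ESP (address ranges, declared EAP interface addresses, asset inventory) is compared with constructed discovery output. The discovery model is an assumption: hosts are keyed by MAC with every address they answered for (ARP/CAM tables or passive capture), and each flow seen on the ESP segment carries the next-hop gateway resolved from the frame's destination MAC. All addresses and asset IDs are made up for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// DocumentedESP is what the compliance evidence says: the perimeter's address
// ranges, every interface address of each declared EAP, and the BES Cyber
// Asset inventory inside the perimeter. Addresses here are constructed.
type DocumentedESP struct {
	Name      string
	Prefixes  []netip.Prefix
	EAPs      map[netip.Addr]bool
	Inventory map[netip.Addr]string // address -> asset ID
}

// Host is one discovered device keyed by MAC with every IP address it was
// seen answering for (ARP/ND tables, switch CAM tables, passive capture).
type Host struct {
	MAC   string
	Addrs []netip.Addr
}

// Flow is one connection observed on the ESP segment; NextHop is the gateway
// the packet was handed to, resolved from the frame's destination MAC.
type Flow struct {
	Src, Dst, NextHop netip.Addr
	DstPort           uint16
}

type Finding struct{ Kind, Detail string }

func (d DocumentedESP) inside(a netip.Addr) bool {
	for _, p := range d.Prefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// Verify reconciles discovery data with the documented ESP. It reports hosts
// inside the perimeter that the inventory does not know about, devices with
// addresses on both sides of the boundary that are not declared EAPs, and
// traffic leaving the perimeter through a gateway other than an EAP.
func Verify(d DocumentedESP, hosts []Host, flows []Flow) []Finding {
	var out []Finding
	for _, h := range hosts {
		in, outside, declared := false, false, false
		for _, a := range h.Addrs {
			declared = declared || d.EAPs[a]
			if !d.inside(a) {
				outside = true
				continue
			}
			in = true
			if _, known := d.Inventory[a]; !known && !d.EAPs[a] {
				out = append(out, Finding{"UNDOCUMENTED_ASSET",
					fmt.Sprintf("%s (%s) is inside %s but not in the asset inventory", a, h.MAC, d.Name)})
			}
		}
		if in && outside && !declared {
			out = append(out, Finding{"DUAL_HOMED_BYPASS",
				fmt.Sprintf("%s bridges %s and an external network and is not a declared EAP: %v", h.MAC, d.Name, h.Addrs)})
		}
	}
	for _, f := range flows {
		if d.inside(f.Src) != d.inside(f.Dst) && !d.EAPs[f.NextHop] {
			out = append(out, Finding{"NON_EAP_EGRESS",
				fmt.Sprintf("%s -> %s:%d crossed %s via %s, which is not a declared EAP", f.Src, f.Dst, f.DstPort, d.Name, f.NextHop)})
		}
	}
	return out
}

// SampleData is constructed discovery output for a substation ESP; it is not
// taken from any real network.
func SampleData() (DocumentedESP, []Host, []Flow) {
	ip := netip.MustParseAddr
	esp := DocumentedESP{
		Name:      "SUB-A-ESP",
		Prefixes:  []netip.Prefix{netip.MustParsePrefix("10.50.0.0/24")},
		EAPs:      map[netip.Addr]bool{ip("10.50.0.1"): true, ip("172.16.9.1"): true},
		Inventory: map[netip.Addr]string{ip("10.50.0.10"): "RTU-SUB-A-01", ip("10.50.0.11"): "HMI-SUB-A-01"},
	}
	hosts := []Host{
		{"00:11:22:00:00:01", []netip.Addr{ip("10.50.0.1"), ip("172.16.9.1")}},   // declared EAP firewall
		{"00:11:22:00:00:10", []netip.Addr{ip("10.50.0.10")}},                     // RTU
		{"00:11:22:00:00:11", []netip.Addr{ip("10.50.0.11")}},                     // HMI
		{"00:11:22:00:00:20", []netip.Addr{ip("10.50.0.20"), ip("172.16.20.5")}}, // dual-homed engineering laptop
	}
	flows := []Flow{
		{ip("10.50.0.11"), ip("172.16.9.50"), ip("10.50.0.1"), 443},  // historian feed through the EAP
		{ip("10.50.0.10"), ip("10.50.0.11"), ip("10.50.0.11"), 502},  // intra-ESP Modbus poll
		{ip("10.50.0.10"), ip("172.16.20.5"), ip("10.50.0.20"), 502}, // RTU traffic leaving via the laptop
	}
	return esp, hosts, flows
}

func main() {
	for _, f := range Verify(SampleData()) {
		fmt.Printf("%-18s %s\n", f.Kind, f.Detail)
	}
}
```

The dual-homed check is the one that matters most in practice: flow records alone cannot show whether traffic went through the EAP, but a MAC that answers for an address inside the ESP and another outside it is a path around the perimeter regardless of what the firewall logs say.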
CIP-007: Patch Management in OT Environments
CIP-007-6 R2 requires a patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets (Part 2.1). At least once every 35 calendar days, patches released since the last evaluation must be evaluated for applicability (Part 2.2). For each applicable patch, within 35 calendar days of completing that evaluation, the entity must apply the patch, create a dated mitigation plan, or revise an existing plan (Part 2.3); the plan must then be implemented within its own timeframe unless the CIP Senior Manager or delegate approves a revision or extension (Part 2.4). Note that the 35-day clock runs from completion of the evaluation, not from the vendor's release date. The operational problem: many ICS/SCADA components run firmware that cannot be updated without a maintenance window coordinated with operations. The compliance solution is not to skip patching; it is to exercise the mitigation plan path, with dated plans and approved extensions, for patches that cannot be applied within the window.
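The R2 workflow as a state machine, written in Go as an added example (not the article's own code): each tracked patch is classified on a given date according to Parts 2.2 through 2.4, with the apply-or-plan clock started at evaluation completion. The patch IDs, asset names and dates are a constructed tracking table.

```go
package main

import (
	"fmt"
	"time"
)

const window = 35 // calendar days, CIP-007-6 R2 Parts 2.2 and 2.3

// MitigationPlan is the dated plan Part 2.3 permits instead of installing the
// patch. Part 2.4 requires it to be implemented by its own date unless the CIP
// Senior Manager or delegate approves a revision or extension.
type MitigationPlan struct {
	Created     time.Time
	DueBy       time.Time
	Implemented time.Time // zero until done
	ExtendedBy  string    // approver of an extension, empty if none
}

// Patch tracks one vendor security patch against one applicable system.
type Patch struct {
	ID, Asset  string
	Released   time.Time
	Evaluated  time.Time // date the applicability evaluation was completed
	Applicable bool
	Applied    time.Time // zero until installed
	Plan       *MitigationPlan
}

func date(s string) time.Time {
	t, err := time.Parse("2006-01-02", s)
	if err != nil {
		panic(err)
	}
	return t
}

// NextEvaluationDue implements the Part 2.2 cadence: new releases from each
// tracked source must be evaluated at least once every 35 calendar days.
func NextEvaluationDue(lastEvaluation time.Time) time.Time {
	return lastEvaluation.AddDate(0, 0, window)
}

// Status classifies a patch as of a given date. The apply-or-plan clock of
// Part 2.3 starts when the evaluation is completed, not at vendor release;
// starting it at release is the commonest tracking error.
func Status(p Patch, now time.Time) string {
	if p.Evaluated.IsZero() {
		return "AWAITING_EVALUATION"
	}
	if !p.Applicable {
		return "NOT_APPLICABLE"
	}
	deadline := p.Evaluated.AddDate(0, 0, window)
	if !p.Applied.IsZero() {
		switch {
		case !p.Applied.After(deadline):
			return "APPLIED"
		case p.Plan != nil && !p.Plan.Created.After(deadline):
			return "APPLIED_UNDER_PLAN" // late install is covered if a plan was in place
		default:
			return "VIOLATION_APPLIED_LATE"
		}
	}
	if p.Plan == nil {
		if now.After(deadline) {
			return "VIOLATION_NO_ACTION"
		}
		return fmt.Sprintf("OPEN_%d_DAYS_LEFT", int(deadline.Sub(now).Hours()/24))
	}
	switch {
	case p.Plan.Created.After(deadline):
		return "VIOLATION_PLAN_LATE"
	case !p.Plan.Implemented.IsZero():
		return "MITIGATED"
	case now.After(p.Plan.DueBy) && p.Plan.ExtendedBy == "":
		return "VIOLATION_PLAN_OVERDUE"
	}
	return "MITIGATION_IN_PROGRESS"
}

// SamplePatches is a constructed tracking table, not real patch data.
func SamplePatches() []Patch {
	return []Patch{
		{ID: "KB-1001", Asset: "EMS-SRV-01", Released: date("2024-02-20"), Evaluated: date("2024-03-01"), Applicable: true, Applied: date("2024-03-15")},
		{ID: "FW-2.4.1", Asset: "RTU-SUB-A-01", Released: date("2024-02-25"), Evaluated: date("2024-03-01"), Applicable: true,
			Plan: &MitigationPlan{Created: date("2024-03-28"), DueBy: date("2024-06-15")}}, // firmware waits for an outage window
		{ID: "KB-1002", Asset: "HMI-SUB-A-01", Released: date("2024-02-20"), Evaluated: date("2024-03-01"), Applicable: true},
		{ID: "KB-1003", Asset: "EMS-SRV-02", Released: date("2024-03-12"), Evaluated: date("2024-03-20"), Applicable: true},
		{ID: "KB-0999", Asset: "HMI-SUB-A-01", Released: date("2024-02-20"), Evaluated: date("2024-03-01"), Applicable: false},
		{ID: "FW-1.9", Asset: "RTU-SUB-B-01", Released: date("2024-01-02"), Evaluated: date("2024-01-10"), Applicable: true,
			Plan: &MitigationPlan{Created: date("2024-02-01"), DueBy: date("2024-04-01")}}, // plan date passed, no extension
	}
}

func main() {
	now := date("2024-04-10")
	for _, p := range SamplePatches() {
		fmt.Printf("%-9s %-13s %s\n", p.ID, p.Asset, Status(p, now))
	}
	fmt.Println("next evaluation due:", NextEvaluationDue(date("2024-03-20")).Format("2006-01-02"))
}
```

Two of the constructed rows are violations an audit would find from the dates alone: KB-1002 has neither an install nor a plan 35 days after evaluation, and FW-1.9 has a plan whose own implementation date passed without an approved extension. FW-2.4.1 is the case the paragraph is about: the firmware is not installed, but a dated plan was created inside the window, so it is compliant while the outage window is pending.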
CIP-013: Supply Chain Risk Management
CIP-013-2 requires each responsible entity to develop (R1) and implement (R2) a supply chain cyber security risk management plan for high and medium impact BES Cyber Systems and their associated EACMS and PACS, and to have the CIP Senior Manager or delegate review and approve it at least once every 15 calendar months (R3). The plan must cover identification and assessment of risk when procuring and installing vendor equipment and software and when transitioning between vendors, and must include processes for vendor notification of vendor-identified incidents, coordination of incident response, notification when vendor remote or onsite access should no longer be granted, disclosure of known vulnerabilities in procured products, verification of software integrity and authenticity for all software and patches provided by the vendor, and coordination of controls for vendor-initiated remote access. The finding that appears most frequently: a CIP-013 plan document with no evidence that it is operationally executed. Vendor assessments must actually be conducted, software integrity and authenticity must actually be verified before installation (CIP-010-4 R1 Part 1.6 requires the same verification per change, where the software source makes a method available), and the evidence must be retained.
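The integrity-and-authenticity step with its retained evidence, as an added Go example (not the article's or any vendor's code). It assumes the vendor publishes a signed manifest of package digests and that the utility pinned the vendor's public key out of band; the manifest format, the Ed25519 key pair, the package bytes and the asset names are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Manifest stands in for whatever the vendor publishes and signs (a SHA256SUMS
// file, a signed SBOM); the JSON shape is an assumption for this example.
type Manifest struct {
	Vendor  string            `json:"vendor"`
	Release string            `json:"release"`
	Digests map[string]string `json:"digests"` // filename -> sha256 hex
}

// Evidence is the retained record: what was checked, against which pinned
// key, when, and with what result.
type Evidence struct {
	Timestamp string `json:"timestamp"`
	Vendor    string `json:"vendor,omitempty"`
	Release   string `json:"release,omitempty"`
	File      string `json:"file"`
	KeyID     string `json:"pinned_vendor_key_id"`
	Expected  string `json:"expected_sha256,omitempty"`
	Observed  string `json:"observed_sha256"`
	Authentic bool   `json:"manifest_signature_valid"`
	Intact    bool   `json:"digest_match"`
	Result    string `json:"result"`
}

func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// VerifyPackage checks source identity (manifest signature under the key
// pinned out of band) before integrity (digest match), so an attacker who can
// replace both the package and the manifest still fails.
func VerifyPackage(pinned ed25519.PublicKey, manifestJSON, sig []byte, file string, pkg []byte, now time.Time) Evidence {
	sum := sha256.Sum256(pkg)
	ev := Evidence{Timestamp: now.UTC().Format(time.RFC3339), File: file,
		KeyID: keyID(pinned), Observed: hex.EncodeToString(sum[:])}
	ev.Authentic = ed25519.Verify(pinned, manifestJSON, sig)
	if !ev.Authentic {
		ev.Result = "REJECT_UNAUTHENTIC_MANIFEST"
		return ev // do not even parse a manifest that is not the vendor's
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		ev.Result = "REJECT_MALFORMED_MANIFEST"
		return ev
	}
	ev.Vendor, ev.Release, ev.Expected = m.Vendor, m.Release, m.Digests[file]
	ev.Intact = ev.Expected != "" && ev.Expected == ev.Observed
	if !ev.Intact {
		ev.Result = "REJECT_DIGEST_MISMATCH"
		return ev
	}
	ev.Result = "ACCEPT"
	return ev
}

// Scenario runs three constructed cases: a genuine package, a tampered
// package, and a manifest re-signed by a key that is not the pinned one.
// The vendor key pair is generated here as a stand-in; a real deployment
// pins the vendor's published key and records its fingerprint.
func Scenario() []Evidence {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, rogueKey, _ := ed25519.GenerateKey(rand.Reader)
	file := "rtu-fw-2.4.1.bin"
	genuine := []byte("constructed firmware image bytes v2.4.1")
	sum := sha256.Sum256(genuine)
	manifest, _ := json.Marshal(Manifest{Vendor: "ExampleRTU Inc.", Release: "2.4.1",
		Digests: map[string]string{file: hex.EncodeToString(sum[:])}})
	sig := ed25519.Sign(vendorPriv, manifest)
	now := time.Date(2024, 4, 10, 14, 0, 0, 0, time.UTC)

	tampered := append([]byte{}, genuine...)
	tampered[0] ^= 0x01
	tsum := sha256.Sum256(tampered)
	rogueManifest, _ := json.Marshal(Manifest{Vendor: "ExampleRTU Inc.", Release: "2.4.1",
		Digests: map[string]string{file: hex.EncodeToString(tsum[:])}})
	rogueSig := ed25519.Sign(rogueKey, rogueManifest)

	return []Evidence{
		VerifyPackage(vendorPub, manifest, sig, file, genuine, now),
		VerifyPackage(vendorPub, manifest, sig, file, tampered, now),
		VerifyPackage(vendorPub, rogueManifest, rogueSig, file, tampered, now),
	}
}

func main() {
	for _, ev := range Scenario() {
		out, _ := json.Marshal(ev)
		fmt.Println(string(out))
	}
}
```

The third case is why authenticity comes first: a digest check against a manifest downloaded from the same compromised location as the package proves nothing. The JSON record is the artifact to archive per installation; a plan that says "we verify integrity" with no such records is the finding the paragraph describes.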
CIP-010: Configuration Management in OT
CIP-010-4 R1 Part 1.1 requires a baseline configuration for each applicable BES Cyber System (individually or by Cyber Asset) covering five elements: operating system or firmware, commercially available or open-source application software, custom software, logical network accessible ports, and security patches applied. Changes that deviate from the baseline must be authorized and documented (Part 1.2), the baseline must be updated within 30 calendar days of completing the change (Part 1.3), and the CIP-005 and CIP-007 controls that could be affected must be verified after the change (Part 1.4). For high impact systems and their associated EACMS and PCA, R2 Part 2.1 requires monitoring for baseline changes at least once every 35 calendar days and documenting and investigating any unauthorized change detected. In OT environments, configuration management is considerably harder than in IT: many ICS components do not support agent-based monitoring, vendor support is inconsistent, and the change process must account for the operational risk of touching running systems. The technical implementation: file integrity monitoring for ICS components that support it, network-based configuration baselining (observed open ports and services, pulled device configurations, firmware banners) for components that do not, and a change management workflow that captures every authorized configuration change with approver identity and operational justification, so that a detected deviation can be reconciled against an approved change rather than investigated from scratch.
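The reconciliation of an observed snapshot against the baseline and the change log, as an added Go example (not the article's code). It assumes each asset's configuration can be flattened into the five baseline elements as key/value pairs, whether collected by an agent or by network-based baselining; the RTU baseline, the observed snapshot, the change records and the dates are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Config is one asset's configuration as element -> key -> value, using the
// five elements CIP-010-4 R1 Part 1.1 requires in a baseline. A value of ""
// means absent (port closed, patch not applied, package not installed).
type Config map[string]map[string]string

var elements = []string{"firmware", "software", "custom", "ports", "patches"}

// ChangeRecord is an approved change from the Part 1.2 workflow: approver,
// justification, the new value, and the date the change was completed.
type ChangeRecord struct {
	Asset, Element, Key, NewValue, Approver, Justification string
	Completed                                              time.Time
}

type Deviation struct {
	Asset, Element, Key, Baseline, Observed, Kind string
	Approver                                     string
}

func date(s string) time.Time {
	t, err := time.Parse("2006-01-02", s)
	if err != nil {
		panic(err)
	}
	return t
}

// Diff compares an observed snapshot with the baseline and classifies every
// difference: unauthorized (no matching change record), authorized with the
// baseline update still inside the 30 days Part 1.3 allows, or authorized
// with the baseline update overdue.
func Diff(asset string, baseline, observed Config, changes []ChangeRecord, now time.Time) []Deviation {
	approved := map[string]ChangeRecord{}
	for _, c := range changes {
		if c.Asset == asset {
			approved[c.Element+"|"+c.Key] = c
		}
	}
	var out []Deviation
	for _, el := range elements {
		keys := map[string]bool{}
		for k := range baseline[el] {
			keys[k] = true
		}
		for k := range observed[el] {
			keys[k] = true
		}
		sorted := make([]string, 0, len(keys))
		for k := range keys {
			sorted = append(sorted, k)
		}
		sort.Strings(sorted)
		for _, k := range sorted {
			b, o := baseline[el][k], observed[el][k]
			if b == o {
				continue
			}
			d := Deviation{Asset: asset, Element: el, Key: k, Baseline: b, Observed: o, Kind: "UNAUTHORIZED_CHANGE"}
			if c, ok := approved[el+"|"+k]; ok && c.NewValue == o {
				d.Approver = c.Approver
				d.Kind = "AUTHORIZED_PENDING_BASELINE"
				if now.Sub(c.Completed) > 30*24*time.Hour {
					d.Kind = "BASELINE_UPDATE_OVERDUE"
				}
			}
			out = append(out, d)
		}
	}
	return out
}

// SampleCase is a constructed RTU baseline, an observed snapshot pulled later,
// and the change records on file; none of it is real configuration data.
func SampleCase() (string, Config, Config, []ChangeRecord, time.Time) {
	asset := "RTU-SUB-A-01"
	baseline := Config{
		"firmware": {"version": "2.3.0"},
		"software": {"vendor-agent": "5.1"},
		"custom":   {"poll-scheduler": "sha256:4f1c"},
		"ports":    {"tcp/22": "open", "tcp/502": "open"},
		"patches":  {"FW-2.3.0-SP1": "applied"},
	}
	observed := Config{
		"firmware": {"version": "2.4.1"}, // approved upgrade, baseline not yet updated
		"software": {"vendor-agent": "5.1"},
		"custom":   {"poll-scheduler": "sha256:4f1c"},
		"ports":    {"tcp/22": "open", "tcp/23": "open", "tcp/502": "open"}, // telnet enabled, no record
		"patches":  {"FW-2.3.0-SP1": "applied", "KB-1001": "applied"},       // approved in February, baseline never updated
	}
	changes := []ChangeRecord{
		{asset, "firmware", "version", "2.4.1", "J. Ortiz (CIP Senior Manager delegate)", "vendor maintenance release, outage window 2024-03-28", date("2024-03-28")},
		{asset, "patches", "KB-1001", "applied", "J. Ortiz (CIP Senior Manager delegate)", "CIP-007 R2 applicable patch", date("2024-02-01")},
	}
	return asset, baseline, observed, changes, date("2024-04-10")
}

func main() {
	for _, d := range Diff(SampleCase()) {
		fmt.Printf("%-27s %s/%s: %q -> %q %s\n", d.Kind, d.Element, d.Key, d.Baseline, d.Observed, d.Approver)
	}
}
```

Only the telnet port is an unauthorized change that needs an investigation; the firmware and patch deviations resolve against approved records, and the patch one is itself a Part 1.3 finding because the baseline was never updated. Without the change log, all three would look identical to the monitoring tool and to an auditor.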
The Continuous Compliance Architecture
NERC CIP violations are most commonly found in the gap between point-in-time compliance and continuous compliance. The continuous compliance architecture: automated evidence collection that runs continuously and archives each artifact with a timestamp and its source; deviation detection that alerts when configurations, ESP boundaries, or patch status drift from their documented state; and a dashboard showing current status against each applicable CIP requirement. The same architecture supports the self-reporting obligation: NERC's sanction guidelines treat self-reporting as a mitigating factor, so self-reported violations carry materially lower penalties than violations discovered during an audit, and an entity cannot self-report what its own monitoring never sees.
- Conduct an ESP boundary verification using network discovery — does the documented ESP match the actual network connectivity?
- Implement the CIP-013 plan operationally — vendor assessments, software integrity verification, and evidence retention
- Build a patch management workflow that explicitly handles the "mitigation plan" path for patches that cannot be applied within 35 days
- Implement file integrity monitoring or network-based configuration baselining for all BES Cyber Assets in ESPs
- Deploy automated evidence collection for CIP compliance evidence — point-in-time evidence collection creates audit risk between audits
- Establish a self-reporting process and review internal compliance monitoring regularly; self-reported violations have materially lower penalties than audit-discovered violations