Skip to content ↓ | Skip to navigation ↓

The power and electric industry has one underlying mission: the reliable delivery of electricity. Many in the industry see audit requirements, such as the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) Cyber Security Standards to be a major distraction from their core mission. Nevertheless, the industry is mandated to comply or face serious financial costs – yet, fines and penal­ties totaling nearly $160 million have been levied in the past five years, accord­ing to sources at NERC.

The NERC May 2013 Reliability Coordinator Compliance Analysis Report summarizes 140 total CIP viola­tions since 2008 (when compliance with CIP-002 through CIP-009 became mandatory). Compared to a total of 58 Operations & Procedures recorded viola­tions (ten in the past two years), clearly CIP violations are the majority of all reported violations.

Despite improved compliance trends, especially in self-identified violations within the power and electric industry, these five CIP standards continue to challenge registered entities:

Source: Top Five NERC CIP Audit Fails White Paper, Tripwire

CIP-004 – Personnel and Training


shutterstock_163629272Entities are required to maintain a list of personnel who have authorized cyber or unescorted physical access to critical cyber assets, which must be reviewed at least every quarter and updated within seven calendar days of any change in access rights of personnel or change of personnel with access to critical cyber assets. Further, in the event an employee is terminated, the entity must revoke the employee’s access to these assets within 24 hours.

Notable violations of this requirement include:

  • Failure to revoke cyber access to critical cyber assets for employ­ees within seven days after employees retired.
  • Granting personnel unescorted, physical access (using temporary access cards) without properly documenting authorization.
  • Vendor access lists for EMS and SCADA systems reviewed annually, not quarterly.

In order to mitigate these violations, additional security measures should be enforced, such as key card access, security guards and video monitoring the access to critical cyber assets. Entities should consider enhancing procedures for updating lists when user access changes or an employee is terminated. Lastly, authorized user access lists should be reviewed quarterly, not annually.


shutterstock_134733341Entities are mandated to have a documented personnel risk assessment program for personnel with authorized cyber or unescorted, physical access to critical cyber assets and personnel risk assessments must be updated at least every seven years.

Notable violations of this requirement include:

  • Failure to demonstrate that personnel risk assessments have been received by all personnel with logical or physical access to critical cyber assets.
  • Employees granted physical access to a protected area without prior documentation of a personnel risk assessment or within 30 days of being granted access.
  • Failure to ensure personnel risk assessments include identify verification and a seven-year criminal check, as well as updating the risk assessment every seven years.

New hire training, access procedures and access lists maintained by compliance can help mitigate the likelihood of violating this requirement. Revoke critical cyber assets for individuals who do not have an up-to-date risk assessment completed. Consolidate access lists into one list to be maintained by the compliance department, and establish procedures that mandate employees complete risk assessments as part of their new hire training.

CIP-007 – Systems Security Management


shutterstock_121667698Entities are required to establish, implement and document technical and procedural controls that enforce access authentica­tion of—and accountability for—all user activity, and that minimize the risk of unauthorized system access. These controls ensure user permissions are consistent with need-to-know informa­tion and prevent shared access of user accounts that do not have audit trails.

Notable violations of this requirement include:

  • Undefined password criteria in CIP policy as requiring the three CIP-specific characters (alpha, numeric, special).
  • Not changing the factory default accounts for cyber assets prior to putting the devices into service.
  • No policy implementa­tion to minimize and manage the scope and acceptable use of admin­istrator, shared and other generic account privileges (including factory default accounts).

The best way to manage personnel access is to create a ‘need-to-know’ basis by creating and maintaining a list of personnel with system access and documenting the access each user has. Implement software that enforces users to change passwords to critical cyber assets at least annually, although a 90-day or less password age is best practice. Review and confirm that passwords are changed and avoid joint accounts that allow multiple user access to the system under one user name and password. Institute and audit trail to document all individuals with access to the account, if joint accounts must be used. Lastly, Technical Feasibility Exception (TFE) requests should be submitted when potential gaps are required due to limited equipment.

shutterstock_134715908CIP-006 — PHYSICAL SECURITY OF CYBER ASSETS


This requirement holds entities liable for maintaining, imple­menting and documenting a physical security plan that is approved by the senior manager.

Notable violations include:

  • Failure to maintain physical security perimeters of a six-wall border.
  • Failure to provide all the protections specified for cyber assets that authorize and log access to the physical security parameter.
  • Failure to provide continuous escorted access of visitors within the physical security perimeter.

Mitigation of these violations likely calls for additional training, reminders and signage. Develop a mitigation plan that distributes reminders of procedures required for all personnel to follow when escorting visitors. Install clearly visibly door signs at each applicable access door reminding employees to be aware of individuals behind them when entering secure areas. Lastly, require all corporate IT personnel to complete the cyber security training program.

shutterstock_223225459REQUIREMENT 2 — TRAINING

Entities are required to establish, docu­ment, implement and maintain an annual cyber-security training program for personnel with authorized cyber or unescorted physical access to critical cyber assets. The cyber security train­ing program shall be reviewed annually at a minimum, and shall be updated whenever necessary.

Notable violations of this requirement include:

  • Employees failing to complete the company training for access, yet have physical access to critical cyber assets.
  • Failure to provide evidence that security training was completed for employees who had unescorted access to critical cyber assets.
  • Failure to provide evidence of train­ing within 90 calendar days for all personnel with authorized cyber or unescorted physical access to critical cyber assets, including contractors and service vendors.

Once again, reminding personnel of the required training can be a simple, yet effective step to avoiding these failures. Purchase standards compliance tracking software that can automatically send an email notification to all personnel with authorized access to critical cyber assets, reminding them to complete the required training.

In the internet security field, none of this is news. However, when critical infrastructure is at risk due to themes of week password hygiene, poor physical and cyber access controls and a lack of good training and awareness, urgency is due.

Download the complete “Top Five NERC CIP Audit Fails” white paper for more common violations, suggested mitigations and key takeaways.

Related Articles:


picCheck out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the ShellShock and Heartbleed vulnerability.

picThe Executive’s Guide to the Top 20 Critical Security Controls Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

*Images courtesy of