NERC / CIP




NERC is the North American Electric Reliability Corporation. It was formed in 1968 to develop security standards to ensure that the bulk electric system in North America is reliable. More than 334 million people rely on 1,865 Registered Entities that produce electricity and serve it over 211,000 miles of high-voltage transmission line. NERC's Critical Infrastructure Protection (CIP) Reliability Standards provide Registered Entities with requirements for compliance. This page provides background information about CIP and describes how solutions from Qualys help Registered Entities to be compliant.



About NERC / CIP

NERC introduced its Critical Infrastructure Protection (CIP) Reliability Standards CIP-002-1 through CIP-009-1 in 2006. In 2009, it approved version 2 of these standards and began auditing Registered Entities for compliance. All Registered Entities must comply with these eight categories of controls for securing critical cyber assets used to protect the bulk electric system. They include: Cyber Asset Identification, Security Management Controls, Personnel & Training, Electronic Security Perimeter(s), Physical Security, Systems Security Management, Incident Reporting and Response, and Recovery Plans for Critical Cyber Assets. Verification of compliance with CIP shows that a Registered Entity is providing optimal protection for the bulk electric system.



Why NERC / CIP Matters to Your Organization

Registered Entities are familiar with threats to critical cyber infrastructure, which may come from sovereign states, terrorists, criminals, and even lone hackers. A successful exploit would be disastrous if it stopped delivery of electric power. NERC provided CIP controls to strengthen security of the bulk electric system, and after years of preparation, Registered Entities must now prove they are compliant. As of June 30, 2010, all Registered Entities must prove "auditable compliance" on a semi-annual basis or be subject to penalties, which could be substantial — up to $1 million per day depending on risk and severity. Other breach-related costs will be incurred for discovery and containment, investigation of the incident, remediation expenses, attorney and legal fees, loss of customer confidence, lost sales and revenue, brand degradation, and so on. Compliance is a serious responsibility on many levels.



Considerations for a NERC / CIP Security Compliance Program

Registered Entities have had several years to implement the CIP standards and should, by now, have deployed most of their controls. NERC is now engaged in three kinds of compliance activities: compliance monitoring, compliance enforcement, and managing a due process for Registered Entities that wish to contest audit violation findings. NERC relies on Regional Entities to enforce CIP standards with bulk power system owners, operators, and users. Guidelines for CIP compliance are specified in the NERC Compliance Monitoring and Enforcement Program: 2010 Implementation Plan. NERC expects all Registered Entities to be subject to self-certifications on CIP requirements for the past year. As noted, failure to pass an audit (including remediation of outstanding critical issues) can result in substantial financial penalties for each Registered Entity, depending on severity level.



How Qualys Solutions Help Registered Entities Meet NERC / CIP Requirements

Qualys solutions in the QualysGuard IT Security and Compliance Suite directly fulfill CIP requirements for scanning of vulnerabilities in critical cyber assets. These Qualys solutions also serve as a "control of controls," which means they are the crucial means for auditing a multitude of other security controls to ensure that those are operational and properly configured.


Qualys solutions touch six of CIP's eight reliability standards. The following is a summary of how these requirements are met by solutions in the QualysGuard IT Security & Compliance Suite. For a detailed explanation requirement-by-requirement, see Vulnerability and Policy Management for NERC Compliance.


NERC Requirements | QualysGuard Capabilities

CIP-002 Critical Cyber Asset Identification

Requirement: Identify and document a risk-based assessment method that will be used to identify critical assets. R2 requires a documented list of critical cyber assets and an annual review to keep that list current. Management will approve the list of critical cyber assets. A third party without a vested interest shall monitor compliance with CIP-002.

QualysGuard capabilities:
  • On demand risk assessment automatically fulfills the Cyber Asset Identification requirement of NERC by discovering all assets on the critical network and documenting security vulnerabilities for remediation (R2 and R3)
  • Management is given the opportunity to review and approve the assets and assessments with either the vulnerability or policy compliance modules (R4)
  • Qualys becomes the third party with no vested interest

CIP-003 Cyber Security Management Controls

Requirement: "The Responsible Entity shall document and implement a cyber security policy that represents management's commitment and ability to secure critical assets. Exceptions to the cyber security policy must include an explanation and approval."

QualysGuard capabilities:
  • Provides technical controls for the cyber assets, along with the data points or policies for those assets, and lets management add their own company or technical policies
  • Documents exceptions, approvals and denials (R3)

CIP-005 Cyber Electronic Security Perimeter(s)

Requirement: Requires the identification and protection of the Electronic Security Perimeter(s) and Access Points where Cyber Assets reside (R1 and R4).

QualysGuard capabilities:
  • Automatically fulfills the requirement to identify (by discovery) and protect the Cyber Assets and Electronic Security devices, including Access Points
  • Uses the largest database of vulnerability tests and intelligent scanning technology to ensure comprehensiveness and accuracy

CIP-007 Cyber Systems Security Management

Requirement: "Define methods, processes and procedures for securing those systems determined to be Critical Cyber Assets (R1 and R3)." "Document technical and procedural controls to enforce authentication, accountability and user activity (R5)." Finally, an annual third-party review of the perimeter is required (R8).

QualysGuard capabilities:
  • Automated, comprehensive reports provide instant assessment of risks, priorities and tips for vulnerability remediation
  • Includes the guidelines provided by vendors and best-practice or adopted frameworks
  • Security patch management information is passed on to the user/assessor
  • Includes controls for authentication and account management
  • Qualys becomes the third-party annual reviewer

CIP-008 Cyber Security Incident Reporting and Response Planning

Requirement: "...ensure the identification, classification, response and reporting of Cyber Incidents"

QualysGuard capabilities:
  • Automatically documents all security incidents and the subsequent effects of vulnerability remediation
  • Security audit assessments provide hard data for conceiving, implementing and managing the response to security incidents

CIP-009 Cyber Security Recovery Plans for Critical Cyber Assets

Requirement: "...ensures that recovery plan(s) are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices."

QualysGuard capabilities:
  • Provides for customization of CIP vulnerability management compliance data for monitoring and retention by the Registered Entity