300 Questions and Answers for Exam Preparation
Q1: What does NERC stand for?
ANSWER NERC stands for North American Electric Reliability
Corporation, a not-for-profit international regulatory authority responsible
for the reliability and security of the bulk power system in North America.
Q2: What is the primary purpose of NERC CIP standards?
ANSWER The primary purpose of NERC CIP (Critical Infrastructure
Protection) standards is to protect the critical cyber assets of the bulk
electric system from security compromises that could lead to instability,
uncontrolled separation, or cascading failures.
Q3: When were NERC CIP standards first mandated?
ANSWER NERC CIP standards became mandatory and enforceable on
June 18, 2007, following approval by the Federal Energy Regulatory
Commission (FERC).
Q4: What is a Bulk Electric System (BES)?
ANSWER The Bulk Electric System includes facilities and control systems
necessary for operating an interconnected electric energy transmission
network, generally operating at 100 kV or higher, and real power and
reactive supplies connected to such facilities.
Q5: What is the difference between High Impact, Medium Impact, and Low
Impact BES Cyber Systems?
ANSWER High Impact systems can cause widespread instability or
uncontrolled separation; Medium Impact systems can cause instability,
uncontrolled separation, or cascading within an interconnection; Low
Impact systems, if compromised, would not create an adverse impact on
the reliable operation of the BES.
Q6: What is a BES Cyber System?
ANSWER A BES Cyber System is one or more BES Cyber Assets
logically grouped by a responsible entity to perform one or more reliability
tasks for a functional entity.
Q7: What is a BES Cyber Asset?
ANSWER A BES Cyber Asset is a cyber asset that, if rendered
unavailable, degraded, or misused, would adversely impact one or more
facilities, systems, or equipment that are necessary for the reliable
operation of the BES.
Q8: What is an Electronic Access Point (EAP)?
ANSWER An Electronic Access Point is a physical or logical interface that
allows electronic access to BES Cyber Systems from Cyber Assets that are
not Intermediate System Access Points, located within the Electronic
Security Perimeter.
Q9: What is an Electronic Security Perimeter (ESP)?
ANSWER An Electronic Security Perimeter is the logical border
surrounding a network to which BES Cyber Systems are connected, using
a routable protocol.
Q10: What is a Physical Security Perimeter (PSP)?
ANSWER A Physical Security Perimeter is the physical border
surrounding locations in which BES Cyber Systems, BES Cyber Assets, or
Electronic Access Control and Monitoring Systems reside, and for which
access is controlled.
Q11: What is FERC?
ANSWER FERC is the Federal Energy Regulatory Commission, an
independent agency that regulates the interstate transmission of electricity,
natural gas, and oil, and has authority to approve and enforce NERC
standards.
Q12: What are the consequences of non-compliance with NERC CIP
standards?
ANSWER Consequences include monetary penalties up to $1 million per
day per violation, mandated corrective actions, increased oversight,
potential loss of operating authority, and damage to reputation and
stakeholder confidence.
Q13: What is a Responsible Entity?
ANSWER A Responsible Entity is an entity registered with NERC that has
obligations under one or more reliability standards, including Balancing
Authorities, Generator Owners, Generator Operators, Transmission
Owners, Transmission Operators, and Distribution Providers.
Q14: What is the purpose of CIP-002?
ANSWER CIP-002 (BES Cyber System Categorization) requires
responsible entities to identify and categorize their BES Cyber Systems
and associated BES Cyber Assets according to their impact on the reliable
operation of the bulk electric system.
Q15: What is the purpose of CIP-003?
ANSWER CIP-003 (Security Management Controls) requires entities to
develop and implement security management controls that provide cyber
security policies and procedures for protecting BES Cyber Systems.
Q16: What is the purpose of CIP-004?
ANSWER CIP-004 (Personnel and Training) requires entities to implement
personnel risk assessment programs, training programs, and access
control for personnel with authorized electronic or physical access to BES
Cyber Systems.
Q17: What is the purpose of CIP-005?
ANSWER CIP-005 (Electronic Security Perimeter) requires entities to
identify and protect the Electronic Security Perimeters within which BES
Cyber Systems reside and to control electronic access at all EAPs.
Q18: What is the purpose of CIP-006?
ANSWER CIP-006 (Physical Security of BES Cyber Systems) requires
entities to implement physical security controls and monitoring to protect
BES Cyber Systems from unauthorized physical access.
Q19: What is the purpose of CIP-007?
ANSWER CIP-007 (System Security Management) requires entities to
implement security controls for BES Cyber Systems, including security
patch management, malicious code prevention, security event monitoring,
and account and password management.
Q20: What is the purpose of CIP-008?
ANSWER CIP-008 (Incident Reporting and Response Planning) requires
entities to develop, implement, and maintain cyber security incident
response plans to mitigate the impact of cyber security incidents.
Q21: What is the purpose of CIP-009?
ANSWER CIP-009 (Recovery Plans for BES Cyber Systems) requires
entities to develop recovery plans for BES Cyber Systems to ensure
continuity of operations following a cyber security incident.
Q22: What is the purpose of CIP-010?
ANSWER CIP-010 (Configuration Change Management and Vulnerability
Assessments) requires entities to implement configuration management
and vulnerability assessment programs for BES Cyber Systems.
Q23: What is the purpose of CIP-011?
ANSWER CIP-011 (Information Protection) requires entities to implement
information protection programs to prevent unauthorized access,
modification, or disclosure of BES Cyber System Information.
Q24: What is the purpose of CIP-013?
ANSWER CIP-013 (Supply Chain Risk Management) requires entities to
develop and implement plans for mitigating cyber security risks to the BES
from vendor, supplier, and contractor relationships.
Q25: What is a CIP Senior Manager?
ANSWER A CIP Senior Manager is a single senior management official
with overall authority and responsibility for leading and managing the
entity’s implementation of, and adherence to, CIP standards.
Q26: What is a cyber security incident?
ANSWER A cyber security incident is a malicious act or suspicious event
that disrupts, or was an attempt to disrupt, the operation of those