COMPREHENSIVE GUIDE & ASSESSMENT –
Verified Review & Solutions
PART 1: CIP v5 FRAMEWORK OVERVIEW
1.1 Foundation: CIP-002 BES Cyber System Categorization
Purpose: Identify and categorize BES Cyber Systems based on their reliability impact to
determine applicable security requirements.
Key Concepts:
● The 15-Minute Rule: Critical Assets are those whose loss, instability, or
disconnection within 15 minutes would result in instability, uncontrolled
separation, or cascading failures affecting >300,000 persons or >3,000 MW.
● Impact Rating Methodology: Top-down approach starting with BES Facilities
(Control Centers, Transmission Stations, Generation Resources).
● Categories:
○ Critical Impact: Applies only to assets meeting the 15-minute threshold
(rare).
○ High Impact: Control centers, aggregate generation >1,500 MW, Special
Protection Schemes (SPS) with >1,500 MW impact, transmission
substations >500 kV or switching 300 kV+ at a single location.
○ Medium Impact: Distributed generation 500-1,500 MW, transmission
200-500 kV (non-critical functions), load serving >1,000 MW peak.
○ Low Impact: All other BES Cyber Systems not meeting higher thresholds.
1.2 The Security Standards (CIP-003 through CIP-011)
CIP-003: Security Management Controls
Governance layer requiring:
● Designation of a CIP Senior Manager (accountable executive)
● Documented security policies with senior manager approval
● Delegation authority for decision-making
CIP-004: Personnel & Training
Human element security:
● Personnel Risk Assessments: Pre-access screening and periodic (every 7 years
minimum)
● Training: Initial training before access, continuing every 15 months
● Access Management: Revocation within 24 hours of termination/transfer
CIP-005: Electronic Security Perimeters (ESP)
Network boundary protection:
● ESP Definition: Encompasses cyber assets within routable communication of
BES Cyber Systems
● Access Points: All entry points to ESP must have access control and monitoring
● Electronic Access Controls: Authentication, encryption (when using external
networks), automated session timeout (15 minutes for Critical/High)
CIP-006: Physical Security
Physical boundary protection:
● Physical Security Perimeter (PSP): Physical boundary encompassing BES Cyber
Systems (may differ from ESP)
● Access Controls: Key/card/badge systems, logging of entry/exit (7-year
retention)
● Monitoring: Continuous monitoring or manual patrols every 30 days for
Critical/High
CIP-007: Systems Security Management
Technical controls:
● Patch Management: Critical patches within 35 days; High/Medium within 60 days
● Ports/Services: Document all active ports/services; disable unused/unneeded
● Malware Prevention: Antivirus/whitelist on all applicable assets
● Security Event Monitoring: Monitor logs for security events (30-day retention
minimum)
CIP-008: Incident Reporting and Response Planning
Incident handling:
● Response Plans: Documented procedures for cyber security incidents
● Classification: "Reportable" vs. "Non-reportable" incidents
● Timeframes: Initial assessment within specified periods; notification to ES-ISAC
for reportable
CIP-009: Recovery Plans for BES Cyber Systems
Business continuity for control systems:
● Recovery Plans: Documented procedures to recover BES Cyber Systems within
defined timeframes
● Testing: Paper drill (tabletop) or operational testing (full or partial) every 15
months
CIP-010: Configuration Change Management
System integrity:
● Baseline Configuration: Documented "gold standard" for each BES Cyber System
● Change Management: Authorized changes only; test before implementation
● Vulnerability Assessments: Annual assessment of BES Cyber Systems
CIP-011: Information Protection
Data handling:
● BES Cyber System Information (BCSI): Information that could be used to
compromise BES Cyber Systems
● Protection: Encryption for transit/storage; disposal methods; need-to-know
access
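The ESP rule in CIP-005 (section 1.2) is easy to misread as a physical boundary, so here is an added example, not part of the guide, that derives ESP membership from a constructed asset inventory purely from routable connectivity. Assumptions not stated on the page: a multi-homed device such as a switch or router joins its segments into one routable domain, while a device flagged as an Electronic Access Point (the plant firewall) bounds the ESP, so segments on its far side are not pulled in; all asset and network names are made up.

```python
# Added example (not from the guide): ESP scoping per the CIP-005 rule quoted in
# section 1.2. Assumption: a multi-homed asset (switch/router) joins its networks
# into one routable domain; an Electronic Access Point (EAP, e.g. the plant
# firewall) bounds the ESP, so segments on its far side are not pulled in.
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class CyberAsset:
    name: str
    networks: frozenset      # routable segments the asset is attached to
    is_bcs: bool = False     # BES Cyber System (HMI, PLC, ...)
    is_eap: bool = False     # Electronic Access Point at the ESP edge

def esp_members(assets):
    """Names of every Cyber Asset on a routable network holding a BES Cyber System."""
    by_network = {}
    for a in assets:
        for n in a.networks:
            by_network.setdefault(n, []).append(a)
    # Breadth-first walk over network segments, seeded by the BES Cyber Systems
    queue = deque(n for a in assets if a.is_bcs for n in a.networks)
    in_esp_nets, members = set(), set()
    while queue:
        net = queue.popleft()
        if net in in_esp_nets:
            continue
        in_esp_nets.add(net)
        for a in by_network.get(net, []):
            members.add(a.name)           # everything on the segment is in scope
            if not a.is_eap:              # non-EAP multi-homed devices extend the domain
                queue.extend(a.networks)
    return members

# Constructed inventory mirroring the Q1 answer choices (names are made up)
INVENTORY = [
    CyberAsset("hmi-01", frozenset({"ctrl-net"}), is_bcs=True),
    CyberAsset("plc-01", frozenset({"io-net"}), is_bcs=True),
    CyberAsset("core-switch", frozenset({"ctrl-net", "io-net"})),
    CyberAsset("eng-ws-01", frozenset({"ctrl-net"})),
    CyberAsset("historian", frozenset({"ctrl-net"})),
    CyberAsset("plant-fw", frozenset({"ctrl-net", "corp-net"}), is_eap=True),
    CyberAsset("corp-laptop", frozenset({"corp-net"})),   # corporate side: out of scope
    CyberAsset("rtu-serial", frozenset()),                # serial only: not routable
]

if __name__ == "__main__":
    print(sorted(esp_members(INVENTORY)))
```

The firewall itself lands inside the ESP (it is the access point that must be monitored), while the corporate laptop behind it and the serial-only RTU do not.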
PART 2: CIP v5 PRACTICE ASSESSMENT
Section A: Categorization & Scope (Questions 1-10)
Q1: A generating station is categorized as having High Impact BES Cyber Systems.
During an audit, you're asked to identify which of the following would be considered part
of the Electronic Security Perimeter (ESP) for these systems. Which selection is MOST
accurate?
A) The entire plant fence line
B) Only the control room housing the Human-Machine Interface (HMI)
C) All cyber assets within routable communication paths to the High Impact BES Cyber
Systems
D) The corporate business network connected to the plant
Correct Answer: C
Complete Solution:
● Standard Reference: CIP-005 R1 defines the ESP as encompassing "all Cyber
Assets within a routable network that contains one or more BES Cyber Systems."
● Compliance Logic: The ESP is defined by logical (network) connectivity, not
physical boundaries. Any device with TCP/IP connectivity to High Impact BES
Cyber Systems—including intermediate network devices, engineering
workstations, or data historians—falls within the ESP and requires protection.
● Implementation Context: In practice, this means firewalls, switches, routers, and
any workstations with network access to the control system must be
documented within the ESP and subject to CIP-005 requirements (monitoring,
authentication, etc.).
● Distractor Analysis:
○ A: Describes the Physical Security Perimeter (PSP) under CIP-006, not the
logical ESP.