In an increasingly digital world, it’s easy to overlook the importance of physical security in protecting critical infrastructure. However, for organizations in the power sector, safeguarding physical assets is just as vital as cybersecurity. 

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are a set of cybersecurity and physical security regulations designed to protect the Bulk Electric System (BES) from threats, including cyberattacks and physical intrusions. Let’s explore what NERC CIP is, its relationship to physical security, and potential compliance issues for physical security devices.

What is NERC-CIP?

NERC, a not-for-profit international regulatory authority, was created to assure the effective and efficient reduction of risks to the grid’s reliability and security. Its jurisdiction includes users, owners, and operators of the bulk power system, which serves nearly 400 million people.

NERC CIP compliance is mandatory for utilities and other entities operating critical infrastructure, including electric utilities, power generation facilities, and transmission companies.These standards help prevent disruptions that could lead to widespread power outages, financial losses, or national security risks. By enforcing strict security controls — covering everything from network protections to physical access restrictions — NERC CIP ensures the reliability and resilience of the power grid, making it a cornerstone of modern infrastructure security.

What does NERC CIP have to do with physical security?

NERC CIP regulations focus on cybersecurity and IT-related controls. Several standards directly relate to physical security teams, outlining the need for:

• Monitoring and cyber-protecting physical security devices
• Robust physical safeguards to prevent unauthorized access, tampering, or physical attacks
• Managing personnel access

What are the potential compliance issues for physical security devices?

There are a number of issues that can prevent physical security devices from meeting NERC-CIP standards, including:

• Incomplete device inventory
• Undetected vulnerabilities
• Default/old/weak passwords
• Unpatched vulnerabilities
• Outdated firmware
• Devices improperly configured (hardening policies)
• Prolonged or undetected downtime

How can you stay on top of NERC CIP?

NERC CIP standards continuously evolve in response to technological advancements, emerging threats, and regulatory requirements. It’s essential to be aware of any updates or revisions so that your organization can stay compliant with physical security requirements. Put people, processes, and programs in place to track ongoing developments. NERC CIP compliance should be a key aspect of a company’s physical security strategy.

For a deep dive into specific NERC CIP standards and physical security, download the eBook “Intro to NERC CIP Compliance and Physical Security.”