The CIP standards are mandated through NERC as the Energy Reliability Organization for the U.S.A., as chartered by the U.S. Federal Energy Regulatory Commission (FERC). By design, the CIP standards are a combination of performance-based and risk-based standards.

Performance Based

Performance-based standards define a particular reliability objective or outcome to be achieved.

In its simplest form, a results-based requirement has four components: who, under what conditions (if any), shall perform what action, to achieve what particular result or outcome.

For example, CIP-007 R9 (Documentation Review and Maintenance) states that "changes resulting from modifications to the systems or controls shall be documented within thirty calendar days of the change being completed." This CIP Standard establishes a change control performance requirement for the responsible entity; however, it is up to the responsible entity to develop and implement the system that ensures compliance with the performance measure, as the CIP Standards are based on generally accepted and ISO-defined business practices.

Risk Based

Risk-based standards describe preventive requirements that reduce the risk of failure to acceptable tolerance levels.

A risk-based reliability requirement is framed as: who, under what conditions (if any), shall perform what action, to achieve what particular result or outcome that reduces a stated risk to the reliability of the bulk power system.

For example, CIP-007 R1 (Test Procedures) requires the responsible entity to develop testing and control procedures for changes made to new and existing Critical Cyber Assets, and to define the criteria for identifying the "risk" level of implemented changes. Assessing the vulnerability of cyber security systems against specific criteria, although those criteria are not defined within the requirement itself, fulfills the "risk" intent of the CIP Standard: preventing the occurrence of non-compliant events.

WFPA Understands Standards

WFPA understands that most organizations involved in the Bulk Electric System are already working to provide cyber security. These performance-based and risk-based standards build on industry best practices to ensure both physical and cyber security. WFPA works with each client organization from this starting point to improve current work processes so that they meet or exceed the CIP requirements.

Your organization may already apply ISO and utility industry best practices in process management and in the cyber security controls related to NERC CIP Standard requirements. WFPA provides your organization’s management with expert guidance for closing CIP Program performance and achievement gaps. WFPA also facilitates improved cyber security policy and procedure documentation for both current and upcoming CIP Standard version changes.


NERC, "Results Based Reliability Standard Development Guidance", Princeton: 2010. http://www.nerc.com/files/Results_Based_Standard_Guidance.pdf