
Aaron Crow
Aaron Crow is an executive leader with more than 20 years of experience in the technology field. He has expertise in technical architecture and design, data migration, network and application security, major network system rollouts, reorganizations, and technology refreshes. Aaron has an analytical mind that enables him to quickly grasp new concepts and communicate technical details to both technical and non-technical audiences. He builds consensus for reliable standardized deployment of enabling technologies by building strong relationships with management teams and staff members at all levels. His extensive leadership skills enable him to influence others while maintaining focus on his objectives.
This is the second in a two-part NERC CIP series, and now we get into the heart of it. Instead of looking at the audit process, we’re digging into the standards themselves and what they mean for real operators in real environments. When you understand the why behind each requirement, the how becomes a whole lot easier. You can read the first blog here.
Breaking Down the Standards: What They Really Mean
Every CIP standard exists because somewhere, sometime, something bad happened. These aren’t theoretical requirements. These are the lessons written during downtime and recovery hours.
CIP-002: Critical Cyber Asset Identification
Know what matters. If you don’t know what’s critical, how can you protect it? Missing a critical asset isn’t an oversight; it’s negligence.
CIP-003: Security Management Controls
This is about leadership and culture. Security programs fail when leadership doesn’t own them. Period.
CIP-004: Personnel and Training
Your people are your biggest risk and your best defense. Train them, vet them, and document everything. That operator who’s been there 30 years? They still need annual training.
CIP-005: Electronic Security Perimeter
Know where IT ends and OT begins. Control those boundaries like your reliability depends on it, because it does.
CIP-006: Physical Security
If someone can walk up and touch your critical cyber assets, all your other controls are worthless. Lock it down.
CIP-007: System Security Management
This is the daily grind. Patching, ports and services, malicious code prevention, and security event monitoring. Not quarterly tasks, daily discipline.
CIP-008: Incident Reporting and Response Planning
When bad things happen (not if, when), you need a plan that works under pressure. Test your incident response plan when things are calm so it works when they’re not.
CIP-009: Recovery Plans
Backups are worthless if they don’t work when you need them. Test your recovery processes like your job depends on it.
CIP-010: Configuration Change Management and Vulnerability Assessments
Know what you have, control how it changes, and understand your vulnerabilities. You can’t protect what you don’t understand.
CIP-011: Information Protection
Protect your sensitive information from creation to destruction. Every copy, every transmission, every storage location matters.
CIP-012: Cyber Security Communications
Protect data in transit between Control Centers. Real-time data needs real-time protection.
CIP-013: Supply Chain Risk Management
Your vendors’ security is your security. Their compromise becomes your incident. Vet them accordingly.
CIP-014: Physical Security (Transmission)
Some substations and control centers are so critical that physical attacks could destabilize the grid. These need extraordinary protection.
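To make the CIP-007 “ports and services” and CIP-010 “know what you have, control how it changes” points concrete, here is an added example (not code from the original post or from EmberOT) that compares a documented asset baseline against what a scan actually observed and returns each deviation as a timestamped record, the kind of evidence that is captured during operations rather than reconstructed for an audit. The asset name, versions, ports and patch identifier are constructed samples.

```python
# Added example, not from the original post: CIP-010-style baseline comparison.
# A documented baseline (OS version, approved software, approved listening
# ports, required patches) is compared with what was observed on an asset.
# All names, versions, ports and patch ids are constructed sample values.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Baseline:
    os_version: str
    software: frozenset   # approved installed software
    ports: frozenset      # approved listening ports (CIP-007 "ports and services")
    patches: frozenset    # required security patches

@dataclass(frozen=True)
class Deviation:
    asset: str
    category: str
    detail: str
    observed_at: str      # captured when the check ran, not written up later

def compare_baseline(asset, documented, observed):
    """Return every way `observed` differs from the `documented` baseline."""
    now = datetime.now(timezone.utc).isoformat()
    found = []

    def record(category, detail):
        found.append(Deviation(asset, category, detail, now))

    if observed.os_version != documented.os_version:
        record("os", f"expected {documented.os_version}, found {observed.os_version}")
    for name in sorted(observed.software - documented.software):
        record("software", f"unapproved software installed: {name}")
    for name in sorted(documented.software - observed.software):
        record("software", f"baseline software missing: {name}")
    for port in sorted(observed.ports - documented.ports):
        record("ports", f"unapproved listening port: {port}")
    for patch in sorted(documented.patches - observed.patches):
        record("patches", f"required patch not applied: {patch}")
    return found

def sample_check():
    # Constructed sample: documented baseline vs. what a scan of "rtu-07" found.
    documented = Baseline("vendor-os 4.2", frozenset({"hmi-runtime", "av-agent"}),
                          frozenset({22, 502}), frozenset({"SP-2024-11"}))
    observed = Baseline("vendor-os 4.2", frozenset({"hmi-runtime", "av-agent", "remote-tool"}),
                        frozenset({22, 502, 8080}), frozenset())
    return compare_baseline("rtu-07", documented, observed)
```

Each returned Deviation is a change-management finding to review: an unapproved tool, an unexpected listening port, or a missing patch, with the time it was actually observed.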
Building Compliance Into Operations
Here’s where I see organizations either succeed or fail: Do they treat compliance as a separate activity, or integrate compliance practices into operations?
The best programs I’ve worked with don’t “do compliance.” They operate securely, and compliance is the natural outcome of those efforts. These program operators understand why they follow procedures. Their engineers can explain the risk behind every control. Their leadership funds security because they understand the consequences of failure, not just the cost of fines.
Think about it from an operational perspective. Every requirement in NERC CIP maps to something that makes your systems more reliable:
- Network segmentation prevents cascading failures
- Access control keeps unauthorized people from breaking things
- Change management prevents “Friday afternoon surprises”
- Incident response gets you back online faster
When you frame compliance as operational excellence rather than a regulatory burden, your entire perspective changes. Your team stops asking “What’s the minimum we can do?” and starts asking “How does this make us better?”
The Reality Check
Let me be absolutely clear about something. The penalty for non-compliance isn’t just a fine or a bad audit score. It’s potential downtime, financial loss, or a cascading outage that affects thousands of people.
I’ve seen organizations get hit with significant findings not because they were careless, but because they treated compliance as paperwork instead of practice. They had beautiful policies… that no one followed. They had detailed procedures that didn’t reflect reality. They had evidence that was created after an audit, instead of being captured during operations.
Don’t be those organizations.
Tools and Systems: Making Compliance Sustainable
One of the biggest mistakes I see is organizations trying to manage compliance manually. Spreadsheets, shared drives, and email chains might work for a small municipal utility, but they don’t scale to larger programs.
Good tools don’t just help with compliance. They improve your entire security posture. That SIEM you implement for log collection? It also helps you troubleshoot problems faster. The asset management system for CIP-002? It helps you manage patches and warranties. The access control system? It prevents those 2 a.m. calls about locked-out operators.
Pick tools that serve multiple purposes. Budget them for operational benefits, not just compliance. When a tool improves both security and reliability, it pays for itself regardless of audit results.
The Human Factor
At the end of the day, “all business is the people business.” This is especially true in OT environments. Your auditor is a person. Your operators are people. Your engineers are people. Treat them accordingly.
Build relationships before you need them. When that auditor shows up, they should already know you take this seriously because they know you professionally. When findings come up, you should have enough credibility that the auditor trusts your corrective actions. When you need an operator to follow a new procedure, the operator should trust that you understand their world and, therefore, trust in your directive.
This isn’t about playing politics or being fake friendly. It’s about genuinely respecting the expertise everyone brings to the table. The auditor understands compliance in ways you might not. The operator understands the physical process in ways the auditor doesn’t. Bridge those gaps and everyone wins.
Looking Forward
NERC CIP will continue to evolve. Threats change, technology advances, and standards adapt. But the fundamentals remain the same: Know your assets, control access, monitor for threats, respond to incidents, and recover from failures.
If you build a strong foundation on those fundamentals, new requirements become incremental improvements instead of massive overhauls. When compliance is integrated with operations, audits become validations instead of interrogations.
Most importantly, if you focus on the why behind each requirement, the how becomes much clearer. We’re not protecting paperwork. We’re protecting the reliability of the grid. We’re ensuring hospitals don’t lose power during surgeries. We’re keeping water flowing to communities. We’re maintaining the infrastructure that modern life depends on.
That’s worth doing right, whether there’s an audit coming or not.
Final Thoughts
Look, compliance can feel overwhelming. I get it. But it’s also an opportunity. It’s a chance to build discipline into your operations. It’s justification for the budget and headcount you need. It’s a framework for continuous improvement.
Use it wisely. Don’t just check boxes. Build capabilities. Don’t just document procedures. Train people to execute them. Don’t just pass audits. Build resilient systems that deserve to pass.
And remember, we’re all on the same team here. Auditors, operators, engineers, security folks, we all want the same thing: reliable, secure, critical infrastructure. When we work together instead of against each other, that’s exactly what we build.
The next time you’re preparing for an audit, don’t think about it as something happening to you. Think about it as an opportunity to prove you’re doing things right. And if there’s room for improvement? Well, better to find out from an auditor than from an adversary.
Stay safe out there, and remember: when it comes to audits, 100% is the only passing grade that matters.
