NERC CIP Compliance

If you own or operate renewable energy assets, then you should be thinking about security—be it solar, wind, biomass, hydro, or anything else. Understanding your responsibilities under the North American Electric Reliability Corporation (NERC) can be a chore and, when implemented wrong, can cause serious problems. NERC supervises North American electrical grids, aiming to reduce risks to reliability and security. Here’s NERC CIP Compliance 101.

Compliance with NERC’s critical infrastructure plan (CIP) regulations is mandatory in the U.S., most of Canada and parts of Mexico—these regulations cover risk and security considerations around cyber assets, personnel, training, incident reporting and recovery planning. When done right, compliance can be a simple and useful process. Below are three key things to consider when setting up NERC CIP Compliance. 


1. Do I need to worry about NERC CIP compliance?


All bulk power system owners, operators and users need to comply with NERC regulations (if you don’t know what bulk power means, click here). To be compliant, owners and operators must enact and meet the minimum requirements laid out in all enforceable NERC standards. Targeted facilities by NERC are:


  1. Rated over 20 MVA as a single unit connected to the Bulk Electricity System (unlikely, as each inverter is currently assessed as a single unit), or
  2. Rated over 75 MVA as an aggregate site connected to the Bulk Electricity System.


Most solar and wind facilities would be considered “low impact,” but operation centers (over 1,500 MVA) have been considered “medium impact” since July 1, 2016.


It’s important to note that NERC standards evolve as the industry changes—they were partly put in place in response to the 2003 blackout in the first place. Therefore, if you are setting up internal processes and compliance mechanisms, it may make sense to go broader than the current regulations ask you to in order to be prepared. Perhaps a best practice within your organization would be to include any facility above 50 MVA within your NERC compliance planning. Our systems would certainly be more secure if everyone understood what is required under NERC, kept records of vital information like incident response plans, and centralized their data on an asset management platform to avoid future problems.


2. As the owner or operator, what do I need to do to be NERC CIP compliant?

Depending on whether you are an owner, an operator, or both, your NERC responsibilities will vary. But it’s important to remember that if you are an owner, you are responsible for ensuring your operators are doing their job—and that includes NERC compliance. If you are an operator or service provider to the owner, you have a role to play in helping your client manage these requirements.


Setting up expectations from day one in your operations agreements or other agreements is a best practice that avoids finger pointing further down the road (and potentially huge fines). To find out more about what is required of you under NERC CIP compliance, visit NERC’s website.


3. How and when should I have started managing my compliance program?

It’s never too late, but recently, there have been two key dates:


  • For operation centers above 1,500 MVA: July 1, 2016
  • For generating facilities above 75 MVA: April 1, 2017


Importantly, where your facility is located also has an impact on how you should present information to the delegated regional entities from NERC:

NERC CIP Compliance Regional entities diagram



Looking for a tool to better manage NERC CIP compliance? Schedule a demo with our team.


An earlier version of this post was updated for accuracy in 2018.