Gartner Research

Electric Utility Cyber Security Standards: Practical Implementation Guidance

Published: 14 December 2009

ID: G00203898

Analyst(s): Doug Simmons, Ken Agress, Kim May, Bob Smock


Industries must address compliance challenges to avoid regulatory, legal, or industry sanctions. The latest compliance standards to come into force in the utility industry are the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) standards, which focus on protecting critical infrastructure in electrical generation and delivery. Burton Group's systematic and comprehensive approach to defining protection standards can assist enterprises as they develop their compliance models in a systematic and comprehensive fashion that can address both NERC-CIP requirements and future protection needs. Without such an approach, enterprises risk inflexibility and inadequate coverage as their protection requirements change to meet demands.

Table Of Contents

Summary of Findings



  • The Standards and What's at Stake
  • The Need for a Comprehensive Security Architecture
  • The Need for a Holistic Architecture
  • Legacy System Considerations
  • The Cost of Non-Compliance

Infrastructure and Architecture to Address NERC

  • Cyber Security Risk Management
    • Security Policy and Governance
    • Risk Assessment
    • Information Classification
    • Change Control
    • Security Event Management
    • Intrusion Detection and Response
    • Training and Awareness
  • Identity Management
    • Access Control
    • Provisioning and Role Assignment
    • Authentication
    • Identity Lifecycle Management and Auditing
  • Perimeter Security
    • Network Perimeters and Zones
    • Physical Access Control
  • Data Center and Networking
    • Reliability, Availability, and Business Continuity
    • Performance Requirements
    • Technology Trends


Appendix A: Critical Infrastructure Protection (CIP) Standards

  • CIP-001-1 “Sabotage Reporting”
  • CIP-002-2 “Critical Cyber Asset Identification”
  • CIP-003-2 “Security Management Controls”
  • CIP-004-2 “Personnel and Training”
  • CIP-005-2 “Electronic Security Perimeter(s)”
  • CIP-006-2 “Physical Security of Critical Cyber Assets”
  • CIP-007-2 “Systems Security Management”
  • CIP-008-2 “Incident Reporting and Response Planning”
  • CIP-009-2 “Recovery Plans for Critical Cyber Assets”

©2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.

Already have a Gartner Account?

Become a client

Learn how to access this content as a Gartner client.