NERC CIP-009 Tips

Recent events of the Oroville Dam flooding, which cause hundreds of thousands of people to be evacuated and impacted several utility companies, reminds us all of the importance of Cyber Asset Recovery Plans. NERC CIP-009-6 Requirement 1 mandates registered entities with High and Medium impact Bulk Electric System (BES) Cyber Systems to implement recovery plans, including the following (among others):

  • Conditions for activation of the recovery plan(s)
  • Roles and responsibilities of responders
  • One or more processes for the backup and storage of information required to recover BES Cyber System functionality

 The recent disruptions bring to mind that conditions for activating recovery plans can be varied and surprising. Registered entities are expected to create a table or list of different types of events or magnitude of loss. A table could be designed as follows:

BES Cyber System Impact Actions
Loss of backup system Investigate and Recover
Loss of primary system Automatic Failover, Investigate, and Recover
Loss of primary and backup system Investigate and Recover


Recent events also highlight the benefits of geographically dispersed BES Cyber Systems. For example, if your data center suddenly becomes submerged by water, it would be critical to operations to have another data center to fail over to that was not underwater.

Another tip is to have recovery plans available to those with a role in the plan at their homes and in a way that would be easily transportable. Consider the following:

  • Do Subject Matter Experts (SME), the people charged with bringing systems back online, have access to recovery plans from their homes? Ideas include encrypted thumb drives and paper copies stored in safe locations (perhaps a safe). Both are transportable.
  • How can we allow SMEs to restore BES Cyber Systems if they can't get to the office? Good VPN security and practice can help with this. Consider having SMEs work from home one day a month to test remote administration and find recommendations for improvement.
  • How can we help SMEs feel more comfortable leaving their families during a disaster? Interviewing SMEs and asking them will reveal interesting information. Perhaps minimal food storage and a backup radio can make all the difference.

There are many ways registered entities can comply with NERC CIP-009-6, and Proven Compliance Solutions helps its clients find the best solution. Please contact us for further information.

Our Services