SUBNET helps electrical transmission and distribution companies meet the NERC CIP-004 Personnel and Training standard through its professional services group and software products. For over a decade, SUBNET has been training industry professionals. When it comes to managing which personnel have access to critical cyber assets, SUBNET's PowerSYSTEM Center helps manage and control access while leveraging your current corporate IT policies.
Standard CIP-004 requires that personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness. Standard CIP-004 should be read as part of a group of standards numbered Standards CIP-002 through CIP-009. Responsible Entities should interpret and apply Standards CIP-002 through CIP-009 using reasonable business judgment.
Awareness — The Responsible Entity shall establish, maintain, and document a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as:
- Direct communications (e.g., emails, memos, computer based training, etc.);
- Indirect communications (e.g., posters, intranet, brochures, etc.);
- Management support and reinforcement (e.g., presentations, meetings, etc.).
Training — The Responsible Entity shall establish, maintain, and document an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, and review the program annually and update as
This program will ensure that all personnel having such access to Critical Cyber Assets, including contractors and service vendors, are trained within ninety calendar days of
Training shall cover the policies, access controls, and procedures as developed for the Critical Cyber Assets covered by CIP-004, and include, at a minimum, the following required items appropriate to personnel roles and responsibilities:
- The proper use of Critical Cyber Assets;
- Physical and electronic access controls to Critical Cyber Assets;
- The proper handling of Critical Cyber Asset information; and,
- Action plans and procedures to recover or re-establish Critical Cyber Assets and access thereto following a Cyber Security Incident.
The Responsible Entity shall maintain documentation that training is conducted at least annually, including the date the training was completed and attendance records.
Personnel Risk Assessment — The Responsible Entity shall have a documented personnel risk assessment program, in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements, for personnel having authorized cyber or authorized unescorted physical access. A personnel risk assessment shall be conducted pursuant to that program within thirty days of such personnel being granted such access.
Access — The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets.
Visit the NERC website for more details regarding Critical Infrastructure Protection Standards.
Learn more about how SUBNET can help you meet NERC CIP standards with PowerSYSTEM Center.