implementing-nerc-cip-compliance-controls
This skill covers implementing North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) compliance controls for Bulk Electric System (BES) Cyber Systems. It addresses asset categorization (CIP-002), Electronic Security Perimeters and Interactive Remote Access, for which multi-factor authentication has been mandatory since CIP-005-5 (CIP-005), system security management (CIP-007), configuration change management (CIP-010), supply chain risk management (CIP-013), and the newer standard revisions (CIP-003-9, CIP-005-7, CIP-010-4, CIP-013-2) that extend vendor remote access and supply chain controls to EACMS, PACS and low impact BES Cyber Systems.
# Implementing NERC CIP Compliance Controls
## When to Use
- When a registered entity must achieve or maintain NERC CIP compliance for BES cyber systems
- When preparing for a NERC CIP compliance audit by the Regional Entity
- When implementing the newer CIP standard revisions (CIP-003-9, CIP-005-7, CIP-010-4, CIP-013-2), which extend vendor remote access and supply chain controls to EACMS, PACS and low impact assets
- When categorizing BES cyber systems after commissioning new generation, transmission, or control center assets
- When developing a compliance monitoring and evidence collection program
**Do not use** for non-BES industrial systems (see implementing-iec-62443-security-zones), for general IT compliance frameworks (see auditing-cloud-with-cis-benchmarks), or for physical security of substations without cyber components.
## Prerequisites
- Understanding of NERC CIP standards (CIP-002 through CIP-014)
- BES cyber system inventory with impact ratings (high, medium, low)
- Access to Electronic Security Perimeter (ESP) network diagrams and firewall configurations
- Compliance management system for evidence collection and audit documentation
- Familiarity with NERC Glossary of Terms (BES Cyber Asset, BES Cyber System, Electronic Access Point)
## Workflow
### Step 1: Categorize BES Cyber Systems (CIP-002-5.1a)
Identify the BES Cyber Systems at each asset type listed in CIP-002 R1 and rate each one high, medium or low impact using the Attachment 1 criteria, based on its effect on the reliable operation of the Bulk Electric System. Record the criterion number behind each rating: R2 requires the identifications to be reviewed at least once every 15 calendar months and approved by the CIP Senior Manager or delegate, and the auditor will ask for that basis.
```python
#!/usr/bin/env python3
"""NERC CIP BES Cyber System Categorization Tool.

Applies the CIP-002-5.1a Attachment 1 impact rating criteria to rate
BES Cyber Systems high, medium, or low impact. Criterion numbers in the
output match Attachment 1 so the result can be filed as R1 evidence.
The tool only applies thresholds; the MW, kV, IROL and PC/TP designations
it consumes must come from the entity's own asset records.
"""
import json
import sys
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


def line_weight(kv: float) -> int:
    """Criterion 2.5 weight for one BES Transmission Line connected to a
    station, from the Attachment 1 table: 200-299 kV = 700, 300-499 kV = 1300.
    Lines below 200 kV do not count; 500 kV and above is Criterion 2.4."""
    if 200 <= kv <= 299:
        return 700
    if 300 <= kv <= 499:
        return 1300
    return 0


@dataclass
class BESCyberSystem:
    """Inputs needed to evaluate one BES Cyber System against Attachment 1."""
    system_id: str
    name: str
    description: str
    location: str
    # One of: control_center, generation, transmission, reactive, sps_ras,
    # load_shedding, restoration
    asset_type: str
    # Control Centers and backup Control Centers: functional obligations
    # performed (RC, BA, TOP, GOP), aggregate generation they control in a
    # single Interconnection, and whether they operate any asset that itself
    # meets a Medium Impact criterion referenced by Criteria 1.2-1.4.
    functions: list = field(default_factory=list)
    controlled_generation_mw: float = 0
    controls_medium_impact_assets: bool = False
    # Generation: aggregate highest rated net Real Power capability of the
    # preceding 12 calendar months at a single plant location (Criterion 2.1)
    net_real_power_mw: float = 0
    pc_tp_designated_critical: bool = False        # Criterion 2.3
    # Transmission: highest operating voltage at the station, voltage of each
    # BES line connected there, and count of other stations connected at
    # 200 kV or higher (Criteria 2.4 and 2.5)
    max_operating_kv: float = 0
    connected_line_kv: list = field(default_factory=list)
    connected_stations_200kv: int = 0
    irol_critical: bool = False                    # Criterion 2.6
    npir_essential: bool = False                   # Criterion 2.7
    interconnects_medium_generation: bool = False  # Criterion 2.8
    ras_irol_violation: bool = False               # Criterion 2.9
    load_shed_mw: float = 0                        # Criterion 2.10
    reactive_mvar: float = 0                       # Criterion 2.2
    impact_rating: str = ""                        # high, medium, low
    categorization_basis: str = ""
    cyber_assets: list = field(default_factory=list)


class CIP002Categorizer:
    """NERC CIP-002-5.1a BES Cyber System categorization engine."""

    def __init__(self):
        self.systems = []
        self.categorization_date = datetime.now(timezone.utc).isoformat()

    def add_system(self, system: BESCyberSystem):
        self.systems.append(system)

    def categorize_all(self):
        """Apply CIP-002 Attachment 1 criteria to all systems."""
        for system in self.systems:
            self._categorize_system(system)

    @staticmethod
    def _rate(bcs: BESCyberSystem, rating: str, basis: str):
        bcs.impact_rating = rating
        bcs.categorization_basis = f"CIP-002 Att.1 {basis}"

    def _categorize_system(self, bcs: BESCyberSystem):
        """Dispatch by asset type. High Impact (1.x) applies only to Control
        Centers; Medium (2.x) is checked per asset type; the rest is Low (3.x)."""
        handler = {
            "control_center": self._control_center,
            "generation": self._generation,
            "transmission": self._transmission,
            "reactive": self._reactive,
            "sps_ras": self._sps_ras,
            "load_shedding": self._load_shedding,
            "restoration": self._restoration,
        }.get(bcs.asset_type)
        if handler is None:
            raise ValueError(f"{bcs.system_id}: unknown asset_type {bcs.asset_type!r}")
        handler(bcs)

    def _control_center(self, bcs):
        funcs = {f.upper() for f in bcs.functions}
        mw = bcs.controlled_generation_mw
        # High Impact: Criteria 1.1-1.4 each read "Control Center or backup
        # Control Center", so a backup is rated by the same criterion.
        if "RC" in funcs:
            return self._rate(bcs, "high", "Criterion 1.1: Control Center performing "
                              "Reliability Coordinator obligations")
        if "BA" in funcs and (mw >= 3000 or bcs.controls_medium_impact_assets):
            return self._rate(bcs, "high", f"Criterion 1.2: BA Control Center for "
                              f">= 3000 MW or Criterion 2.3/2.6/2.9 assets (actual: {mw} MW)")
        if "TOP" in funcs and bcs.controls_medium_impact_assets:
            return self._rate(bcs, "high", "Criterion 1.3: TOP Control Center for "
                              "Criterion 2.2/2.4/2.5/2.7/2.8/2.9/2.10 assets")
        if "GOP" in funcs and bcs.controls_medium_impact_assets:
            return self._rate(bcs, "high", "Criterion 1.4: GOP Control Center for "
                              "Criterion 2.1/2.3/2.6/2.9 assets")
        # Medium Impact Control Centers not already rated High
        if "GOP" in funcs and mw >= 1500:
            return self._rate(bcs, "medium", f"Criterion 2.11: GOP Control Center for "
                              f">= 1500 MW aggregate (actual: {mw} MW)")
        if "TOP" in funcs:
            return self._rate(bcs, "medium", "Criterion 2.12: TOP Control Center "
                              "not rated High")
        if "BA" in funcs and mw >= 1500:
            return self._rate(bcs, "medium", f"Criterion 2.13: BA Control Center for "
                              f">= 1500 MW aggregate (actual: {mw} MW)")
        return self._rate(bcs, "low", "Criterion 3.1: Control Center or backup "
                          "Control Center not meeting High or Medium criteria")

    def _generation(self, bcs):
        mw = bcs.net_real_power_mw
        # There is no High Impact criterion for a generating plant itself; the
        # 3000 MW figure enters only through the BA Control Center (Criterion 1.2).
        if mw >= 1500:
            return self._rate(bcs, "medium", f"Criterion 2.1: generation >= 1500 MW "
                              f"aggregate net Real Power at a single plant location "
                              f"(actual: {mw} MW)")
        if bcs.pc_tp_designated_critical:
            return self._rate(bcs, "medium", "Criterion 2.3: generation designated by "
                              "PC/TP as necessary to avoid an Adverse Reliability Impact")
        if bcs.irol_critical:
            return self._rate(bcs, "medium", "Criterion 2.6: generation identified as "
                              "critical to the derivation of IROLs")
        return self._rate(bcs, "low", "Criterion 3.3: generation resource")

    def _transmission(self, bcs):
        kv = bcs.max_operating_kv
        if kv >= 500:
            return self._rate(bcs, "medium", f"Criterion 2.4: Transmission Facilities "
                              f"operated at 500 kV or higher (actual: {kv} kV)")
        # Criterion 2.5: 200-499 kV station, connected at >= 200 kV to three or
        # more other stations, aggregate weighted value of its lines > 3000
        awv = sum(line_weight(v) for v in bcs.connected_line_kv)
        if 200 <= kv <= 499 and bcs.connected_stations_200kv >= 3 and awv > 3000:
            return self._rate(bcs, "medium", f"Criterion 2.5: {kv} kV station connected "
                              f"to {bcs.connected_stations_200kv} stations at >= 200 kV, "
                              f"aggregate weighted value {awv} > 3000")
        if bcs.irol_critical:
            return self._rate(bcs, "medium", "Criterion 2.6: Transmission Facilities "
                              "identified as critical to the derivation of IROLs")
        if bcs.npir_essential:
            return self._rate(bcs, "medium", "Criterion 2.7: Transmission Facilities "
                              "essential to Nuclear Plant Interface Requirements")
        if bcs.interconnects_medium_generation:
            return self._rate(bcs, "medium", "Criterion 2.8: generation interconnection "
                              "Facilities for Criterion 2.1/2.3 generation")
        return self._rate(bcs, "low", "Criterion 3.2: Transmission station or substation")

    def _reactive(self, bcs):
        if bcs.reactive_mvar >= 1000:
            return self._rate(bcs, "medium", f"Criterion 2.2: reactive resources >= 1000 MVAR "
                              f"nameplate at a single location (actual: {bcs.reactive_mvar} MVAR)")
        return self._rate(bcs, "low", "Criterion 3.2: Transmission station or substation")

    def _sps_ras(self, bcs):
        if bcs.ras_irol_violation:
            return self._rate(bcs, "medium", "Criterion 2.9: SPS/RAS/automated switching "
                              "System whose failure would cause an IROL violation")
        return self._rate(bcs, "low", "Criterion 3.5: SPS/RAS supporting reliable operation")

    def _load_shedding(self, bcs):
        if bcs.load_shed_mw >= 300:
            return self._rate(bcs, "medium", f"Criterion 2.10: automatic Load shedding "
                              f">= 300 MW under common control (actual: {bcs.load_shed_mw} MW)")
        return self._rate(bcs, "low", "Criterion 3: Load shedding below 300 MW "
                          "(confirm the system is in scope under Section 4.2 Applicability)")

    def _restoration(self, bcs):
        # Blackstart Resources and Cranking Paths have no Medium criterion;
        # Attachment 1 places them in Low Impact.
        return self._rate(bcs, "low", "Criterion 3.4: system restoration (Blackstart "
                          "Resource, Cranking Path, initial switching requirements)")

    def generate_report(self):
        """Generate CIP-002 categorization report."""
        high = [s for s in self.systems if s.impact_rating == "high"]
        medium = [s for s in self.systems if s.impact_rating == "medium"]
        low = [s for s in self.systems if s.impact_rating == "low"]
        report = []
        report.append("=" * 70)
        report.append("NERC CIP-002-5.1a BES CYBER SYSTEM CATEGORIZATION")
        report.append(f"Date: {self.categorization_date}")
        report.append("=" * 70)
        report.append(f"\nTotal BES Cyber Systems: {len(self.systems)}")
        report.append(f"  High Impact:   {len(high)}")
        report.append(f"  Medium Impact: {len(medium)}")
        report.append(f"  Low Impact:    {len(low)}")
        for category, systems in [("HIGH", high), ("MEDIUM", medium), ("LOW", low)]:
            if systems:
                report.append(f"\n--- {category} IMPACT SYSTEMS ---")
                for s in systems:
                    report.append(f"  [{s.system_id}] {s.name}")
                    report.append(f"    Location: {s.location}")
                    report.append(f"    Type: {s.asset_type}")
                    report.append(f"    Basis: {s.categorization_basis}")
                    report.append(f"    Cyber Assets: {len(s.cyber_assets)}")
        return "\n".join(report)

    def export_json(self, output_file):
        """Export categorization to JSON for compliance evidence."""
        data = {
            "categorization_date": self.categorization_date,
            "standard": "CIP-002-5.1a",
            "systems": [asdict(s) for s in self.systems],
        }
        with open(output_file, "w") as f:
            json.dump(data, f, indent=2)


if __name__ == "__main__":
    categorizer = CIP002Categorizer()
    # Example BES Cyber Systems (illustrative values, not a real entity's data)
    categorizer.add_system(BESCyberSystem(
        system_id="BCS-001", name="Main Energy Control Center EMS",
        description="Energy Management System for BA operations",
        location="Control Center Alpha", asset_type="control_center",
        functions=["BA"], controlled_generation_mw=3200,
    ))
    categorizer.add_system(BESCyberSystem(
        system_id="BCS-002", name="Substation Bravo RTU and relays",
        description="345 kV station, five 345 kV lines to four other stations",
        location="Substation Bravo", asset_type="transmission",
        max_operating_kv=345, connected_line_kv=[345, 345, 345, 345, 345],
        connected_stations_200kv=4,
    ))
    categorizer.add_system(BESCyberSystem(
        system_id="BCS-003", name="Blackstart unit DCS",
        description="Blackstart Resource in the system restoration plan",
        location="Plant Charlie", asset_type="restoration",
    ))
    categorizer.categorize_all()
    print(categorizer.generate_report())
    if len(sys.argv) > 1:
        categorizer.export_json(sys.argv[1])
```