Survey: Majority Of Energy IT Professionals Do Not Understand NERC CIP Version 5 Requirements

In addition, 57 percent do not have the automation tools in place to efficiently prepare for their next NERC CIP audit

November 22, 2013

PORTLAND, OREGON -- November 21, 2013 -- Tripwire, Inc., a leading global provider of risk-based security and compliance management solutions, today announced the results of a survey on NERC CIP Compliance. The online survey was conducted from July through September 2013 and evaluated the attitudes of more than 100 IT professionals.

According to a report by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the energy industry faced more cyberattacks than any other industry sector from October 2012 through May 2013, and a successful attack on any of the country's sixteen critical infrastructure sectors could have devastating results. However, Tripwire's survey indicates that IT professionals are still unclear on the most recent version of the North American Electric Reliability Corporation's (NERC) critical infrastructure protection (CIP) security controls.

The survey reveals that 70% of the respondents have a clear understanding of current NERC CIP compliance requirements. However, that confidence quickly evaporates in the face of the upcoming version – 62% of respondents say they do not understand the requirements of NERC CIP version 5.

"NERC CIP version 5 represents significant security and compliance changes and will affect most of North America's power and utilities companies," said Jeff Simon, director of service solutions for Tripwire. "Although version 5 has been submitted but not yet approved by the Federal Energy Regulatory Commission, power and utility companies still need to understand the impact of the increase in scope and the need for automation. NERC CIP version 5 should already be a key part of their 2014 initiatives."

Additional survey findings include:

55% are currently preparing to comply with NERC CIP version 5.

83% believe CIP version 5 will enhance the security of the Bulk Electric System (BES).

63% collect the majority of evidence needed for NERC CIP compliance audits manually or with limited support from automation.

57% do not have the automation tools in place to efficiently prepare for their next NERC CIP audit.

Tripwire has helped registered entities achieve and maintain NERC compliance since 2008. With Tripwire's NERC Solution Suite, organizations can access award-winning security configuration management and incident detection solutions, along with specialized intelligence including policy rules, correlation rules, tools, templates, customized reports and dashboards. Together with customized services from NERC-experienced consultants, the NERC Solution Suite dramatically reduces the time and resources required to pass NERC CIP audits and minimizes audit findings.

For more information, please visit:

About Tripwire

Tripwire is a leading global provider of risk-based security and compliance management solutions, enabling enterprises, government agencies and service providers to effectively connect security to their business. Tripwire provides the broadest set of foundational security controls including security configuration management, vulnerability management, file integrity monitoring, log and event management. Tripwire solutions deliver unprecedented visibility, business context and security business intelligence allowing extended enterprises to protect sensitive data from breaches, vulnerabilities, and threats. Learn more at, get security news, trends and insights at or follow us on Twitter @TripwireInc.
