CIP Standard Gap Assessment

Client: Ontario Power Generation
Completion Date: 2008
Location: Various locations throughout Ontario


Burns & McDonnell performed a gap assessment of the state of fossil and hydro facilities with respect to the North American Electric Reliability Corp. Critical Infrastructure Protection (NERC CIP) standards (CIP-002 through CIP-009).

The facilities involved in this review were identified by Ontario Power Generation as critical cyber assets (CCAs). All findings were clearly distinguished between those items that are required in order to achieve compliance with the NERC CIP standards and opportunities for improvement to go above and beyond the requirements. Where possible, Burns & McDonnell provided recommendations for strategies to reduce the number of CCAs within the electronic security perimeter at each facility in order to reduce the overall compliance effort.

Burns & McDonnell uses a multi-layered approach to cyber and physical security. When surveying a facility, risks, protection measures and mitigating factors are considered and assessed for their ability to facilitate core the security principles of prevention, detection and response. This survey was performed on 15 separate CCAs, including fossil fuel and hydro generation and regional control centers throughout Ontario.

Burns & McDonnell’s electronic system security methodology included surveys of physical security systems, fire alarm systems, SCADA systems, HVAC systems, and utility monitoring and control systems.

Using integrated access control and alarm management as per the NERC CIP standard, along with credential readers, locking devices and alarm contacts, protects the CCA area with a rigorous and auditable process for granting, revoking and monitoring access, as well as retaining a computerized log for an extended period. Each location will have an interior video surveillance system to log people entering a physical security perimeter that contains protected CCAs.

The alarm contact inherent on an access-controlled door allows a captured video log of authorized and unauthorized entry. Limiting access points to the physical security perimeter combined with fixed cameras on those access points results in a highly effective video surveillance coverage area. Integrated security systems combine the functions of many security platforms (access control, closed-circuit television, fire and intrusion alarms). When combined, they offer centralized monitoring for rapid assessment and response.


  • NERC CIP assessment (CIP-002-1 through CIP-009-1) at eight generation sites and hydro sites
  • Physical security assessment (CIP-006-1)