Checklists, templates, and guides built from 15+ years of real project experience — NERC CIP audits, SCADA deployments, and renewable energy operations. No fluff. Just useful.
A structured pre-audit review framework covering CIP-002 through CIP-011. Includes exact evidence auditors request, requirement references, a 60-day preparation timeline, and practical notes from real audit experience across generation and transmission assets.
A space for SCADA integrators, operations teams, and compliance managers to ask questions, share experience, and get practical answers — not vendor pitches.
Start a thread, ask a technical question, or share how your team handled a problem others are dealing with too.
Every month, Annett answers community questions live — SCADA architecture, NERC CIP, renewable energy ops. Next session: July 2025.
If your question is time-sensitive or specific to your system, book a 30-minute advisory call. Straight answer — no sales pitch, no follow-up pressure.
Book a free callThe PROMEC Documentation Generator is coming soon — I/O lists, loop sheets, and compliance exports in minutes. Join the waitlist for 3 months free at launch.
Join the waitlist →Active threads across these areas:
We publish checklists, guides, and articles for OT engineers and compliance teams. One email when something new drops — no newsletters, no noise.
Free resources are a starting point. When your project needs real advisory support — architecture review, NERC CIP audit prep, or IT/OT integration guidance — we're here.
CIP-002 is the foundation of the entire NERC CIP compliance program. Get it wrong and every other standard has a problem — because the BES Cyber Systems you identify here determine what CIP-003 through CIP-011 apply to. This guide walks through how to do it correctly, what auditors look for, and the mistakes that generate findings.
CIP-002 requires responsible entities to identify their BES (Bulk Electric System) assets, identify the BES Cyber Systems associated with those assets, and then categorise each BES Cyber System as High, Medium, or Low impact based on defined criteria.
There are three requirements:
Common misunderstanding: CIP-002 categorises BES Cyber Systems, not individual devices. A BES Cyber System is a grouping of BES Cyber Assets that share the same impact rating and are logically related. One generator may have one BES Cyber System — or several, depending on the functions performed.
Before you can identify BES Cyber Systems, you need to identify your BES assets. Typical BES assets include generation resources at or above 20 MVA, transmission facilities at 100 kV or above, reactive and black start resources, and control centers performing reliability functions. If you're unsure whether a specific asset is BES, request a formal BES determination from your Regional Entity — this is documented, which is exactly what you want for audit purposes.
For each BES asset, identify the Cyber Assets that could, if compromised, affect reliable operation within 15 minutes. These are your BES Cyber Assets. Group them into BES Cyber Systems — one or more BES Cyber Assets logically grouped to perform one or more reliability tasks.
Practical grouping guidance: Group by function, not by physical location. A SCADA system performing multiple reliability functions may be a single BES Cyber System. Document your grouping rationale — auditors will ask.
Attachment 1 of CIP-002 defines the criteria for High and Medium impact ratings. Anything that doesn't meet High or Medium criteria is Low impact by default. High impact typically covers Control Centers at 300 kV or above and transmission facilities at 500 kV or above. Medium impact covers most other Control Centers, generation above 1500 MW, and systems performing UFLS/UVLS or Special Protection System functions.
Don't self-exclude too aggressively. The most common CIP-002 audit finding is under-categorisation — marking systems as Low when they should be Medium, or excluding BES Cyber Assets that should be included. When in doubt, include it and document your reasoning.
| Req | Audit focus | Common finding |
|---|---|---|
| R1 | Completeness of BES asset inventory | Missing assets, especially smaller generation resources |
| R1 | BES Cyber System grouping rationale | No documented reason for how assets were grouped |
| R1 | 15-minute applicability assessment | Cyber Assets not properly assessed against 15-minute criterion |
| R2 | Annual review completion date | Review not completed within calendar year |
| R2 | 60-day triggered review evidence | Changes to assets not triggering re-evaluation |
| R3 | CIP Senior Manager approval signature | Missing or outdated approval |
Your BES Cyber System inventory must include at minimum: BES asset name and location, BES Cyber System identifier, impact rating (H/M/L), categorisation rationale citing the specific Attachment 1 criterion, list of BES Cyber Assets in the system, review date, and CIP Senior Manager approval signature. Keep prior versions — auditors may review changes over time and ask why a rating changed.
CIP-002 R2 requires re-evaluation within 60 days of any change that might affect a BES Cyber System's categorisation — new assets coming online, facility upgrades crossing a voltage threshold, changes to how a Control Center performs reliability functions, and new Cyber Assets added to an existing system. Build a process integrated with your change management system that flags these events automatically.
Many organisations focus heavily on High and Medium impact systems and treat Low impact as a checkbox. CIP-003 R4 and R5 impose real requirements on Low impact BES Cyber Systems. Your Low impact inventory doesn't need to be as detailed as High/Medium, but it needs to exist. An undocumented Low impact BES Cyber System is still a compliance gap.
Use our free NERC CIP Audit Readiness Checklist for a structured self-assessment covering all nine active CIP standards with specific evidence requirements and a 60-day preparation timeline.
Published by PROMEC Systems. Based on NERC CIP v6. Always verify against current NERC standards and your Regional Entity's audit guidance. Not legal or regulatory advice.
The I/O list is the foundational document of every SCADA project. Everything else — loop sheets, tag databases, alarm philosophies, commissioning checklists — flows from it. Yet most engineers either include too little (leaving gaps that cause rework) or too much (creating a document nobody maintains). This guide covers what belongs in an Ignition I/O list and why each column matters.
An I/O list is a structured register of every field signal entering or leaving your control system — every analogue input, digital input, analogue output, and digital output, plus any virtual or calculated points that need to be documented. It serves four purposes simultaneously: design reference for the tag database, procurement base for I/O card counts, commissioning record for signal verification, and as-built documentation for ongoing maintenance.
| Column | What it contains | Example |
|---|---|---|
| Tag path | Full Ignition tag path — provider, folder structure, tag name | [default]Site_A/Pump_01/RunStatus |
| Tag name | Tag name only, following naming convention | RunStatus |
| Description | Human-readable, 40–60 chars max | Pump 01 Run Status Feedback |
| Signal type | AI, DI, AO, DO, Calc, OPC | DI |
| Data type | Boolean, Float4, Int4, String | Boolean |
| PLC address | Memory address in the controller | I:0/3 or %I0.3 |
| Engineering units | Units for analogue signals | kPa, degC, m3/h |
| Range low / high | Raw and engineering range for AI signals | 4–20 mA / 0–1000 kPa |
| Instrument tag | P&ID instrument tag number | FIT-201 |
| P&ID reference | Drawing number where this signal appears | P&ID-003 Rev B |
For analogue inputs feeding an Ignition Tag Historian or OSIsoft PI, document the deadband or exception reporting threshold. Without this, you get either too much data (every scan stored) or too little. Put it in the I/O list so it gets configured correctly at commissioning — not discovered missing six months after go-live.
If a tag has process alarms configured in Ignition's Alarm Notification system, document the setpoints — High, High-High, Low, Low-Low. This doesn't replace an alarm philosophy document, but it gives commissioning engineers a reference during FAT and SAT.
If you're using OSIsoft PI alongside Ignition, document the PI Point Name for each historically logged signal. Mismatches between Ignition tag names and PI point names are a common source of data quality issues that are expensive to untangle after go-live.
Column sprawl is real. Don't add wire colour, cable number, junction box, conduit, and contractor name. Keep commissioning-specific detail in a separate commissioning schedule. The I/O list is a configuration document, not a cable schedule.
Ignition's folder-based tag structure means your naming convention determines your tag path structure. Getting this right at the start saves significant rework.
# Structure: [Provider]/Site/Equipment/Signal [default]/SITE_A/PUMP_01/RunStatus [default]/SITE_A/PUMP_01/SpeedFeedback # AI — kW [default]/SITE_A/PUMP_01/StartCommand # DO [default]/SITE_A/PUMP_01/FaultStatus # DI
Key rules: use underscores not spaces or hyphens, UPPER_CASE for equipment and site identifiers, PascalCase for signal names, keep equipment codes consistent with P&ID tag numbers, and don't embed engineering units in the tag name. Most importantly — agree the convention before the first tag is created.
The most expensive naming mistake: inconsistent site codes across a multi-site project. If one engineer calls it SITE_A and another calls it SITE1, your reporting queries and alarm analysis will fail — silently, and usually at the worst moment.
| Mistake | Consequence | Prevention |
|---|---|---|
| No engineering units documented | Wrong EU configured at commissioning, found in SAT | Mandatory EU column, validated in design review |
| PLC addresses not verified against vendor drawings | Tag database built on wrong addresses, full remap required | Cross-reference I/O list against approved PLC drawings before programming |
| P&ID reference missing | No traceability from tag to instrument — troubleshooting is guesswork | Mandatory P&ID reference column, checked against drawing register |
| Description too vague | Operators can't identify alarms in Ignition Alarm Journal | 40-char max, include equipment identifier and signal function |
The PROMEC Documentation Generator automates I/O list creation — import your Ignition gateway CSV export and generate a fully structured, formatted I/O list in minutes. Join the waitlist for early access and 3 months free at launch.
Published by PROMEC Systems. Based on Ignition 8.1. Tag naming recommendations reflect best practices from production SCADA deployments across generation, transmission, and process industries.
Connecting an OT network to enterprise infrastructure without proper segmentation is one of the highest-risk things an industrial organisation can do. Not because connectivity is inherently dangerous — but because most teams design the firewall rules before they design the architecture, put the wrong servers in the wrong zones, and create paths between IT and OT that are never documented and therefore never reviewed.
IT network segmentation is about protecting data. OT network segmentation is about protecting physical processes — and the consequences of getting it wrong are not a data breach, they're a generation trip, a process upset, or physical damage to equipment. This changes the design priorities. In OT, patch windows are planned months in advance, system restarts may require controlled process rundown, and brief communication interruptions can cause spurious trips or missed events. The architecture must protect the OT network without affecting system availability or performance.
The defensible baseline architecture for industrial systems connecting to enterprise infrastructure is three zones separated by two firewalls:
| Zone | Contents | Key principle |
|---|---|---|
| Corporate | Workstations, AD, email, ERP, business intelligence, internet access | No direct access to OT zone |
| DMZ | Historian, jump server, file transfer, patch staging, AV update server | Buffer between IT and OT — neither side directly reaches the other |
| OT Zone | SCADA servers, HMIs, engineering workstations, PLCs, RTUs, IEDs | OT-initiated traffic allowed out; enterprise-initiated traffic cannot come in |
The key principle: OT-initiated traffic can flow from OT to DMZ. Enterprise-initiated traffic cannot reach the OT zone. The historian in the DMZ pulls data from the OPC server in the OT zone — not the other way around.
The most dangerous DMZ mistake: putting a SCADA server in the DMZ because "it doesn't have write access." Write access is not the only risk. A compromised DMZ server can be used as a pivot point or to manipulate the data operators see. SCADA servers belong in the OT zone.
Every rule in your firewall ruleset should be justified by a specific operational requirement. "Allow any" rules in either firewall are a compliance failure under NERC CIP CIP-005 and a security failure. Each rule needs a named source, named destination, specific protocol and port, and a business justification. Rules without justifications don't survive an audit review.
For NERC CIP-regulated systems, CIP-005 defines the Electronic Security Perimeter (ESP). The three-zone DMZ architecture maps directly to compliance: the OT zone boundary (Firewall 2) defines your ESP; all Interactive Remote Access must go through an Intermediate System (your jump server); MFA is required for all remote access; and sessions must be encrypted. Auditors will ask for your ESP diagram and want to see that every line maps to a documented, justified firewall rule.
| Mistake | Why it's a problem | Correct approach |
|---|---|---|
| Flat OT network with a single firewall | No DMZ — one compromised server reaches OT directly | Deploy two firewalls with a proper DMZ between them |
| Historian in the corporate network | Requires opening direct ports to/from OT — bypasses DMZ concept | Historian lives in the DMZ |
| Vendor VPN terminating in the OT zone | Vendor network gets direct access to OT devices | VPN terminates in DMZ — vendor uses jump server to reach OT |
| No session logging on the jump server | CIP-005 requires logging of Interactive Remote Access | Configure session recording and retain logs per your retention policy |
Our free IT/OT Integration Planning Framework guides you through architecture decisions, DMZ design, security risk assessment, and testing in a structured five-phase sequence.
Published by PROMEC Systems. Architecture recommendations align with NERC CIP CIP-005 and IEC 62443 zone-and-conduit model principles. Review designs with your IT security team and validate against your regulatory requirements.