NERC CIP-004 & CIP-003 security awareness training.
Personnel training, phishing simulation, and security awareness evidence for Bulk Electric System entities — with zero testing footprint on OT/ICS assets.
What NERC CIP actually requires.
CIP-004-6, Requirement R2
CIP-004 exists to minimize the risk of a compromise that could destabilize the Bulk Electric System, and R2 is its personnel training requirement: role-appropriate training must be completed and documented before anyone gets electronic or unescorted physical access to a BES Cyber Asset, and refreshed on a defined cycle. The standard gives entities flexibility in how the training program is structured, but the documentation burden — who was trained, on what, and when — is not optional.
CIP-003, Security Management Controls
CIP-003 establishes accountability for protecting BES Cyber Systems, including — for low-impact systems specifically — cyber security awareness as one of its named control domains. Reviewers expect to see a documented, sustained awareness program, not a one-time training event.
A structural note that matters in this industry more than most: active security testing on OT/ICS networks carries real operational risk — traditional scanning and exploitation techniques built for IT environments can destabilize control systems that were never designed to handle them. That's exactly why personnel training and phishing simulation are where most of the near-term compliance and risk-reduction work happens — it's evidence you can produce without putting a single packet near a control system.
How this maps to what we do.
CIP-004-6, R2
Per-employee campaign results and completion records give your compliance team the documented personnel-training evidence R2 asks for, without any testing footprint on OT/ICS assets.
CIP-003
An append-only, tamper-resistant log of every campaign action supports the security-awareness-program documentation reviewers expect alongside your broader CIP-003 controls.
IT Audits & Testing
For the IT side of the house — corporate systems outside the Electronic Security Perimeter — we run the same audits and penetration tests we run for any client, scoped well clear of OT/ICS boundaries.
Building out your CIP-004 training program?
Tell us your entity's impact rating and audit cycle — we'll scope what fits.