NERC CIP-008 and CIP-009 require documented, tested incident response and recovery plans for Bulk Electric System assets. Skyhigh delivers 65 ready-to-run ICS/OT scenarios, AI-generated After Action Reports, and audit-ready compliance evidence — so your Registered Entity can demonstrate exercise completion to NERC and Regional Entities.
NERC CIP applies to entities that own or operate Bulk Electric System (BES) assets above defined thresholds. Tabletop exercises directly satisfy CIP-008 plan testing requirements.
Entities owning or operating transmission lines, substations, and interconnected facilities at High and Medium BES Cyber System impact levels must document and exercise incident response plans under CIP-008.
Generation facilities meeting BES applicability thresholds (typically ≥75 MW) must maintain CIP-008 response plans and exercise recovery procedures under CIP-009 for BES Cyber Systems.
Entities responsible for system-wide reliability must exercise coordination and communication procedures for Cyber Security Incidents that could impact BES reliability at scale.
Eight active CIP standards directly or indirectly require exercise activity. CIP-008 and CIP-009 are the most directly addressed by tabletop exercises.
| Standard | Title | Key Requirement Addressed | Skyhigh Capability | Relevance |
|---|---|---|---|---|
| CIP-008-6 | Incident Reporting & Response Planning | R4: Test Cyber Security Incident response plans at least once every 15 months through exercises, drills, or operational use | Live session mode, scenario-driven exercise flow, timestamped participant responses, AI-generated AAR with CIP-008 evidence export | Direct |
| CIP-009-6 | Recovery Plans for BES Cyber Systems | R3: Test recovery plans at least once every 15 months through operational exercise or full operational test | Recovery-focused scenario variants, step-by-step recovery procedure walkthrough, AAR documents recovery timeline, compliance evidence export | Direct |
| CIP-003-8 | Security Management Controls | Documented cybersecurity policies and annual review; delegated authority for Cyber Security Incident response | AI Facilitator Briefing references organisational policies; exercise pre-planning surfaces gaps in policy documentation | Supporting |
| CIP-005-7 | Electronic Security Perimeters | Access point management, interactive Remote Access; ESP breach detection and response | Substation RTU and ESP scenarios exercise breach detection, lateral movement identification, and access control response procedures | Scenario |
| CIP-007-6 | Systems Security Management | Port management, security patch management, malware prevention and mitigation | SCADA and EMS scenarios exercise response to malware propagation, unpatched system exploitation, and OT asset hardening gaps | Scenario |
| CIP-010-4 | Configuration Change Management | Baseline configuration documentation; change control process for BES Cyber Systems | Scenarios involving configuration drift and unauthorised changes exercise team procedures for detecting and responding to baseline deviations | Scenario |
| CIP-011-3 | BES Cyber System Information Protection | Identification, classification, and protection of BCSI; handling and storage controls | Data exfiltration and insider threat scenarios exercise information protection procedures; AI AAR flags information-handling gaps | Scenario |
| CIP-013-2 | Supply Chain Risk Management | Vendor risk assessment, software integrity, hardware authenticity controls for industrial control systems | Supply chain attack scenarios exercise vendor compromise detection, isolation procedures, and coordination with procurement and legal teams | Scenario |
Three platform capabilities work together to satisfy CIP-008 and CIP-009 exercise and documentation requirements.
Live Session mode provides a structured, real-time exercise environment. Participants join by code, respond to scenario steps, and all activity is timestamped — creating an auditable exercise record.
Skyhigh's AI engine (Claude claude-3-5-haiku) generates a structured AAR immediately after each exercise — documenting gaps identified, recommended corrective actions, and framework alignment.
The Compliance Dashboard generates per-framework evidence packages — a 6-page audit PDF covering exercise log, controls mapping, gap analysis, remediation timeline, and formal attestation page.
Six high-fidelity energy and power sector scenarios are immediately available. Each exercises BES-relevant procedures across your OT, IT, and executive teams.
Ransomware propagates from IT into OT systems with PLCs and RTUs showing anomalous behaviour. Tests CIP-008 incident response activation and cross-team communication.
An adversary gains access to a substation's RTU via a phishing-induced foothold. Tests Electronic Security Perimeter breach response and ESP isolation procedures.
The SCADA system at a thermal generation plant begins sending anomalous setpoint commands. Tests recovery plan activation under CIP-009 and cross-team coordination.
The Energy Management System (EMS) begins displaying incorrect topology data. Teams must determine if this is a cyber incident, instrument failure, or adversarial manipulation.
A trusted software update from an ICS vendor contains a backdoor. Tests supply chain incident detection, vendor communication procedures, and CIP-013 risk management processes.
A disgruntled contractor with legitimate access exfiltrates BES Cyber System Information and alters device configurations. Tests BCSI protection and insider incident response under CIP-011.
Plus 59 additional scenarios across Oil & Gas, Nuclear, Manufacturing, Water, Healthcare, and more.
Every Skyhigh exercise automatically generates four categories of compliance evidence that map directly to NERC CIP documentation requirements.
AI-generated structured PDF with gap analysis, corrective actions, and NERC CIP framework references. Ready within minutes of exercise completion.
6-page per-framework audit PDF: exercise log, controls mapping, gap analysis, remediation timeline, and signed attestation page.
Timestamped record of all participant responses, host actions, and step progression. Demonstrates real exercise activity to auditors.
Gaps identified in the exercise are automatically pushed to ServiceNow or Jira as remediation tickets — creating a documented corrective action trail.
Skyhigh exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.
Start with 3 free exercises — no credit card required. Or talk to our energy sector team about CIP-008 and CIP-009 exercise programs at scale.