According to CIP-006 R1.1, what should be established to restrict physical access?

CIP-006 R1.1 specifies that operational or procedural controls must be established to restrict physical access to critical cyber assets. This requirement emphasizes the importance of implementing well-defined processes and procedures that dictate how access to physical locations is controlled. Operational controls may include measures such as access control lists, security personnel, visitor logs, and policies outlining who is permitted to enter specific areas.

These controls are essential to ensuring that only authorized personnel can access facilities housing critical infrastructure, thereby safeguarding the assets against unauthorized access and potential tampering. By focusing on the operational aspect, organizations can create workflows and practices that are practical and enforceable, leading to a stronger security posture against physical threats.

While the other options—technical surveillance measures, enhanced user training programs, and robust audit trails—are also important for overall security, they do not directly address the specific requirement of establishing controls for restricting physical access as outlined in CIP-006 R1.1. Technical measures may support the operational controls, but they do not replace the need for established procedures and protocols.