Quick Overview of FERC’s CIP Version 5 Final Rule

CIP Verision 5As a quick follow-up to my post yesterday, here are some key snippets from the final rule that were posted this morning here – http://elibrary.ferc.gov/idmws/file_list.asp?accession_num=20131122-3003

The following are just a few of the nuggets I have pulled from the 150-page document (a few pointed out to me by other CIP specialists). I’ll comment on these at a later date but for now, enjoy the snippets.

Version 4 and the Implementation Plan

“The Commission approves NERC’s proposal to allow responsible entities to transition from compliance with the currently-effective CIP version 3 Standards to compliance with the CIP version 5 Standards.  Thus, CIP-002-4 through CIP-009-4 will not become effective, and CIP-002-3 through CIP-009-3 will remain in effect until the effective date of the CIP version 5 Standards.”

– paragraph 9

“..we are persuaded by the majority of commenters that the 24-month implementation period for High and Medium Impact BES Cyber Systems and the 36-month implementation period for Low Impact BES Cyber Systems are reasonable.”

paragraph 171

Identify, Assess and Correct Language

“…the Commission is concerned that the proposed language is overly-vague, lacking basic definition and guidance that is needed, for example, to distinguish a successful internal control program from one that is inadequate.  Alternatively, NERC may propose modifications that address the Commission concerns, discussed below, regarding the ambiguity and enforceability of the “identify, assess, and correct” language.  The Commission directs NERC to submit a proposal for Commission approval within one year from the effective date of this Final Rule….”

– paragraph 4

“…the Commission concludes that the “identify, assess, and correct” language, as currently proposed by NERC, is unclear with respect to the obligations it imposes on responsible entities, how it would be implemented by responsible entities, and how it would be enforced.  Accordingly, we direct NERC, pursuant to section 215(d)(5) of the FPA, to develop modifications to the CIP version 5 Standards that address our concerns.”

– paragraph 67

“…Language in a requirement that could be subject to multiple interpretations raises the specter of inconsistent application and enforcement, which could result in risks to Bulk-Power System reliability.  Therefore, as a fundamental expectation, NERC must strive to develop clear and unambiguous Reliability Standards.”

– paragraph 68

We believe, however, that it may be more appropriate for NERC to achieve these goals by articulating defined goals in the compliance and enforcement process and identifying clear expectations that would justify the exercise of enforcement discretion. “

– paragraph 73

“With this objective in mind, we believe that a more appropriate balance might be struck to address the underlying concerns by developing compliance and enforcement processes that would grant NERC and the Regional Entities the ability to decline to pursue low risk violations of the Reliability Standards.  Striking this balance could be accomplished through a modification to the Compliance Monitoring and Enforcement Program.”

paragraph 75

Low Impact BES Cyber Systems (Assets)

“…the CIP version 5 Standards do not require specific controls for Low Impact assets nor do they contain  objective criteria from which to judge the sufficiency of the controls ultimately adopted by responsible entities for Low Impact assets.  As discussed below, we direct that NERC develop modifications to the CIP version 5 Standards to address this concern.”

– paragraph 5

We believe that NERC can effectively address this concern in a number of ways, including:  (1) requiring specific controls for Low Impact assets, including subdividing the assets into different categories with different defined controls applicable to each subcategory; (2) developing objective criteria against which the controls adopted by responsible entities can be compared and measured in order to evaluate their adequacy, including subdividing the assets into different categories with different defined control objectives applicable to each subcategory; (3) defining with greater specificity the processes that responsible entities must have for Low Impact facilities under Reliability Standard CIP-003-5, Requirement R2; or (4) another equally efficient and effective solution. “

– paragraph 108

“…Thus, NERC indicates that, while not necessarily in the form of a discrete list, an entity must have the ability to identify the nature and location of all Low Impact assets that it owns or controls for audit and compliance purposes.”

– paragraph 112

Transient Electronic Devices

“…we direct NERC, pursuant to section 215(d)(5) of the FPA, to develop requirements that protect transient electronic devices (e.g., thumb drives and laptop computers) that fall outside of the BES Cyber Asset definition.”

– paragraph 6

“…relying on a single security control to protect information systems is contrary to the fundamental cyber security concept of defense-in-depth, which the Commission continues to believe is the most appropriate way to address cyber security.  A transient device introduced directly into a system bypasses most of the protection provided by the layers of security controls provided by the CIP Reliability Standards.  It cannot be assumed that anti-malware programs are completely effective in detecting, removing, and blocking malware, especially when they are commonly thwarted by the introduction of zero-day attacks.”

– paragraph 134

“While we agree that it would be overly-burdensome to include transient devices in the BES Cyber Asset definition, we agree with Encari and KCP&L that there is a gap in the CIP version 5 Standards regarding transient devices, and these devices pose a risk to BES Cyber Assets that is not addressed in an adequately robust manner in the CIP version 5 Standards. “

–  paragraph 135

15-minute Criteria

“…we direct NERC to conduct a survey of responsible entities during the CIP version 5 Standards implementation periods to determine the number of assets, by type, that fall outside the definition of BES Cyber Asset because the assets do not satisfy the ‘15-minute’ parameter…”

– paragraph 6

“Based on the survey data, NERC should explain in an informational filing the following:  (1) specific ways in which entities determine which Cyber Assets meet the 15 minute parameter; (2) types or functions of Cyber Assets that are excluded from being designated as BES Cyber Assets and the rationale as to why; (3) common problem areas with entities improperly designating BES Cyber Assets; and (4) feedback from each region participating in the implementation study on lessons learned with the application of the BES Cyber Asset definition.  The informational filing should not provide a level of detail that divulges CEII data.  This filing should also help other entities implementing CIP version 5 in identifying BES Cyber Assets.”

– paragraph 124

The Commission directs NERC to submit the informational filing one year after the effective date of this Final Rule.  Based on the information in the informational filing, the Commission may revisit whether the BES Cyber Asset definition should include the 15-minute parameter.”

paragraph 125

Protection of Communication Networks

“…directs NERC to create a definition of communication networks and to develop new or modified Reliability Standards that address the protection of communication networks.”

“…directs its staff to include the issue of protecting the nonprogrammable components of communications networks in the staff-led technical conference discussed herein.”

paragraph 7

we remain concerned that a gap in protection may exist, as the CIP version 5 Standards do not address security controls needed to protect the nonprogrammable components of communications networks.  We observe that a number of other information security standards, including NIST SP 800-53 and ISO 27001, address the protection of communication mediums, for instance in NIST SP 800-53 Rev 3, security control PE-4 includes examples of protecting communication medium including:  (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays.”

paragraph 149

Control Center Definition

“…we clarify that the phrase “generation Facilities at two or more locations” refers to control centers that control two or more geographically dispersed generation units as opposed to assets associated with two or more units at one generation plant.”

“…under Reliability Standard CIP-002-5, responsible entities must categorize generation operator Control Centers as High, Medium, or Low Impact based on facility ratings.”

paragraph 141

Stacy Bresler, Managing Partner | The Anfield Group

 / No Comments  / in General

Post a Comment

Your email address will not be published. Required fields are marked *

*