As I detailed in my previous posts on the Electronic Access Control and subsequent posting on the proposed modifications, the Standard Drafting Team (SDT) charged with working on the FERC-ordered Low Impact External Routable Connectivity (LERC) modifications has released its proposed definition changes for industry comment and balloting. In this latest installment, I will provide some additional details from those documents.

Modification Main Points

In my earlier posts I began outlining the primary modifications made to the LERC definition in order to provide further clarity as ordered by FERC as well as the removal of the Low Impact BES Cyber System Electronic Access Point (LEAP) definition. The best method to understand the full scope of these modifications is to review the redlined versions of the new definitions and proposed new CIP-003-7 Standard. While it’s important to read all of this documentation thoroughly, I’ve highlighted a few key aspects of these documents for easier consumption.

New Definition

The proposed definition redline indicates modifying LERC to become “Low Impact External Communication,” updating the definition’s text and retiring the previous LEAP definition.

CIP-003-7

In the newly proposed Standard CIP-003-7 redline, the significant modifications begin on page 7 of the PDF document, including:

  • Page 7 — change of the LERC text to read “Communication”
  • Pages 15–16 — removal of LEAP from the Violation Severity Levels (VSL)
  • Page 22 — update to the Physical Security Controls and Electronic Access Controls requirements due to the removal of LEAP
  • Page 24 — changes to the measures for the Physical Security Controls and Electronic Access Controls due to the LERC modifications and LEAP removal
  • Page 26 — clarification defining “BES asset” usage within CIP-003-7
  • Pages 29–30 — guidance on Attachment 1, Section 2 — covering physical security controls — and Section 3 — focused on electronic access controls
  • Page 30 — a clarified definition on determining LERC
  • Page 31 — further information on determining a BES asset boundary
  • Pages 32–43 — guidance on determining electronic access controls, including nine new concept diagrams
  • Page 43 — guidance on insufficient access controls
  • Pages 44–50 — CIP-003-6 concept diagrams that were replaced in the proposed CIP-003-7

I recommend Entities carefully review the concept diagrams to see how they match up with their environment and, if there are questions as to how the diagrams might fit a specific condition, contact the SDT for clarification. The diagrams include nine examples of possible access controls to assist Entities in determining how to implement the requirements, so they will not cover all possibilities and are not intended to be the only answers for implementing access controls.

Implementation Plan

The Implementation Plan indicates an effective date of Sept. 1, 2018 for the modifications based on FERC approval and an effective date of the Commission’s order by Dec. 31, 2017. The earlier Implementation Plans for CIP-003-5 and CIP-003-6 remain in place for specific sections as noted in the new plan, and CIP-003-6 would be retired immediately prior to CIP-003-7’s effective date.

Comment & Ballot Periods

The industry comment period is open until 8 p.m. EST on Sept. 6, 2016 — in addition to the ballot pool formed for Registered Entities that’s open until Aug. 19. Initial ballots will be held between Aug. 26 and Sept. 6. You can provide your comments using the electronic form as noted in the voting section of the project page. I encourage all Registered Entities to review the modifications in order to determine the potential impacts to their environment as well as provide input on concerns for the SDT to consider.

Additional Information

On Aug. 16, 2016, the SDT will host a webinar covering the proposed modifications. During this event, SDT will present the modifications and hold a Q&A session for the industry. Several of the Regions have indicated that they will also have sessions to review the proposed modifications, and in some cases, compile unified comments for their Entities. For more information on when these sessions will be scheduled, please refer to each of the Regions’ websites.

Upcoming articles in this series will cover any additional modification information as it becomes available, but in the meantime check out the following posts to help in your Low Impact BCS research and implementation efforts:

Introduction to NERC CIP Low Impact Requirements

Cultural Change

Policy, Plans, Processes and Procedures

Inventory or Not

Security Awareness & Incident Response

Electronic Access Controls

Physical Security Controls

Electronic Access Controls, Proposed Modifications

Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.