The comment period has ended for modifications to the Critical Infrastructure Protection Version 5 Standards — also known as CIP V5. The North American Electric Reliability Corp. (NERC) and other industry stakeholders had until Sept. 21, 2015, to submit comments to the Federal Energy Regulatory Commission (FERC) Notice of Proposed Rulemaking (NOPR) on Docket RM15-14-000.
Anyone who works in the power utility industry knows how important it is to stay current on these standards. To help you navigate these comments and understand their potential impact on your business, I’ve combed through the 35 comments submitted by NERC (PDF) and summarized them here. Since most of the NOPR was directed at NERC, my summary focuses on its response, along with any recurring themes present in the other comments.
Supply Chain Management
NERC and most commenters supported FERC’s attention to supply chain vulnerability but cautioned that creating such a standard, or modifying the existing standards, cannot be accomplished quickly. Many indicated that holding outside vendors accountable to any NERC supply chain standard is outside FERC’s jurisdiction under the Federal Power Act. Several commenters detailed how the existing V5 standards already provide many protections against supply chain risks, and that with some modifications the standards could cover most of the vulnerabilities. Commenters were almost unanimous that any supply chain standard or modification cannot be completed in a short time, and that sufficient stakeholder input must be collected before any work is started.
Inter-Control Center Communications
NERC and most other commenters support FERC’s comment that control-center-to-control-center communications play a critical role in maintaining Bulk Electric System (BES) reliability. NERC wasn’t against modifications as long as they didn’t adversely impact reliability and accounted for the differing risk levels of the control centers covered by the standards. Many other comments expressed concern that FERC appeared to be directing the protections at all control centers at all impact levels (High, Medium and Low). They want FERC to clarify where these protections should be placed, to make sure they fit the risks, and to limit them to areas that individual Entities can control.
Remote Access Protections
Nearly all commenters indicated that FERC should hold off on any modifications to the current standards on Interactive Remote Access (IRA) until the industry has fully implemented the V5 standards and understands how they are working. Most agree that changing the standard before it is fully implemented and measured would not be appropriate.
Transient Devices at Low Impact BES Assets
NERC’s response indicates that the proposed protections for transient devices at just High and Medium Impact BES Cyber Systems (BCS) are appropriate and that, based on standard drafting team (SDT) work, applying the transient device standard to Low Impact BCS would be overly burdensome to Entities when compared to the associated risks. NERC also addressed FERC’s comment that malware introduced by a transient device could propagate to other facilities. NERC said the required electronic access controls for Low Impact BCS would help prevent this, and the protections in place at High and Medium Impact BCS would reduce the risk of propagation. Most other comments offered the same input and indicated that the standards, as written, should be implemented and then measured to determine whether there are areas for improvement.
Definition of LERC
NERC commented that the definition of Low Impact External Routable Connectivity (LERC) was sufficiently clear and provided additional information on the intended definitions of “direct” and “indirect.” NERC also indicated that if the NOPR comments or questions from stakeholders during implementation showed evidence of confusion, NERC would correct the condition, potentially by modifying the definition through standard development processes. Industry comments ranged from accepting the definition as adequate to needing clarification. Many commenters agreed the lack of an Electronic Security Perimeter or similar setup for Low Impact BCS will create a security risk.
Proposal to Approve the Modifications
Almost all responses expressed a desire for FERC to approve the modifications so they become effective before Dec. 31, 2015, to avoid a delay in implementation, slated for April 2016 and 2017.
While it’s difficult to determine exactly how FERC will proceed, I believe the common thread of the input will persuade FERC to approve the modifications as they are, putting them into effect by Dec. 31, 2015, allowing the industry to move forward with the progress that has been made.
Additionally, I anticipate that NERC will be ordered to continue reviewing possible supply chain management modifications to the CIP standards. To some degree, this has already started with the FERC Technical Conference set for Jan. 28, 2016.
Finally, I believe FERC will allow the transient device and IRA standards to stand as written but require NERC to study the implementations and report back.
It’s more difficult to determine a direction for LERC. If FERC wants the standards implemented without delay, and wants to reduce the industry burden caused by uncertainty, it will need to approve the definition as written. Alternatively, FERC could require NERC either to study the implementations and adjust as NERC indicated in its comments, reporting back to FERC within a specified time period, or to make modifications based on what FERC believes is a security gap — one that several industry comments also identified and that I believe exists as well — with those modifications submitted to FERC for approval in one or more years.
If you have questions about NERC’s comments or cybersecurity in general, I’d be happy to talk to you. Comment below or connect with me on LinkedIn.
Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.