Update 2/6/2016: FERC filed a notification on Feb. 5, 2016 indicating the comment period for this motion will end Feb. 12, 2016. This unusually short comment period indicates they will issue a quick ruling.
Update 2/5/2016: On Feb. 4, 2016, the Trade Associations filed a motion with FERC to delay the enforcement date for the CIP Version 5 modifications approved under Order 791 from Apr. 1, 2016 to July 1, 2016, to coincide with the enforcement date of the Version 5 modifications approved under Order 822. If FERC approves this request – and we believe they will – the Version 5 standards CIP-003-5, CIP-004-5, CIP-006-5, CIP-007-5, CIP-009-5, CIP-010-1, and CIP-011-1 will be retired without ever going into effect, being replaced with the versions approved under Order 822. The administrative burden to the industry of having two sets of CIP Standards going into effect within three (3) months of each other will be avoided.
We’ve been keeping close tabs on the latest developments involving modifications to the Critical Infrastructure Protection (CIP) Version 5 Standards. And on Jan. 21, 2016, the Federal Energy Regulatory Commission (FERC) issued its final ruling (Order 822) on the Notice of Proposed Rulemaking (NOPR) for the modifications to CIP V5. Here’s a quick look at what was approved and what we expect to happen next:
FERC approved modifications to seven standards: Security Management Controls (CIP-003-6), Personnel and Training (CIP-004-6), Physical Security of BES Cyber Systems (CIP-006-6), Systems Security Management (CIP-007-6), Recovery Plans for BES Cyber Systems (CIP-009-6), Configuration Change Management and Vulnerability Assessments (CIP-010-2), and Information Protection (CIP-011-2). The approval also included the implementation plan, violation risk factor and violation severity level assessments.
At the same time, FERC directed the North American Electric Reliability Corp. (NERC) to:
- Develop modifications to implement mandatory protection of transient cyber assets at Low Impact BES Cyber Systems (BCS) based on risks to the reliability of the bulk electric system (BES).
- Develop modifications to implement protections for the communication links and sensitive bulk electric system data transmitted between Control Centers, both intra-entity (same Entity) and inter-entity (different Entities) and at all impact levels (high, medium and low), according to the risk posed to the BES under CIP-006.
- Develop modifications to the definition of Low Impact External Routable Connectivity (LERC) to reflect the commentary in the CIP-003-6 Guidance and Technical Basis section.
- Conduct a comprehensive study that identifies the strengths of the CIP Version 5 remote access controls and risks posed by remote access-related threats and vulnerabilities.
Supply Chain Management
FERC deferred any decision on Supply Chain Management controls, as noted in the July 2015 NOPR, until after the technical conference, which recently wrapped up. I’ll update you on this as I learn more.
The timing set in Order 822 for the modifications and study requires that the remote access control study be provided to FERC within one year of the implementation of the CIP V5 standards for High and Medium Impact BCS (April 1, 2017), and that the modification to the definition of LERC be provided within one year of the effective date of Order 822. No date was specified for the modifications covering Low Impact BCS transient cyber assets and protection of communications between Control Centers.
Per the approved implementation plan, most standards go into effect July 1, 2016, with a few exceptions:
- CIP-006-6 Requirement R1, Part 1.10 will be effective April 1, 2017.
- Low Impact BCS covered under CIP-003-6 Requirement R1, Part 1.2 and Requirement R2 will start April 1, 2017.
- CIP-003-6 Attachment 1 Sections 2 and 3 will begin Sept. 1, 2018.
One thing that could potentially affect the implementation dates is that Order 822 gives interested parties the option to submit a request to align the implementation dates of certain CIP Reliability Standards. Footnote 82 of the document suggests this could be done to lessen the burden of implementing two versions of the CIP Reliability Standards within a short period of time. This leaves two possible scenarios: the current April 1, 2016 date (for the Standards previously approved under Order 791) could be pushed back to July 1, 2016, or Order 822 could be made enforceable on April 1, 2016.
This is a topic that continues to unfold, so be sure to stay tuned in to the blog for the latest developments as they occur. And in the meantime, if you have specific questions about the approved modifications or cybersecurity in general, I’d be happy to talk with you. Comment below or connect with me on LinkedIn.
Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.