NERC CIP Low Impact Requirements

The July 1 effective date for High and Medium Impact Bulk Energy System (BES) Cyber Systems is rapidly approaching, causing Registered Entities and Regional Entities to now shift their focus toward meeting the Low Impact BES Cyber System (BCS) requirements.

This will be the first in a series of articles covering those requirements, what Burns & McDonnell has experienced in helping Registered Entities in their implementations, and information being provided by NERC and the Regional Entities as part of their outreach efforts.

What to Expect

Over the next few weeks, I’ll cover a variety of topics related to NERC CIP requirements, including:

  • Culture change due to the implementation of the CIP Standards, especially for Entities new to the CIP Standards, and how the current culture can impact implementation of the Standards
  • Defining what Policies, Plans and Procedures are, and what they should contain
  • Inventory of facilities with Low Impact BCS and methods of approach to demonstrate that they comply with several of the Standards requirements
  • Configuration information required for several of the Standards requirements and potential issues experienced during the collection process
  • What other Entities have done to implement these requirements while facing budget and resource constraints

Important Dates to Note

One of the initial items to understand about these requirements is the set of enforcement dates for Low Impact BCS, summarized below:

July 1, 2016

  • CIP-002-5.1, R1 & R2 — BCS Impact Determination, Review and Approval
  • CIP-003-6, R3 & R4 — Identification of CIP Senior Manager and Delegations

July 15, 2016

  • Self-Certification for CIP-002-5.1

April 1, 2017

  • CIP-003-6, R1 Part 1.2 — Cyber Security Policies for Low Impact BCS
  • CIP-003-6, R2 Attachment 1, Section 1 — Cyber Security Awareness Plan
  • CIP-003-6, R2 Attachment 1, Section 4 — Cyber Security Incident Response Plan

September 1, 2018

  • CIP-003-6, R2 Attachment 1, Section 2 — Physical Security Controls Plan
  • CIP-003-6, R2 Attachment 1, Section 3 — Electronic Access Controls Plan

By now, Registered Entities should already have their CIP-002-5.1 BCS Impact Determination completed, since the original enforcement date was April 1, 2016, which was moved to July 1 by FERC earlier this year.

One area in which Burns & McDonnell has seen some client confusion is the identification of the CIP Senior Manager and Delegates, and when that is to be enforced for Entities who only have Low Impact BCS or never had a previous CIP Program implemented. As noted above, it is July 1 and not the first Low Impact BCS date of April 1, 2017.

Additional Information to Keep in Mind

Over the next few months, I will try to provide industry references to Low Impact BCS, which start with the following:

  • The WECC will be conducting a CIP Low Impact Workshop May 25-26, 2016, in Salt Lake City, Utah.
  • Scott Mix from NERC has been presenting “Auditing Low Impact BES Cyber Systems” at several Regional Workshops, with a link provided here for the ReliabilityFirst presentation on April 15, 2016.
  • Burns & McDonnell will have our second-annual Power Utility Security & Compliance Symposium August 8-9, 2016, which will cover several subjects related to Low Impact BCS.

Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.
