Big NERC CIP Changes Looming
In less than a year the sweeping changes to the NERC CIP requirements will become effective. The changes will require that all registered facilities be considered, to some degree, a critical asset. There are going to be three levels of criticality when it comes to CIP – High, Medium & Low. According to NERC, the process and criteria currently being used today for identifying critical assets in the electric system are inadequate. For example, the current system labels less than 5% of the existing generation facilities around the country to be critical assets, so NERC has identified a new approach in the new CIP-010-1 standard.
The scoping process in the existing CIP-002 standard calls for identification of critical bulk electric system assets, then the associated critical cyber assets. In CIP-010, there are no “out of scope” bulk electric system assets; instead a categorized list of those assets and their related cyber systems is required.
NERC has decided to use the NIST 800-53 framework when they are developing the CIP requirements from now on. The National Institute of Standards and Technology (NIST) is the U.S. Government’s defacto standard for Information Technology Security. You can download a full copy here. NIST provides standards and technology to protect information systems against threats to the confidentiality of information, integrity of information and processes, and availability of information and services in order to build trust and confidence in Information Technology systems.
The NIST framework:
- Provides a specification for minimum security requirements for information systems included in the CIP requirements using a standardized, risk-based approach.
- Defines minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category that are included in the CIP requirements.
- Identifies methods for assessing effectiveness of the CIP security requirements.
- Brings the security planning process up to date with key standards and guidelines developed by your security team using the NIST framework.
- Provides your security team with assistance in determining what needs to be done and in chronological order.
- Evaluates security policies and technologies developed by your security team.
Be warned, there are many major changes coming. One of the most interesting is that CIP-002-2 through CIP-009-2 will be removed and replaced with CIP-010-1 and CIP-011-1. CIP-011-1 is almost 30 pages and combines CIP-003-2 through CIP-009-2 into a single requirement and includes new requirements as well. The following is a list of some of the major changes on the horizon:
- Every requirement will be auditable and not just addressable. This means that you must complete all required tasks in the CIP requirements as they will pertain to you and not be a nice-to-have or addressable.
- There is currently a 3-year review/audit cycle set up and because the BES does not change too much or too often that cycle is going to be shortened to be between 12 months and 24 months.
- A new feature in CIP-011 is how the requirements are presented, which is based on applicability/impact on the reliable operation of the BES. There are several subject areas identified in CIP-011, including: security governance and policy; personnel training, awareness, and risk assessment; physical security; electronic access control; etc.
- Each requirement has several characteristics identified, and each requirement is assigned to one of the subject areas.
- The need for more than paper evidence of compliance has lead to actual need to demonstrate compliance in the updated version of the CIP requirements. For example, current requirements call for paper demonstration rather than allow for actual demonstration of the protection system; the latter improves security and therefore an entity will have to demonstrate their compliance rather than state it.
There are many, many other updates, improvements and additions to the upcoming CIP requirements known as Version 4. It is my opinion that a registered entity may want to begin preparing now because the requirements may prove to be difficult to handle.
James Holler is founder of Abidance Consulting.