The Much-Anticipated CIP Version 5 Final Rule Released by FERC
At the FERC Commission meeting on November 21, 2013, the Commission approved the CIP version 5 Standards, which address the cyber security of the bulk electric system. As stated in the FERC final rule, these standards are an improvement over the currently effective CIP version 3 Standards. CIP version 5 requires the industry to adopt new controls and expands the scope of systems that are protected by the CIP standards. The Commission also approved definitions associated with the CIP Standards and directed NERC to make modifications to CIP version 5 and submit informational filings back to FERC.
One of the key decisions, as requested by the ERO, was the Commission’s approval to allow registered entities to transition directly from the currently effective CIP version 3 Standards to compliance with the CIP version 5 Standards. The approved CIP version 4 Standards will not become effective. CIP version 3 will remain in effect until the effective date of CIP version 5. The Commission also approved the implementation plan and effective dates proposed by NERC.
Some of the key highlights from the FERC Order:
- The CIP version 5 Standards identify and categorize BES Cyber Systems using a new methodology based on whether a BES Cyber System has a Low, Medium, or High Impact on the reliable operation of the bulk electric system. At a minimum, a BES Cyber System must be categorized as a Low Impact asset. Once a BES Cyber System is categorized, a responsible entity must comply with the associated requirements of the CIP version 5 Standards that apply to the impact category.
- The CIP version 5 Standards also include 12 requirements with new cyber security controls, which address Electronic Security Perimeters (CIP-005-5), Systems Security Management (CIP-007-5), Incident Reporting and Response Planning (CIP-008-5), Recovery Plans for BES Cyber Systems (CIP-009-5), and Configuration Change Management and Vulnerability Assessments (CIP-010-1).
- The Commission directs NERC to remove language found in 17 requirements in the CIP version 5 Standards that requires responsible entities to implement the requirements in a manner to “identify, assess, and correct” deficiencies. We support NERC’s move away from a “zero tolerance” approach to compliance, the development of strong internal controls by responsible entities, and NERC’s development of standards that focus on the activities that have the greatest impact on Bulk-Power System reliability. However, the Commission is concerned that the proposed language is overly vague, lacking the basic definition and guidance that is needed, for example, to distinguish a successful internal control program from one that is inadequate.
Note the Commission’s response to the “identify, assess, and correct” language:
“We would prefer approaches that would not involve the placement of compliance language within the text of the Reliability Standards to address these issues. We understand that NERC has inserted the “identify, assess, and correct” language into the CIP Reliability Standard requirements to move its compliance processes towards a more risk-based model. With this objective in mind, we believe that a more appropriate balance might be struck to address the underlying concerns by developing compliance and enforcement processes that would grant NERC and the Regional Entities the ability to decline to pursue low risk violations of the Reliability Standards. Striking this balance could be accomplished through a modification to the Compliance Monitoring and Enforcement Program. We believe that such an approach would: (1) empower NERC and the Regional Entities to implement risk-based compliance monitoring techniques that avoid zero defect enforcement when appropriate; (2) allow the Commission to retain oversight over the enforcement of Reliability Standards; and (3) ensure that all Reliability Standards are drafted to be sufficiently clear and enforceable.”
- The Commission directs NERC to develop modifications that address security controls for Low Impact assets. The adoption of the Low Impact BES Cyber Asset category will expand the protections offered by the CIP version 5 Standards to additional assets that could cause cyber security risks to the bulk electric system. Specifically, categorizing BES Cyber Systems based on their Low, Medium, or High Impact on the reliable operation of the bulk electric system, with all BES Cyber Systems being categorized as at least Low Impact, offers more comprehensive protection of the bulk electric system. However, the CIP version 5 Standards do not require specific controls for Low Impact assets nor do they contain objective criteria from which to judge the sufficiency of the controls ultimately adopted by responsible entities for Low Impact assets. The Commission directs that NERC develop modifications to the CIP version 5 Standards to address this concern. While NERC may address this concern by developing specific controls for Low Impact facilities, it has the flexibility to address it through other means, including those discussed below.
- The Commission directs NERC to submit an informational filing one year from the effective date of this Final Rule that assesses, based on the survey results, whether the BES Cyber Asset definition will, with the 15-minute parameter, cover the assets that are necessary to ensure the reliable operation of the Bulk-Power System.
- The Commission directs NERC to create a definition of communication networks and to develop new or modified Reliability Standards that address the protection of communication networks. The Commission also directs its staff to include the issue of protecting the nonprogrammable components of communication networks in the staff-led technical conference discussed herein.
For more information:
Trey Kirkpatrick is Vice President of Energy and Utilities for AssurX, Inc., a leading provider of energy and utility enterprise compliance management solutions.