Big NERC CIP Changes Looming

Article title
James Holler, Founder, Abidance Consulting

James Holler, Founder, Abidance Consulting

In less than a year the sweeping changes to the NERC CIP requirements will become effective. The changes will require that all registered facilities be considered, to some degree, a critical asset. There are going to be three levels of criticality when it comes to CIP – High, Medium & Low. According to NERC, the process and criteria currently being used today for identifying critical assets in the electric system are inadequate.  For example, the current system labels less than 5% of the existing generation facilities around the country to be critical assets, so NERC has identified a new approach in the new CIP-010-1 standard.

The scoping process in the existing CIP-002 standard calls for identification of critical bulk electric system assets, then the associated critical cyber assets.  In CIP-010, there are no “out of scope” bulk electric system assets; instead a categorized list of those assets and their related cyber systems is required.

NERC has decided to use the NIST 800-53 framework when they are developing the CIP requirements from now on. The National Institute of Standards and Technology (NIST) is the U.S. Government’s defacto standard for Information Technology Security. You can download a full copy here. NIST provides standards and technology to protect information systems against threats to the confidentiality of information, integrity of information and processes, and availability of information and services in order to build trust and confidence in Information Technology systems.

The NIST framework:

  • Provides a specification for minimum security requirements for information systems included in the CIP requirements using a standardized, risk-based approach.
  • Defines minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category that are included in the CIP requirements.
  • Identifies methods for assessing effectiveness of the CIP security requirements.
  • Brings the security planning process up to date with key standards and guidelines developed by your security team using the NIST framework.
  • Provides your security team with assistance in determining what needs to be done and in chronological order.
  • Evaluates security policies and technologies developed by your security team.

Major Changes
Be warned, there are many major changes coming. One of the most interesting is that CIP-002-2 through CIP-009-2 will be removed and replaced with CIP-010-1 and CIP-011-1. CIP-011-1 is almost 30 pages and combines CIP-003-2 through CIP-009-2 into a single requirement and includes new requirements as well. The following is a list of some of the major changes on the horizon:

  • Every requirement will be auditable and not just addressable. This means that you must complete all required tasks in the CIP requirements as they will pertain to you and not be a nice-to-have or addressable.
  • There is currently a 3-year review/audit cycle set up and because the BES does not change too much or too often that cycle is going to be shortened to be between 12 months and 24 months.
  • A new feature in CIP-011 is how the requirements are presented, which is based on applicability/impact on the reliable operation of the BES.  There are several subject areas identified in CIP-011, including: security governance and policy; personnel training, awareness, and risk assessment; physical security; electronic access control; etc.
  • Each requirement has several characteristics identified, and each requirement is assigned to one of the subject areas.
  • The need for more than paper evidence of compliance has lead to actual need to demonstrate compliance in the updated version of the CIP requirements. For example, current requirements call for paper demonstration rather than allow for actual demonstration of the protection system; the latter improves security and therefore an entity will have to demonstrate their compliance rather than state it.

There are many, many other updates, improvements and additions to the upcoming CIP requirements known as Version 4. It is my opinion that a registered entity may want to begin preparing now because the requirements may prove to be difficult to handle.

James Holler is founder of Abidance Consulting.

Showing 6 comments
  • Reply

    The changes effect not only utility operators, but the companies they do business with. As CIP-011 is implemented utilities will find that letting a contractor run the background check on employees and report the results isn’t going to meet the standard. Documentation that training requirements are being met will also become a major pain point for utilities.

  • Reply

    Rumor has it FERC was not too thrilled with the new CIP model for CIP010 and CIP011. Is there any confirmation they told the NERC drafting teams to tweak a few things or revisit their entire approach based on effect to the BES.

  • Reply

    JEFF – You are correct in that FERC has asked for more clarity. Earlier this morning the meeting with the Standards and Development Team (SDT) had us make a few modifications to CIP-002-4. CIP-010-1 and CIP-011-1 are still under development and are taking on the look of the PCI rules with the feel of the NIST 800-53 standards. These will be rolled out in a phased-in approach.

  • Reply

    STEVE – Here’s the deal…registered entities will now have to prove their compliance, not just state they are compliant. Don’t be surprised if an auditor asks you to show them, in real-time, how you verify that only those ports necessary for normal and emergency operations are open. This means a live test…or a “show me” demo. This is one of the primary reasons more and more clients are doing a total outsource of their compliance efforts to us.

  • Reply

    “For example, current requirements call for paper demonstration rather than allow for actual demonstration of the protection system…”

    This has been the issue with auditing for quite a while. Traditionally, auditors test for the existence of a policy, in some cases just taking someone’s word it exists, instead of testing the effectiveness of the written policy. Requiring someone to display effectiveness would be a tremendous step forward in security. Seems like that might be a tough one to pull off though. As a penetration tester I can’t tell you how many times a policy existed but was easily bypassed and/or the necessity for programs and services wasn’t stated. For example, allowing wholesale access to things like Facebook or whatever.

pingbacks / trackbacks

Leave a Reply

Quality Management Software
AssurX Quality + Compliance ManagementA single versatile system can improve quality, compliance and streamline workflow
Don't Miss A Post

Subscribe to our blog to receive an email when we publish new content.

Recent Posts
Quality and Compliance Systems for Every Enterprise
A single versatile system can improve quality, compliance and streamline workflow.