NERC Raises Stakes with ‘New Direction’ for CIP Standards
Complying with regulatory requirements might just have gotten a lot tougher for those involved in producing and protecting the nation’s power supply.
At its meeting on April 13–16, 2010, NERC decided it will be retiring the existing CIP standards and replace them with new ones starting at CIP-010. Since this announcement, NERC has tabled CIP-010 and CIP-011 until next year and are now focusing on CIP-002-4.
That sounds innocent enough, right?
Not so fast. “It’s a huge and significant change,” warns AssurX expert Paul Fricke. He’ll be leading a summit on NERC and power grid compliance issues later this month in Chicago. A highlight of that seminar will be a presentation by big power firm PG&E. Company exec Thomas Bilbo will explain how PG&E is developing an enterprise compliance management system using CATSWeb as the backbone. Areas covered include: internal and external compliance requirements/commitments, the connections with business processes, and the controls/methods/evidence to ensure compliance.
“We want feedback from industry about how these changes will impact them, and how we can help them to better handle these changes,” Paul says.
NERC’s latest moves mean, among other things, that regulated entities will have to track their self-certification tasks much more effectively.
CIP-010-1 establishes the foundation for a shift from identification of system elements to a focus upon the systems.
The draft standard requires BES Cyber Systems to be indentified and categorized in terms of impact (High, Medium, and Low) as well as identifying the systems essential functions. The functions and categorizations are outlined in the draft CIP-010-1 Reliability Standard.
CIP-011-1 establishes an array of baseline cyber security requirements, which must be applied to protect the BES Cyber Systems identified and categorized in CIP 010-1 according their impact category.
So instead of a relatively vague set of rules, we’re looking at far more specific requirements in table format. “This will set the requirements in terms of low impact, medium and high,” Paul notes. For example, high impact system requirements, the new regulations might require action to be taken in a specific amount of time, say an hour or four hours, where in the past it may have been days or not even specified, Paul adds.
The comment period for this ended in June, and Paul says industry did weigh in with comments, but he also worries that industry may underestimate how much time and other resources this new bar for compliance may require.
“CIP-002-4 gets closer to where CIP-010-1 is going,” Paul notes. It seems to be a smaller step to clearly require classification of Critical Assets, but does not leap to BES System identification and classification…yet, he adds.
ASSURX NERC RESOURCE CENTER