EnergyBlogs.com, a service of Energy Central

By Ernie Hayden CISSP CEH, Managing Principal – Energy Security, Verizon Global Energy & Utility Practice

 

On November 7, 2011, the North American Electric Reliability Corporation (NERC) published Version 5 of the revised Critical Infrastructure Protection (CIP) standards.  You can view the new proposed CIP revisions here.

 

Essentially, this new version includes CIP-002 to CIP-009 plus two new standards, CIP-010 and CIP-011.  NERC has also issued a revised set of NERC glossary definitions.  Finally, they have included a proposed implementation plan.  These documents are up for a formal 60-day comment period through Friday, January 6, 2012.

 

Some key changes in these new Version 5 documents include:

 

  • CIP-002, Version 5, requires the categorization of Bulk Electric System (BES) cyber systems according to “bright line” criteria.  Of note, this is different from the original CIP-002 requirements issued several years ago, where the utilities could use some judgment when declaring critical assets.  Now, the “bright line” criteria are very specific and allow for less interpretation as to whether an asset is critical or not.  The “bright line” criteria also mandate that the different critical cyber assets be identified as “High Impact” and “Medium Impact” on the Bulk Electric System.  (You can get more at this link.)
     
  • Because of the changes to CIP-002 and the new “bright line” criteria, the implementation of CIP-003 through CIP-011 is affected by the new list of defined critical assets and critical cyber assets.
     
  • CIP-010 is a new standard focused on Configuration Management and Vulnerability Assessments, which were previously defined across several CIP standards in Versions 1 through 4.
     
  • CIP-011 is a new standard that defines Information Protection and Media Sanitization requirements, which were previously defined across several standards in Versions 1 through 4.

 

Besides these two new CIP standards and the new Version 5 changes, the Implementation Plan is especially important.  The first key point is that the Version 5 standards shall become effective no sooner than 18 months after approval.  One NERC document states that the Version 5 standards shall “…become effective on the later of January 1, 2015 or the first calendar day of the seventh calendar quarter after the date of the order providing applicable regulatory approval.” (Whew!)

 

Additionally, because the new “bright line” criteria now delineate “High Impact” and “Medium Impact” systems, the utility is obligated to implement the new changes on “High Impact” systems faster than on “Medium Impact” assets.

 

Overall, these changes are both subtle and substantial.  New terms are being injected into the process: “Critical Cyber Assets” are no longer defined but are instead referred to as BES Cyber Systems.  And, of course, the bright line criteria are a step change in how assets are identified and categorized.

 

If you are working with electric utilities, transmission operators, and companies that generate and/or buy and sell electricity on the North American electric grid, I’d suggest you take time to read these revised documents and recognize that electric grid system cybersecurity is continuing to evolve.

 

This blog was also posted on Think Forward.

 

 
