Saturday, June 22, 2013

Comments Submitted to FERC on June 24

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

8/28: In preparing for our V5 webinar last week, I realized there is another problem in CIP-002-5, so I've modified what I'm submitting to FERC.  That post is here.


Following is the exact text I submitted to FERC on June 24, 2013, in response to the request for comments in the April NOPR for NERC CIP Version 5.

I have found many problems with the wording of CIP-002-5, and have decided to rewrite the problematic parts (including the requirements and parts of Attachment 1). 

Note: At this point I submitted the full text of the following three posts (since I'm told FERC doesn't like to see links in the comments).  I will spare you all that verbiage here, but you're encouraged to read these if you haven't done so already.

http://tomalrichblog.blogspot.com/2013/05/my-comments-to-ferc-on-cip-version-5.html

The following are changes I propose to CIP-002-5, based on the reasons discussed in these posts:
1. Change to Section 4.2
I propose to insert the following definition of Asset.  It can be inserted either in Section 4.2 or in the CIP Version 5 Definitions document:
An Asset is a Control Center or a group of one or more Facilities at a single location.

2. Replacement of Requirement R1
I propose to replace CIP-002-5 R1 with the following four requirements:
R1. Each Responsible Entity shall:
R1.1 Implement a process that considers each of the following Assets or Facilities for purposes of Requirement R2:

i. Control Centers and backup Control Centers;
ii. Transmission stations and substations;
iii. Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
R1.2 Develop a list of its Assets or Facilities including each type listed in R1.1.
R2. Each Responsible Entity shall identify its High, Medium and Low impact BES Assets or Facilities in parts 1.1 through 1.3:
2.1  Using the criteria in Attachment 1, Section 1, identify its High impact Assets or Facilities;
2.2  Using the criteria in Attachment 1, Section 2, identify its Medium impact Assets or Facilities;
2.3  After removing High and Medium impact Assets or Facilities from the list of Assets or Facilities developed in R1.2, identify the remaining Assets or Facilities as Low impact.

R3. The Responsible Entity shall identify BES Cyber Assets associated with each High, Medium and Low impact Asset or Facility.  Only BES Cyber Assets located at a High impact BES Asset shall be considered to be associated with the High impact BES Asset.  All BES Cyber Assets associated with an Asset or Facility shall be classified with the impact level of that Asset or Facility.

R4. The Responsible Entity shall identify BES Cyber Systems from groupings of one or more BES Cyber Assets. 

3. Renumber and Change CIP-002-5 R2
Because of the above changes, CIP-002-5 R2 needs to be renamed to CIP-002-5 R5, along with adding the italicized phrases:
R5. The Responsible Entity shall:
2.1 Review the identifications in Requirements R1-R4 and all their parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and
2.2 Have its CIP Senior Manager or delegate approve the identifications required by Requirements R1-R4 and all their parts at least once every 15 calendar months, even if it has no identified items in Requirement R1.

4. Changes to Attachment 1
I propose that the phrases at the beginning of each of the three sections of Attachment 1 (for identifying High, Medium and Low impact Assets respectively) be replaced with the following.  Note that I am not proposing any changes to the criteria themselves and have not reproduced them here:
1. High Impact Rating (H)
Assets or Facilities that meet one or more of the following criteria are High impact:
(followed by existing criteria 1.1 – 1.4)

2. Medium Impact Rating (M)
Assets or Facilities that meet one or more of the following criteria, and are not included in Section 1 above, are Medium impact:
(followed by existing criteria 2.1 – 2.13)

3. Low Impact Rating (L)
Assets or Facilities meeting the applicability qualification in Standard Section 4, which are not included in Sections 1 or 2 above, are Low impact:
(followed by the same list of types of assets as in CIP-002-5 Attachment 1 part 3) 
