At the NERC CIPC meeting last week in Louisville, KY, Tobias Whitney of NERC summarized the main issues that the Standards Drafting Team will address in CIP version 7 (although the dreaded term “version 7” was not mentioned, of course). Included in his slides was one that listed what FERC had mandated for the next version when they approved CIP v6 in Order 822 in January. The items listed were[i]:
- Protection of transient electronic devices used at low-impact bulk electric system cyber systems,
- Protections for communication network components between control centers, and
- Refinement of the definition for Low Impact External Routable Connectivity (LERC).
Being very astute on these matters, I immediately noticed that one item had been left off this list: protection of data in motion between control centers (you can find my interpretation of what FERC ordered in the second post linked above). I pointed this out to Tobias, and he admitted this was a mistake and said it would be fixed.
Indeed, the website for NERC’s new “Project 2016-02 Modifications to CIP Standards” also lists three points as above, but one of them is now “Develop modifications to the CIP Reliability Standards to require responsible entities to implement controls to protect, at a minimum, communication links and sensitive bulk electric system data communicated between bulk electric system Control Centers in a manner that is appropriately tailored to address the risks posed to the bulk electric system by the assets being protected (i.e., high, medium, or low impact).”
You’ll notice that this point now includes both “communication links” (which I assume means basically the same thing as “network components” in Tobias’ slides) and “sensitive bulk electric system data communicated…” I believe this latter phrase addresses what FERC was asking for in Order 822 when they stated “..we find that additional measures to protect both the integrity and availability of sensitive bulk electric system data are warranted.” I think it would be clearer if these two items were in separate bullet points, but this does address what I brought up at the CIPC meeting.
However, I now realize that, in my post on Order 822, I identified five changes that were mandated, not just four. The fifth one (also not mentioned by Tobias) is protection of “data at rest” inside Control Centers. Unlike data in motion between Control Centers, the mandate to protect data at rest was not hinted at in FERC’s NOPR last summer. Yet FERC makes it clear they want these protections in the Order when they say “NERC’s response to the directives in this Final Rule should identify the scope of sensitive bulk electric system data that must be protected and specify how the confidentiality, integrity, and availability of each type of bulk electric system data should be protected while it is being transmitted or at rest (my emphasis).”
As I stated in my post on Order 822, this new mandate might well be the most important, especially in terms of the amount of effort it will take to turn it into requirements, and for NERC entities to comply with those requirements. This is a whole new expansion of the scope of NERC CIP, but it has to be addressed. After all, FERC wants it.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] These are NERC’s words, not mine. These three items are listed in the email that NERC sent out last week which announced the CIP Technical Conference in Atlanta on April 19. Since Tobias’ slides haven’t been released yet, I can’t confirm they had this exact wording; however, I’m sure that substantively it was the same.