I spent most of the last week travelling to or attending two regional meetings: SPP’s CIP Workshop in Little Rock and WECC’s Low Impact Workshop in Salt Lake City. Both meetings were very well run and quite informative. Below are some high points I took away from the SPP meeting. My next post will do the same for the WECC meeting.
Before I start that, I want to point out that you can find all of the presentations from the SPP meeting here. They are all in one big file, but it downloads pretty quickly. There will also be videos of the presentations; you will be able to find them here. The WECC presentations are here.
While all of the presentations at SPP were good, I got the most out of Scott Mix’s presentation on how NERC will audit for compliance with the Low impact requirements. I had seen him do this presentation at RF’s CIP workshop in April, but there were a lot of points he made at SPP that I didn’t remember from then (of course, it’s possible he had made some changes. I highly recommend watching the video when it’s available).
Scott first addressed the question whether a list of Low impact BES Cyber Systems is actually required, even though the requirements practically do back flips to say it isn’t. This is a huge issue (it was at the WECC workshop as well). I think Scott did a very good job of addressing this, and rather than try to summarize what he said, I’ll just refer you to his discussion starting on slide 4.
One of the main points of Scott’s presentation was that, when it comes to Low impact assets, the idea of randomly sampling them to decide what to audit goes out the window. Since Low impact assets vary widely in terms of their impact on the BES, the focus of Low impact audits will always be on the most important assets. One example of this has to do with 1500+MW plants that are called out in criterion 2.1. If the entity is claiming a plant is segmented so that there are no Medium impact BES Cyber Systems, that plant will definitely be visited during the audit. In a similar vein, Scott pointed out that a substation that has multiple lines but doesn’t meet criterion 2.5 will “get more attention” than one with just a single line.
He discussed three areas where both Lows and Mediums have requirements (starting on slide 39). For incident response plans and awareness programs, Scott suggested it’s probably a lot easier for entities that have both Medium and Low impact assets to just use the Medium procedures. That way, people who aren’t working with CIP day-to-day can just refer to a single procedure, rather than have to figure out whether an asset is Medium or Low impact. He also mentioned that “configuration and management” procedures may be similar for LEAPS (Low impact Electronic Access Points) as for EACMS containing EAPs (of course, EACMS and EAP only come into play for Mediums. An EAP is an interface, which is part of an EACMS).
While the remaining presentations were all good[i] (although I had to miss the half-day session on Wednesday to get to Salt Lake City for the WECC meeting), I want to call your attention to the last presentation of the day by Robert Vaughn and Shon Austin, who are both SPP auditors (starting on slide 242). It is titled “Observations from our CIP V5 Outreach Visits”, and it’s based on a set of visits they evidently did to SPP entities to review their preparedness for v5 compliance.
I’ll let you read their slides (and see the video when it’s available), but I’ll say now that their presentation seems to raise some serious questions about how prepared NERC entities will really be for CIP v5 on July 1 (although, since I wasn’t there for the presentation, I’ll admit it’s possible that their spoken words may mitigate what seems to be the purport of their slides – I’m looking forward to the video!). It looks like I may have to revise my April Fool’s Day post.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] Kevin Perry of SPP gave a presentation (starting on slide 225) entitled “Could CIP Standards have Prevented the Ukraine Attack?” I missed that, but I will definitely watch the video when it’s available.