Today, FERC issued Order 843, approving CIP-003-7. The order has several notable features, which I'll address one by one.
The most important feature is NERC's revision of the requirement for electronic access controls at Low impact assets (and with it, retirement of the terms LERC and LEAP. Gents, we hardly knew ye! There was endless debate about both of your meanings, and now you've met your untimely end without ever having come into effect. Requiescat in pace). FERC approved this "requirement" without ordering any further changes (as expected), and it also approved the Implementation Plan (also as expected).
As I discussed last week, the fact that FERC approved CIP-003-7 today seems to assure that it will come into effect on January 1, 2020.[i] It also means that the "requirements" for physical and electronic access controls for Lows, found in Sections 2 and 3 of Attachment 1, will never come into effect (although technically they won't be retired until 1/1/20. But they'll be the living dead, since they will expire and be replaced by their CIP-003-7 equivalents on that date). So, as I said last week, September 1 of this year is now just Saturday of Labor Day weekend, not the great D-Day when the "LERC/LEAP" requirement becomes enforceable. Enjoy your long weekend!
The second important feature of the Order – and one that is controversial, although not unexpected, since it was foreshadowed in FERC's NOPR last October – is the new requirement for Transient Cyber Assets used at Low impact assets. As I said[ii] at the time, FERC had a problem with the language in Section 5.2, which deals with Transient Cyber Assets owned by third parties (usually vendors coming into the substation or generating station to maintain or modify code on their devices).
FERC's objection is that, while Section 5.2 provides a number of examples of steps the entity could take to "mitigate the threat of malicious code" on third-party-managed devices, they all start with the words "Review of", followed by possible mitigations the third party might have implemented. What 5.2 doesn't say is what the entity should do if the review turns up the finding that whatever steps the third party is taking are inadequate; in theory, the NERC entity could just decide to let the third party use their TCAs (usually laptops) at the asset, and not be held in violation.
NERC assured FERC that the entity would still be found in violation, since Section 5 itself says the entity has to implement a plan "to achieve the objective of mitigating the risk of the introduction of malicious code." This argument certainly would hold for Section 5.1 (for TCAs managed by the Responsible Entity), since all of the options listed there are clearly mitigation options. But FERC obviously doesn't believe the argument holds for Section 5.2, since it just requires review of the third party's mitigation measures. It doesn't require the entity itself to take any specific measures if that review reveals issues.
In practice, I think it's safe to say the NERC Regions would issue a violation if they found an entity had allowed an infection to enter a substation from a third-party TCA, even though their review of the third party had already found it had deficient practices. But I agree with FERC that this really should be in the requirement itself, not just be an implied requirement (there are way too many of those already in CIP!).
Of course, Section 5 of CIP-003-7 will still come into effect as written when the standard does. But the CIP Modifications drafting team will soon need to start drafting language to address FERC's concern, followed by balloting and approval by NERC and FERC. This revised standard will be CIP-003-8. The first v8 CIP standard!
The last important feature of the Order has to do with FERC's statement in the NOPR that they were considering ordering further electronic access controls on Low impact BES Cyber Systems, such as passwords. To the uninitiated in the ways of CIP, it might seem that ordering passwords in – let me check my calendar. Yes, it's 2018! – is hardly a radical move. And I'm sure there are very few Cyber Assets anywhere in the Bulk Electric System that don't have passwords. But to enforce this requirement would mean that NERC entities with Low assets would have to maintain an inventory of all Cyber Assets and BES Cyber Systems at Low assets. CIP version 5 would never have been approved by the NERC ballot body in 2012 if it hadn't contained the provision in CIP-002-5.1 (stated twice there) that an inventory of Low BCS isn't required.
However, this sacred principle has been maintained, since FERC decided not to order that NERC develop a new requirement (or requirements) for further electronic access controls for Low BCS. Instead, FERC has ordered that NERC conduct a study of whether further electronic access controls at Lows might be needed, following the implementation of CIP-003-7. They want NERC to turn this study in to them 18 months after the effective date of the standard, or a little more than three years from now. You might want to mark that date on your 2021 calendar.
There are a few other features in the Order, but I'll let you read those for yourselves. For heaven's sake, I can't do everything for you!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.
[i] Since technically the Order isn't effective until 60 days after it is published in the Federal Register, this could be pushed back to April 1, 2020 if the Order isn't published by the end of April. I don't think that's likely, though.
[ii] Paragraphs 4 and 5 of the linked post discuss this issue and FERC's reasoning.