Today, FERC issued Order 843, approving CIP-003-7. The order has several notable features, which I’ll address one-by-one.
The most important feature is NERC’s revision of the requirement for electronic access controls at Low impact assets (and, with that, the retirement of the terms LERC and LEAP. Gents, we hardly knew ye! There was endless debate about both of your meanings, and now you’ve met your untimely end without ever having come into effect. Requiescant in pace). FERC approved this “requirement” without ordering any further changes (as expected), and it also approved the Implementation Plan (also as expected).
As I discussed last week, the fact that FERC approved CIP-003-7 today seems to ensure that it will come into effect on January 1, 2020.[i] It also means that the “requirements” for physical and electronic access controls for Lows, found in Sections 2 and 3 of Attachment 1 of CIP-003-6, will never come into effect (although technically they won’t be retired until 1/1/20; until then they’ll be the living dead, since they will expire and be replaced by their CIP-003-7 equivalents on that date). So, as I said last week, September 1 of this year is now just the Saturday of Labor Day weekend, not the great D-Day when the “LERC/LEAP” requirement becomes enforceable. Enjoy your long weekend!
The second important feature of the Order – and one that is controversial, although not unexpected since it was foreshadowed in FERC’s NOPR last October – is the new requirement for Transient Cyber Assets used at Low impact assets. As I said[ii] at the time, FERC had a problem with the language in Section 5.2, which deals with Transient Cyber Assets owned by third parties (usually vendors coming into the substation or generating station to maintain or modify code on their devices).
FERC’s objection is that, while Section 5.2 provides a number of examples of steps the entity could take to “mitigate the threat of malicious code” on third-party-managed devices, they all start with the word “Review of”, followed by possible mitigations the third party might have implemented. What 5.2 doesn’t say is what the entity should do if the review turns up the finding that whatever steps the third party is taking are inadequate; in theory, the NERC entity could just decide to let the third party use their TCAs (usually laptops) at the asset, and not be held in violation.
NERC assured FERC that the entity would still be found in violation, since Section 5 itself says the entity has to implement a plan “to achieve the objective of mitigating the risk of the introduction of malicious code.” This argument certainly would hold for Section 5.1 (for TCAs managed by the Responsible Entity), since all of the options listed there are clearly mitigation options. But FERC obviously doesn’t believe the argument holds for Section 5.2, since it only requires review of the third party’s mitigation measures. It doesn’t require the entity itself to take any specific measures if that review reveals issues.
In practice, I think it’s safe to say the NERC Regions would issue a violation if they found an entity had allowed an infection to enter a substation from a third-party TCA, even though their review of the third party had already found they had deficient practices. But I agree with FERC that this really should be in the requirement itself, not just be an implied requirement (there are way too many of those already in CIP!).
Of course, Section 5 of CIP-003-7 will still come into effect as written when the standard does. But the CIP Modifications drafting team will soon need to start drafting language to address FERC’s concern, followed by balloting and approval by NERC and FERC. Of course, this revised standard will be CIP-003-8. The first v8 CIP standard!
The last important feature of the Order has to do with FERC’s statement in the NOPR that they were considering ordering further electronic access controls on Low impact BES Cyber Systems, such as passwords. To the uninitiated in the ways of CIP, it might seem that ordering passwords in – let me check my calendar. Yes, it’s 2018! – is hardly a radical move. And I’m sure there are very few Cyber Assets anywhere in the Bulk Electric System that don’t have passwords. But to enforce this requirement would mean that NERC entities with Low assets would have to maintain an inventory of all Cyber Assets and BES Cyber Systems at Low assets. CIP version 5 would never have been approved by the NERC ballot body in 2012 if it hadn’t contained the provision in CIP-002-5.1 (stated twice there) that an inventory of Low BCS isn’t required.
However, this sacred principle has been maintained, since FERC decided not to order that NERC develop a new requirement(s) for further electronic access controls for Low BCS. Instead, FERC has ordered that NERC conduct a study of whether further electronic access controls at Lows might be needed, following the implementation of CIP-003-7. They want NERC to turn this study in to them 18 months after the effective date of the standard, or a little more than three years from now. You might want to mark that date on your 2021 calendar.
There are a few other features in the Order, but I’ll let you read those for yourselves. For heaven’s sake, I can’t do everything for you!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.
[i] Since technically the Order isn’t effective until 60 days after it is published in the Federal Register, this could be pushed back to April 1, 2020 if the Order isn’t published by the end of April. I don’t think that’s likely, though.
[ii] Paragraphs 4 and 5 of the linked post discuss this issue and FERC’s reasoning.