Friday, August 24, 2018

What’s the SDT up to nowadays?

The CIP Modifications Standards Drafting Team seems to have about eight different pots cooking on the stove now. I wrote in July about their new direction on virtualization – which by the way might in the process produce some much-needed reform in the whole structure of the CIP standards; and if you own a Control Center you are probably familiar with the current drafting and balloting on CIP-012. But someone who follows what the SDT is doing much more closely than I can is Mike Johnson.

Yesterday, Mike put up two posts related to the revised standards posted for comment and balloting by the SDT earlier this week. The first post is about CIP-003-8 (yes, folks, just after FERC approved CIP-003 version 7, now we’re up to version 8!). The reason is that, when FERC approved CIP-003-7, they pointed out that the new requirement for Transient Cyber Assets used at Low impact assets only required, for TCA and RM (Removable Media) owned by a third party like a vendor, that the Responsible Entity review the controls the third party had in place to prevent malware; it didn’t require the RE to do anything if the review revealed the third party didn’t have adequate controls in place to prevent malware.

Of course, the idea that any NERC entity (either a Responsible or an Irresponsible Entity) would take no action if it decided a particular vendor wasn’t doing a good job of preventing its own devices from infecting the entity’s systems is pretty far-fetched. But FERC wanted an abundance of caution, so they ordered that this deficiency be corrected. That was done by adding Section 5.2.2 to Attachment 1, which reads “For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the Transient Cyber Asset.”

The second post is about CIP-002-6. This might be surprising to those who haven’t been following Mike’s blog closely. The original reason for amending CIP-002-5 was to revise criterion 2.12 of Attachment 1, which specifies which Control Centers owned by Transmission Owners should be classified as Medium impact. You may know that this change was approved by 93% of the ballots in May. So why does there need to be another ballot for CIP-002-6? The reason is that, as Mike explains in his second post from yesterday, it was announced in June that FAC-010-3 would be retired (no word on whether a gold watch will be presented). One consequence of this is that two terms from that standard will be changed. Since those terms are currently referred to in criteria 2.6 and 2.9 of Attachment 1, those criteria needed to be changed to reflect this.

Mike also provides some good advice on how to cast ballots (which he has included in previous posts as well).

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.