My longtime friend Trey Cross emailed me today about something that was mentioned in NERC’s weekly Standards, Compliance and Enforcement bulletin: the initial performance date for four CIP requirement parts is July 1, 2018. This means that, by that date:
- At High impact Control Centers, recovery plans need to be tested with an operational test. Per CIP-009 R2.3, this needs to be done every 36 months.
- At High impact Control Centers, there needs to be an active vulnerability assessment. Per CIP-010 R3.2, R3.2.1 and R3.2.2, this also needs to be done every 36 months.
I verified this by looking at NERC’s spreadsheet for CIP v5 effective dates (available here). Of course, the requirements in question became effective on July 1, 2016, along with the other CIP v5 requirements. But does this mean the entity has until July 1, 2019 to perform these things for the first time? No, it doesn’t.
When CIP version 1 was implemented, most entities assumed that the clock would start running on periodic requirements (like these) on the effective date of the requirement, yet some regions required that the vulnerability assessment be performed before the effective date. Since the v1 standards never said anything about initial performance dates, I doubt that any entities were given violations for not finishing their SVAs on time, but after that snafu the drafting teams always made sure to specify the “initial performance dates for periodic requirements”. Of course, this was done in the case of CIP v5 and v6, so here we are.
I would think that almost all High Control Centers would have done this, but if not… hey, you didn’t have anything else to do on weekends in June, did you?
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss this, you can email me at the same address.
We are getting ready to fulfill R2.3 and in some instances, we do not have a like for like device. Without disrupting the production environment, how can we fulfill this? Thank you in advance. Please email your response to david.levey@avangrid.com