The CIP Modifications Standards Drafting Team seems to have about eight different pots cooking on the stove now. I wrote in July about their new direction on virtualization – which, by the way, might in the process produce some much-needed reform in the whole structure of the CIP standards; and if you own a Control Center you are probably familiar with the current drafting and balloting on CIP-012. But someone who follows what the SDT is doing much more closely than I can is Mike Johnson.
Yesterday, Mike put up two posts related to the revised standards posted for comment and balloting by the SDT earlier this week. The first post is about CIP-003-8 (yes, folks, just after FERC approved CIP-003 version 7, we’re already up to version 8!). This is because, when FERC approved CIP-003-7, they pointed out that the new requirement for Transient Cyber Assets (TCAs) used at Low impact assets only required, for TCAs and Removable Media (RM) owned by a third party such as a vendor, that the Responsible Entity review the controls the third party had in place to prevent malware; it didn’t require the RE to do anything if that review revealed the third party didn’t have adequate controls in place.
Of course, the idea that any NERC entity (either a Responsible or an Irresponsible Entity) would take no action if it decided a particular vendor wasn’t doing a good job of preventing its own devices from infecting the entity’s systems is pretty far-fetched. But FERC wanted an abundance of caution, so they ordered that this deficiency be corrected. That was done by adding Section 5.2.2 to Attachment 1, which reads: “For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the Transient Cyber Asset.”
The second post is about CIP-002-6. This might be surprising to those who haven’t been following Mike’s blog closely. The original reason for amending CIP-002-5 was to revise criterion 2.12 of Attachment 1, which specifies which Control Centers owned by Transmission Owners should be classified as Medium impact. You may know that this change was approved by 93% of the ballots in May. So why does there need to be another ballot for CIP-002-6? The reason is that, as Mike explains in his second post from yesterday, it was announced in June that FAC-010-3 would be retired (no word on whether a gold watch will be presented). One consequence is that two terms from that standard will be changed. Since those terms are currently referenced in criteria 2.6 and 2.9 of Attachment 1, those criteria needed to be changed to reflect this.
Mike also provides some good advice on how to cast ballots (which he has included in previous posts as well).
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.