Wednesday, June 19, 2024

Are you confused about what’s going on with NERC CIP-003? If not, you should be…


As seems to happen frequently when new CIP standards are being developed or existing ones are being revised by different drafting teams, the situation with CIP-003 is very confusing now. The "Modifications to CIP-003" drafting team (2023-04) recently posted for comment the link to the first draft of the new CIP-003-11. However, immediately below it they displayed the link to the first draft of CIP-003-12. At first glance, it might seem there will be two versions of CIP-003 in effect soon. Will NERC entities be allowed to choose which one they want to comply with?

Meanwhile, the "CIP Modifications" drafting team has also posted CIP-003-12 (which that team drafted), although they're not soliciting comments on that now. And if you’re not satisfied with just two new versions competing for your attention, there are also versions CIP-003-9, CIP-003-10, CIP-003-Y, and CIP-003-A. All of these are available on one of the two drafting teams’ websites and are still somewhere in the approval process. Isn’t choice wonderful?

Last week, I tried to make sense of all this. Below is what I came up with. Note that I’ve divided my comments into two sections: one describing what the “Modifications to CIP-003” SDT is doing and the other describing what the “CIP Modifications” SDT is doing. Spoiler alert: There will never be more than one version of a NERC Reliability Standard in effect at the same time, although that doesn’t tell us which of these versions will “win out”, or even whether the ultimate winner won’t be a different version like CIP-003-13 or CIP-003-14.

Do you have your scorecards ready? Here we go…the battle of the new CIP-003 versions!

Modifications to CIP-003 Standards Drafting Team:

  1. CIP-003-9 was developed in response to questions that came up when CIP-013, the supply chain security standard, was developed starting in 2016. CIP-013 just applies to medium and high impact BES Cyber Systems. There was concern at the time (on the part of both NERC and Congressional staff members) that there needed to be some supply chain controls that applied to low impact BCS; a survey revealed that the most significant source of supply chain cybersecurity risk to low impact BCS was remote access by vendors. CIP-003-9 was drafted to address these concerns.
  2. In 2021, the NERC Low Impact Criteria Review Team recommended revisions to CIP-003 to require controls for low impact assets to "authenticate remote users, protect the authentication information in transit, and detect malicious communications assets containing low impact BES Cyber Systems with external routable connectivity." The team recommended that these changes be added to CIP-003-9, which was already in development.
  3. Before that could happen, in 2023 FERC approved CIP-003-9, with an implementation date of April 1, 2026. The FERC-approved standard includes what’s in CIP-003-8 (the current version, which came into effect in 2020) plus a new Section 6 in Attachment 1 (on page 23). That section requires "6.1 One or more method(s) for determining vendor electronic remote access; 6.2 One or more method(s) for disabling vendor electronic remote access; and 6.3 One or more method(s) for detecting known or suspected inbound and outbound malicious communications for vendor electronic remote access." 
  4. The new CIP-003-11 consists of CIP-003-9 with language added to Attachment 1. Part of that language is just the vendor remote access language that was in Section 6 of Attachment 1 in CIP-003-9. The drafting team decided to move that into Section 3, where the other Electronic Access Controls are addressed.
  5. The other part of the added language is what was developed to fulfill the 2021 recommendation in item 2 above; it was also added to Section 3. That addition reads, “3.1.3 Authenticate each user prior to permitting access to a network(s) containing low impact BES Cyber Systems, through which user-initiated electronic access applicable to Section 3.1 is subsequently permitted; 3.1.4 Protect user authentication information for user-initiated electronic access applicable to Section 3.1.3 while in transit between the Cyber Asset outside the asset containing low impact BES Cyber System(s) and the authentication system used to meet Section 3.1.3, or the asset containing low impact BES Cyber System(s)”.
  6. The fact that the entire set of language in CIP-003-9 has been incorporated into CIP-003-11 (and also into CIP-003-12; see below), along with the new language recommended by the Low Impact Criteria Review Team in 2021, is a sure indication that CIP-003-9 will not be implemented, even though it has been approved by FERC. In other words, when FERC approves either CIP-003-11 or CIP-003-12, they will also announce that CIP-003-9 will not be implemented.[i]
  7. CIP-003-11 is just entering the comment period before its first ballot now. Most new or revised CIP standards have required at least 4 ballots before they've been approved by NERC; after that, a new standard goes to FERC, which can take 6-18 months to approve it. Finally, there's the implementation period, which will be 3 years (as it is in CIP-003-9). In other words, don't look for CIP-003-8 to be replaced for at least the next 5-6 years.[ii]

CIP Modifications Standards Drafting Team:

Meanwhile, back at the ranch…

While all of this was going on, CIP-003-10 was drafted by the CIP Modifications Drafting Team, which is in the middle of the huge task of adding virtualization to all the CIP standards. The new CIP-003-12 is just a virtualized version of CIP-003-11. Since the virtualization standards (including CIP-003-12) won't come into effect until they all do, and since that day is probably still years away, I think most NERC entities should consider CIP-003-11 to be the next version of CIP-003 they’ll have to comply with.

Are you a vendor of current or future cloud-based services or software that would like to figure out an appropriate strategy for selling to customers subject to NERC CIP compliance? Or are you a NERC entity that is struggling to understand what your current options are regarding cloud-based software and services? Please drop me an email so we can set up a time to discuss this!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] There was one previous case where a complete set of CIP standards, “CIP version 4”, was approved by FERC, yet one year later FERC approved CIP version 5 and said v4 wouldn’t take effect. I remember that incident quite well. In fact, less than a month before FERC announced they would approve v5, I participated in a webinar sponsored by EnergySec (which drew about 600 attendees) entitled “Get Ready for CIP Version 4!” I call this my “Dewey beats Truman moment”. 

[ii] Final approval of CIP-003-11 might also be delayed because before it comes into effect, the CIP changes required to enable full use of the cloud will be developed and ready to come into effect; so, a new version (CIP-003-13?) may be required, that incorporates those changes.
