By Holden Mann

The standard drafting team working on expanding options for entities to manage bulk electric system cyber information (BCSI) (Project 2019-02) is focusing on resolving overlaps both within the affected standards and with other ongoing projects. It hopes to post the proposed standard for final ballot by July 2020.

Participants at this week’s SDT meeting in Phoenix took aim at several recurring themes in industry comments on the draft proposals for standards CIP-004-7, covering cybersecurity personnel and training, and CIP-011-3, covering information protection. One of the most pressing topics of discussion was the perception that the project was expanding beyond its original remit; this was amplified by the SDT for Project 2019-03, which expressed concern that 2019-02 might touch on areas covered by its mandate to tackle cybersecurity supply chain risks, including revising CIP-013.

Supply Chain Conflict Ironed out

“We have … met several times with the CIP-013 team. I think we have a way forward on how to [address] any duplication with our standards and CIP-013 risk assessment,” said SDT Chair John Hansen, of Exelon.

The conflict between the teams centers on language in CIP-011-3 concerning cloud storage providers that might be used by responsible entities. Under the most recent proposal, the standard would require entities to perform initial risk assessments of vendors when they first contracted with them and follow-on assessments every 15 months. However, the proposal for CIP-013-2 also includes a requirement for entities to perform risk assessments on third-party service providers, leading to fears of contradiction between the two standards.

In a compromise, the 2019-02 SDT agreed to remove the language mandating risk assessments and replace it with a requirement that entities “implement one or more documented BES cyber system information risk management method(s)” to address data governance and rights management; protection of relevant cyber information; data sovereignty and transformation; physical and personnel security; certification; and business agreements. Members of the team for 2019-03 said the change would make the two standards complementary.

“My first gut reaction here is that this is something that might be in combination with what’s in CIP-013. In CIP-013, you’re actually looking at the vendor, but with [2019-2] you’re … doing risk management on … how are they going to protect your data,” Tony Hall of LG&E and KU said. “To me this seems completely different than what we saw the first time, so I give you guys credit for that.”

Team Seeks Clarity on Location Requirements

Other changes to CIP-011-3 in response to industry comment include removing requirements for processes to “authorize access to BES cyber system information based on need” and to “identify applicable BES cyber system information storage locations.” These requirements were originally part of the proposal for CIP-004-7 but were moved to CIP-011-3 because the SDT felt they focused on information security. However, after reviewing industry feedback, team members decided to keep them with the personnel- and training-focused CIP-004 for the sake of clarity.

“It might have been a small misstep for us when we added the BCSI location section to [CIP-011-3],” said Vice Chair Josh Powers, of SPP. “It seemed to conflict with what we were trying to do. It made sense, probably, at the time, but I think it does run into the philosophical difference [with] where we’re headed.”

The drafting team plans to make further modifications to the proposal at its next in-person meeting March 17-19 and submit the proposal for quality review by the beginning of April. Once quality review is completed, the standard will be posted for additional comment from May 7 to June 21, with the final ballot in July. NERC’s Board of Trustees will consider the proposal for adoption at its meeting on Aug. 19 in Vancouver, Canada.