NERC opened 45-day comment periods last week for proposed reliability guidelines on winter weather readiness and supply chain procurement, as well as on planned changes to its Critical Infrastructure Protection (CIP) standards.
Comments will be accepted on the reliability guidelines through 5 p.m. Sept. 21 and through 8 p.m. Sept. 21 for the CIP standards. In addition, ballots for the standards and implementation plan, along with nonbinding polls for associated violation risk factors and severity levels, will be conducted Sept. 11 to 21.
NERC Adds Detail to Winter Guideline
The proposed changes to the winter weather guideline were developed during the regular three-year review process for NERC reliability guidelines. The guideline is currently in its second version, approved in July 2017.
Updates in the most recent draft guideline include replacing references to the Operating, Planning and Critical Infrastructure Protection committees with the new Reliability and Security Technical Committee (RSTC), along with adding detail to the existing guideline’s recommendations for evaluating the readiness of critical components.
New to the recommendations is a clear deadline for finishing winter-related inspections, repairs and upgrades by the local first frost date as set by the National Oceanic and Atmospheric Administration. The guideline also adds lubricants, batteries, uninterruptible power supply systems, and heat tracing and ventilation systems to the list of components that utilities should check for winter readiness.
The winter reliability guideline is separate from the proposed cold weather standard currently under development by NERC (Project 2019-06). Some industry stakeholders have questioned the need for mandatory standards on the grounds that the existing guidelines should be sufficient, but NERC representatives have pointed to ongoing issues with cold weather as a reason for continuing the project. (See Cold Weather SDT Planning February Posting.)
“Out of the past 12 years, there have been six blackouts [from extreme cold] — that is a problem. … Obviously, the NERC guidelines may not be enough,” NERC Senior Standards Developer Jordan Mallory said at a meeting of the SAR drafting team in January.
Draft Supply Chain Guidelines Use Broad Strokes
NERC’s proposed supply chain procurement language guideline was developed under the Critical Infrastructure Protection Committee but moved to the RSTC following the merger of the technical committees. The guideline focuses on helping organizations implement effective controls in procurement agreements to prevent exposing themselves to cyberattacks through equipment purchases.
“Regulators have challenged the levels of rigor regarding risk management practices that organizations claim to have attained,” the guideline says. “Remedies applied through the inclusion of targeted controls in the procurement of cyber systems, components, maintenance and related services can assist in the development of a ‘risk-based’ approach to cybersecurity.”
Currently the guideline is in its first draft, so it lacks specific measures for entities to adopt. Instead, the document focuses on broader principles that utilities can follow in their contracts with suppliers, such as identifying cybersecurity risks that might be in play with a particular vendor and specifying audit mechanisms and metrics to ensure vendors are complying with needed changes.
However, the guideline does incorporate links to documents from organizations, including the Energy Sector Control Systems Working Group and the Utilities Technology Council, with more detailed examples of procurement language.
Project 2019-02 Nears Completion
The comment and balloting period for reliability standards CIP-004-7 and CIP-011-3 is hoped to be the last for Project 2019-02, which is focused on clarifying the requirements for access to BES cyber system information (BCSI) and establishing guidelines for encryption or other methods to protect such information.
Both standards saw relatively few changes from the last posting: In the case of CIP-004-7, the only significant change is the addition of a new requirement that responsible entities “implement one or more documented access management program(s) for [BCSI]” along with a table defining what such programs must consist of. Changes to CIP-011-3 include clarifying requirements for the reuse and disposal of BES cyber assets and for the components of entities’ information protection programs.
The latest posting also incorporates language previously agreed between the teams for Project 2019-02 and Project 2019-03 to address concern about potential overlaps between their projects. The conflict centered on risk assessments for cloud storage providers, which both groups saw as their domain; however, earlier this year the team for Project 2019-02 agreed to leave specific risk assessment language to the other team and keep its focus on broader questions of risk management. (See CIP Teams Compromise on Cloud Risk Assessment.)