October 5, 2024
NERC Opens Comments on CIP Changes
NERC is accepting comment on proposed changes to several CIP reliability standards intended to “incorporate virtualization and future technologies."

The standards drafting team (SDT) for NERC’s Project 2016-02 is accepting comments through 8 p.m. March 22 on proposed changes to the ERO’s Critical Infrastructure Protection (CIP) reliability standards that are intended to “incorporate virtualization and future technologies.”

Ballot pools are being formed through Feb. 19, and initial ballots and nonbinding polls will be conducted March 12 to 22. NERC is conducting a separate ballot and poll for each of the affected standards, so entities must join the pools for all of the standards on which they wish to comment.

Broad Scope for Proposed Updates

NERC’s Standards Committee approved the posting at its meeting last week. (See NERC Seeks Faster Pace for Standards Postings.) The standard 45-day comment period was extended to 60 days because of the project’s scope, with proposed revisions to 11 standards:

      • CIP-002-7 — Bulk electric system cyber system categorization
      • CIP-003-9 — Security management controls
      • CIP-004-7 — Personnel and training
      • CIP-005-8 — BES cyber system logical isolation
      • CIP-006-7 — Physical security of BES cyber systems
      • CIP-007-7 — Systems security management
      • CIP-008-7 — Incident reporting and response planning
      • CIP-009-7 — Recovery plans for BES cyber systems
      • CIP-010-5 — Configuration change management and vulnerability assessments
      • CIP-011-3 — Information protection
      • CIP-013-3 — Supply chain risk management

At last week’s meeting, NERC Manager of Standards Development Soo Jin Kim explained that the project had been “lying in wait for a little while” because of active comment periods involving some of the same standards; as a result of that delay, the SDT had more time than most teams to fold additional proposed changes into the posting.

“What we have before you today is work that has culminated after many months; the team has waited, and now they will put forth all of their modifications in this package before you today,” Kim said.

In addition to general commentary on proposed standards, the SDT posed 18 questions for industry respondents relating to specific changes. Significant updates include:

      • modifications to CIP-002 and CIP-005 expanding their scope to encompass virtual machines;
      • requirements regarding the types of software to be used when conducting vulnerability assessments before connecting physical or virtual cyber assets;
      • mandatory confidentiality and integrity protections for data passing between multiple physical security perimeters;
      • allowing cryptographic erasure in scenarios where BES cyber information “cannot be mapped to particular disks in virtualized storage”; and
      • applying CIP exceptional circumstances, which allow utilities to temporarily waive certain CIP obligations, to additional requirements in CIP-004, CIP-006 and CIP-010.

The team also put forward for industry comment a number of new, modified or retired definitions for terms in NERC’s glossary, along with the implementation plan for the revised CIP standards and definitions. Under that plan, the standards and definitions will take effect on the first day of the first calendar quarter that is 24 months after their approval by FERC, unless an entity elects to implement them earlier. The SDT asked respondents to suggest an alternate effective date if preferred, along with an explanation of the work and time requirements to justify the change.

