Industry Unsold on NERC Virtualization Proposals
Responses Highlight Complexity of New Requirements
NERC’s proposed virtualization-related updates to its critical infrastructure protection standards are headed for another round of revisions.

NERC’s proposed virtualization-related updates to its critical infrastructure protection standards are headed for another round of revisions after an extended public comment period revealed widespread industry skepticism about the planned changes.

Comments for Project 2016-02 (Modifications to CIP standards) closed on Monday following a 60-day posting. (See NERC Seeks Faster Pace for Standards Postings.) NERC’s Standards Committee voted to extend the standard 45-day comment period because of the scope of the project, with revisions proposed for 11 standards:

  • CIP-002-7 — Bulk electric system cyber system categorization
  • CIP-003-9 — Security management controls
  • CIP-004-7 — Personnel and training
  • CIP-005-8 — BES cyber system logical isolation
  • CIP-006-7 — Physical security of BES cyber systems
  • CIP-007-7 — Systems security management
  • CIP-008-7 — Incident reporting and response planning
  • CIP-009-7 — Recovery plans for BES cyber systems
  • CIP-010-5 — Configuration change management and vulnerability assessments
  • CIP-011-3 — Information protection
  • CIP-013-3 — Supply chain risk management

At January’s Standards Committee meeting, NERC Manager of Standards Development Soo Jin Kim explained that the standard development team (SDT) had more time than usual to add changes to the proposal because the project had been “lying in wait” while active comment periods involving some of the same standards ran their course. As a result, the team decided to “put forth all of their modifications in [the same] package.”

Industry Warns of SDT Overreach

Project 2016-02 began in response to FERC Order 822, which directed NERC to modify the CIP standards to:

  • provide mandatory protection for transient devices used at low-impact BES cyber systems based on their risk to BES reliability;
  • require responsible entities to implement controls protecting communication links and sensitive BES data communicated between control centers; and
  • provide “needed clarity” to the definition of low-impact external routable connectivity.

Proposed updates include expanding the scope of CIP-002 and CIP-005 to apply to virtual machines, new requirements for the type of software to be used in vulnerability assessments before connecting physical or virtual cyber assets, and mandatory confidentiality and integrity protections for data passing between physical security perimeters. The team also put forward a number of new, modified or retired definitions for terms in NERC’s glossary, along with the implementation plan.

However, none of the proposed standards met the two-thirds segment-weighted threshold required for approval. Results ranged from 53.26% for CIP-009-7 to 26.30% for CIP-005-8.

A common criticism among industry stakeholders was that the team seemed to have focused on numerous small details involving virtualization and cloud devices while not paying the same amount of attention to how those pieces fit together into a broader whole. In a comment endorsed by several other respondents, the Midwest Reliability Organization’s NERC Standards Review Forum said the current standards “could be revised more efficiently to … ensure the virtualization security objectives are met, reduce the impact to entities’ programs and provide greater clarity to auditors.”


The Tennessee Valley Authority pushed on this theme as well, arguing that in trying to encompass all situations, the SDT may have inadvertently bound the new requirements to particular software and hardware architectures. In the rapidly changing world of technology, these specifications could rapidly become obsolete, TVA said.

“[We support] an approach that embraces innovative technologies that enhance security and reliability, [but] the proposed changes are myopic in requiring differentiation in virtualization technologies supporting [computer], network and storage resources,” TVA said. “These distinctions are becoming increasingly indistinguishable as virtualization technologies evolve. Modern standards should make no distinctions in the treatment thereof, so as not to preclude adoption of emergent technology.”

While other respondents were more understanding of the need for detail, worries remained about the level of complexity in the new standards, reflected in the proliferation of language dealing with various types of access and control systems, broken down further into virtual and physical versions. Duke Energy suggested that the team either pursue further revisions to ensure “a coherent approach to compliance,” or pare back the changes in the interest of consistency with prior terminology.

“SDT’s approach solves certain problems with virtualization, but in doing so, creates discrepancies in how the standards are applied between traditional and newer technologies,” Duke said. “The creation of additional ‘device types’ while not resolving the overall inconsistency in treatment of devices … may confuse entities and auditors.”

