Changes to CIP-014 Receive FERC Approval
Standard Update Removes On-site Data Storage
Glen Canyon substation in Arizona. CIP-014-2 is intended to ensure that transmission substations are protected from physical attacks that could result in damage to the bulk electric system. | foam, CC BY-SA 2.0, via Wikimedia Commons
FERC approved NERC's removal of language from CIP-014 requiring compliance evidence to be stored on site.

FERC on Thursday approved an update to NERC’s reliability standard on physical security, removing a requirement that is no longer needed (RD22-3).

The order puts into place a new standard, CIP-014-3, to replace the existing standard CIP-014-2. NERC’s Board of Trustees approved the new standard at its meeting in February. (See “Additional Approvals,” NERC Board of Trustees/MRC Briefs: Feb. 10, 2022.)

At issue is language in the “Compliance” section of CIP-014-2 that requires transmission owners and operators to retain “all evidence demonstrating compliance” with the standard at the relevant facilities. NERC told FERC in its filing that while this provision “presents challenges to effective and efficient compliance monitoring” because auditors must visit the sites in question to see the data, it was considered necessary in light of the sensitivity of this information.

That assessment has changed following the introduction of the Secure Evidence Locker (SEL), which went live alongside the Align Software Platform in March 2021 for the Texas Reliability Entity, the Midwest Reliability Organization and NERC, and for the rest of the ERO Enterprise in May of that year. (See ERO Align Tool Goes Live for NERC, MRO, Texas RE.)

NERC conceived of the SEL as a way to provide secure digital storage where confidential information collected as evidence can be kept separate from work papers managed through the Align tool. Regional entities are not required to use NERC’s SEL if they construct their own lockers, as long as those lockers meet certain reliability and security specifications provided by the ERO.

With the SEL available, NERC told FERC that entities no longer need to worry about CIP-014 evidence being mishandled because it can be stored in the same secure location as all other evidence in the compliance monitoring and enforcement program (CMEP). As a result, the ERO asked the commission to remove the requirement for on-site storage.

EEI Raises Security Concerns

The proposal did not go without criticism from industry; after NERC submitted the new standard to FERC in February, the Edison Electric Institute filed an objection with the commission. EEI reminded FERC that because of the “critical and highly sensitive nature” of the information documenting CIP-014 compliance, it is not widely available even within utilities and that stakeholders “go to great lengths to protect the identity of the assets and other sensitive information.”

The institute also said that, far from providing additional levels of security, the SEL added risk by aggregating sensitive information from across the industry in a single place that could be attacked by a malicious actor. It argued that the commission should allow registered entities “more flexibility … to select the most secure methods for providing CIP-014 compliance data.”

FERC rejected EEI’s argument, responding that the SEL is not a “novel and untested” idea; the commission cited NERC’s 2020 petition for funding the SEL, in which the ERO stated that at least two REs already used similar lockers to collect CIP-related evidence. FERC’s order noted that NERC already uses the SEL to store evidence for other CIP standards, indicating “that it is a well established and secure method of evidence review.” It also observed that all data stored in the SEL are encrypted, are not backed up and are destroyed as soon as the CMEP engagement is done.

The standard became effective immediately upon FERC’s approval.
