November 28, 2024
NERC Committee Greenlights Shortened INSM Comments
Standards Committee Chair Todd Bennett, AECI
Standards Committee Chair Todd Bennett, AECI | NERC
|
NERC’s Standards Committee remains focused on meeting FERC’s deadlines, granting another waiver to authorize shortening the comment and ballot periods for the ERO’s proposed standard on internal network security monitoring. 

NERC’s Standards Committee remains focused on meeting FERC’s deadlines, granting another waiver at its meeting Feb. 21 to authorize shortening the comment and ballot periods for the ERO’s proposed standard on internal network security monitoring (INSM). 

FERC directed NERC in January 2023 to submit standards requiring utilities to implement INSM at certain grid cyber systems (all high-impact systems, and medium-impact systems with external routable connectivity) by July 9, 2024. (See FERC Orders Internal Cyber Monitoring in Response to SolarWinds Hack.) The standard is being developed under Project 2023-03. 

The approaching deadline for Project 2023-03 was already on the committee’s radar. At its August meeting, members used their authority under NERC’s Standards Processes Manual to authorize shortening the initial formal comment and ballot period from the standard 45 days to as few as 30, and shortening additional comment periods to as few as 20 days. (See NERC Committee Agrees to Shortened Standard Comments.) 

Since the August meeting, the standards drafting team has posted its proposed standard, CIP-007-X (Cybersecurity – systems security management), for an initial comment and ballot period, which ran from Dec. 14 to Jan. 17. The standard failed to pass, reaching only a 15.42% segment-weighted approval. 

Alison Oswald, NERC’s manager of standards development, told the committee that as a result of feedback received during this comment period, the SDT decided that rather than updating an existing standard, it would be best to create a completely new standard, CIP-015-1. This move did not require the committee’s approval, but the team did seek authorization to further shorten additional comment and ballot periods for the standard — after the next one, already scheduled to begin Feb. 27 and last for 20 days — to as little as 10 days. 

While attendees of the meeting had no objection to the request itself, they did request that NERC staff clarify a point of possible confusion: As Oswald explained, the decision to draft a new standard meant the comment period would be listed in NERC’s balloting system as an initial ballot, rather than a follow-up round. After Oswald confirmed that staff would do their best to make sure industry understood the issue, members voted unanimously to approve the shortened comment period. 

Ironically, before the committee authorized shortening the comment period for 2023-03, Oswald had informed it that the initial ballot period for another project — Project 2022-03 (Energy assurance with energy-constrained resources) — had been inadvertently extended. 

The ballot pools for this project were to be opened Jan. 25, the day the comment period began, with ballot pools to be closed Feb. 23 and voting to conclude March 11. Oswald explained that the project’s administrator mistakenly opened the ballot pools three days early on Jan. 22. Because 50 pool members had already joined by the time the mistake was discovered, the team decided to leave the pool open and close it on the scheduled closing day, bringing the matter to the committee’s attention as required by the SPM. 

In a final standards action, the committee voted to approve changing the definition of “Automatic generation control” in NERC’s glossary to fix grammatical issues. The errors were discovered by the team for Project 2022-01 (Reporting ACE definition and associated terms), which was completed last week when NERC’s Board of Trustees approved its proposed glossary changes. 

As NERC Manager of Standards Development Jamie Calderon explained, the SPM states that correcting such errors does not require industry ballot if the Standards Committee agrees that the change “does not change the scope or intent of the associated reliability standard” or impact end users. Members again voted unanimously to approve the update. A NERC spokesperson confirmed that the newest definition will not require a separate vote by the board and will be submitted to FERC with the other definitions approved last week.

CIPSC

Leave a Reply

Your email address will not be published. Required fields are marked *