CIP version 5 comprises 10 standards: one covering the categorization of assets and nine mitigating their risk of being compromised.
Categorization of risk
CIP-002-5 (BES Cyber System Categorization) will require entities to categorize all BES Cyber Systems according to the impact that the “loss, compromise, or misuse” of the systems could have on the reliable operation of the grid.
- High Impact facilities, which include large control centers and backup centers that perform the roles of the Reliability Coordinator, Balancing Authority (for generation of 3,000 MW or more in a single Interconnection), Transmission Operator or Generator Operator.
- Medium Impact facilities are generation and transmission facilities (similar to those identified as Critical Assets in CIP-002-4) and control centers not identified as Critical Assets in CIP-002-4.
- Low Impact facilities are all other BES Cyber Systems. This establishes protections for systems not covered by CIP Version 4.
Risk mitigation
- CIP-003-5 (Security Management Controls) requires that low impact systems implement policies for cybersecurity awareness, physical security, electronic access, and incident reporting. The commission ordered NERC to provide more detail on these requirements.
- CIP-004-5 (Personnel and Training) requires programs for security awareness, cyber security training, personnel risk assessment, and access management.
  - Expands training requirements and adds identification of roles requiring training.
  - Includes rules for electronic interconnectivity and storage media;
  - Specifies that the seven-year criminal history check covers all locations where an individual has lived for six consecutive months or more, regardless of official residence; and
  - Requires companies to revoke access for terminated employees immediately, instead of within 24 hours. Also requires immediate revocation for those no longer needing access (e.g., transferred employees).
- CIP-005-5 (Electronic Security Perimeter(s)) focuses more on discrete Electronic Access Points; requires two security measures for detecting malicious communications so that Cyber Assets do not lose all perimeter protection if one measure fails.
- CIP-006-5 (Physical Security of BES Cyber Systems) requires a physical security plan to protect BES Cyber Systems; clarifies that high impact systems must have at least two physical access controls protecting security perimeters; increases testing from every three years to every two years.
- CIP-007-5 (Systems Security Management) is modified to make the requirements less dependent on specific technology so that they will remain relevant for future technologies; increases and clarifies testing requirements.
- CIP-008-5 (Incident Reporting and Response Planning) specifies incident response requirements, including one requirement to report cyber security incidents to NERC’s Electricity Sector Information Sharing and Analysis Center (ES-ISAC) within one hour and another for after-action reviews.
- CIP-009-5 (Recovery Plans for BES Cyber Systems) specifies requirements for recovery plans, including testing every 36 months.
- CIP-010-1 (Configuration Change Management and Vulnerability Assessments) is a new standard that consolidates requirements from previous versions of CIP-003, CIP-005 and CIP-007; includes requirements to detect unauthorized modifications to BES Cyber Systems.
- CIP-011-1 (Information Protection) is a new standard that consolidates the information protection requirements from previous versions of CIP-003 and CIP-007; includes requirements to prevent unauthorized access to BES Cyber System Information and specifies reuse and disposal provisions to prevent unauthorized dissemination of protected information.
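The CIP-010-1 requirement to detect unauthorized modifications to BES Cyber Systems rests on keeping an approved baseline configuration and comparing the live system against it, with changes accepted only through a recorded change-management action. The Python below is an added illustration of that baseline-comparison logic; it is not code from NERC, the standard, or this page. The file paths, file contents and change-ticket identifier are constructed sample values standing in for the baseline items a real entity would track (OS, patches, enabled ports and services, installed software).

```python
import hashlib
from typing import Dict, List

# Constructed approved baseline: path -> content for a hypothetical BES Cyber Asset.
APPROVED_BASELINE_FILES: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/services_enabled": b"sshd\nhistorian-collector\n",
    "/etc/audit/rules.d/bes.rules": b"-w /opt/ems -p wa -k ems_change\n",
    "/opt/ems/version": b"ems-agent 4.2.1\n",
}

# Constructed "current" state of the same asset: two items altered,
# one unexpected item present, one baseline item missing.
CURRENT_FILES: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/services_enabled": b"sshd\nhistorian-collector\ntelnetd\n",
    "/opt/ems/version": b"ems-agent 4.2.1\n",
    "/opt/ems/plugins/unknown.so": b"\x7fELF\x02\x01\x01",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the fingerprint for each baseline item."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Reduce a path -> content map to a path -> hash map (the stored baseline)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def compare_to_baseline(baseline: Dict[str, str],
                        current_files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Report items added, removed or modified relative to the approved baseline."""
    current = build_baseline(current_files)
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def has_unauthorized_changes(report: Dict[str, List[str]]) -> bool:
    """Any deviation not yet folded into the baseline counts as unauthorized."""
    return any(report[key] for key in ("added", "removed", "modified"))


def record_authorized_change(baseline: Dict[str, str], path: str,
                             new_content: bytes, ticket_id: str) -> Dict[str, str]:
    """Accept one change into the baseline only under a recorded change ticket.

    ticket_id is a constructed placeholder for the entity's own change record.
    Returns a new baseline; the original is left untouched for audit purposes.
    """
    if not ticket_id:
        raise ValueError("a change ticket is required to update the baseline")
    updated = dict(baseline)
    updated[path] = sha256_hex(new_content)
    return updated


def main() -> None:
    baseline = build_baseline(APPROVED_BASELINE_FILES)
    report = compare_to_baseline(baseline, CURRENT_FILES)
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind.upper():8} {path}")
    print("unauthorized change detected:", has_unauthorized_changes(report))

    # A change that went through change management is folded into the baseline,
    # so the same file no longer appears as modified on the next comparison.
    approved = record_authorized_change(
        baseline, "/etc/services_enabled", CURRENT_FILES["/etc/services_enabled"],
        ticket_id="CHG-EXAMPLE-0001")
    print("after approved change:", compare_to_baseline(approved, CURRENT_FILES))


if __name__ == "__main__":
    main()
```

In practice the comparison would run against hashes collected from the asset on a schedule, and the "added" and "modified" lists would feed the entity's investigation workflow; the point of keeping `record_authorized_change` separate from `compare_to_baseline` is that the baseline only moves through a documented change, never by silently re-baselining whatever the monitor observes.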