NERC’s version 5 Critical Infrastructure Protection (CIP) rules include 10 standards, two of them new.
The commission’s conditional approval of version 5 came in the form of a Notice of Proposed Rulemaking. The commission will accept comments on the new rules for 60 days after their publication in the Federal Register.
The commission said NERC had not provided justification for setting a 24-month implementation period for High Impact and Medium Impact BES Cyber Systems, and a 36-month implementation period for Low Impact systems.
CIP version 3 (CIP-002-3 through CIP-009-3) will remain in effect until the effective date of version 5. Version 4 (CIP-002-4 through CIP-009-4) will not take effect as originally planned.
Version 5 requires registered entities to classify all of their Bulk Electric System (BES) facilities based on their impact on reliability. The Low, Medium or High impact categories replace the previous approach, in which facilities were either covered or not covered by CIP standards.
Reason for Change:
Version 5 adds new cybersecurity controls and extends the scope of the systems protected by them. Many of the changes were directed by the Commission in Order 706 (Jan. 18, 2008).
The shift to identifying and categorizing high, medium and low impact systems was based on a review of the National Institute of Standards and Technology (NIST) risk management framework for categorizing and applying security controls.
Impact:
Version 5 comprises 10 standards, one covering the categorization of assets and nine mitigating their risk of being compromised (see Highlights of CIP Version 5). It includes 15 newly defined terms, modifications to four existing terms, and retires two terms: Critical Assets and Critical Cyber Assets.
Systems at all impact levels must be within a security zone that provides protection from outside influences using a posture of “mutual distrust.” No communication crossing the perimeter is trusted, regardless of where it originates.
To Be Determined:
The commission approved most of NERC’s proposals but said it may require NERC to change requirements that entities “identify, assess, and correct” deficiencies. The commission said it was concerned that the phrase was “unclear with respect to the compliance obligations it places on regulated entities and … too vague to audit and enforce compliance.”
The commission said it may require NERC to either change the language or provide details for how it would be applied and how compliance could be audited.
The commission also said NERC had not provided a “clear roadmap” for what operators of low impact facilities must do to achieve compliance.
NERC proposed an implementation period of 24 months for all requirements except those regarding low impact systems, which would have 36 months to comply. The commission said NERC had not explained its rationale for the implementation plan and said it will order quicker compliance unless NERC or other commenters “provide reasonable justification” for the proposed time frame.