November 24, 2024

Highlights of CIP Version 5

CIP version 5 is comprised of 10 standards, one covering the categorization of assets and nine mitigating their risk of being compromised.

Categorization of risk

CIP–002–5 (BES Cyber System Categorization) will require entities to categorize all BES Cyber Systems according to impact that “loss, compromise, or misuse” of the systems could have on the reliable operation of the grid.

  • High Impact facilities, which include large control centers and backup centers that perform the roles of the Reliability Coordinator, Balancing Authority (for generation of 3,000 MW or more in a single Interconnection), Transmission Operator or Generator Operator.
  • Medium Impact facilities are generation and transmission facilities (similar to those identified as Critical Assets in CIP-002-4) and control centers not identified as Critical Assets in CIP-002-4.
  • Low Impact facilities are all other BES Cyber Systems. This establishes protections for systems not covered by CIP Version 4.
Risk mitigation
  • CIP-003-5 (Security Management Controls) requires that low impact systems implement policies for cybersecurity awareness, physical security, electronic access, and incident reporting. The commission ordered NERC to provide more detail on these requirements.
  • CIP-004-5 (Personnel and Training) requires programs for security awareness, cyber security training, personnel risk assessment, and access management.
    • Expands training requirements and adds identification of roles requiring training.
    • Includes rules for electronic interconnectivity and storage media;
    • Specifies that the seven-year criminal history check covers all locations where an individual has lived for six consecutive months or more, regardless of official residence; and
    • Requires companies to revoke access for terminated employees immediately, instead of within 24 hours. Also requires immediate revocation for those no longer needing access (e.g., transferred employees).
  • CIP-005-5 (Electronic Security Perimeter(s)), focuses more on discrete Electronic Access Points; requires two security measures for detecting malicious communications so that Cyber Assets do not lose all perimeter protection if one measure fails.
  • CIP-006-5 (Physical Security of BES Cyber Systems) requires a physical security plan to protect BES Cyber Systems; clarifies that high impact systems must have at least two physical access controls protecting security perimeters; increases testing from every three years to every two years.
  • CIP-007-5 (Systems Security Management) is modified to make the requirements less dependent on specific technology so that they will remain relevant for future technologies; increases and clarifies testing requirements.
  • CIP-008-5 (Incident Reporting and Response Planning) specifies incident response requirements, including one requirement to report cyber security incidents to NERC’s Electricity Sector Information Sharing and Analysis Center (ES‐ISAC) within one hour and another for after-action reviews.
  • CIP-009-5 (Recovery Plans for BES Cyber Systems) specifies requirements for recovery plans, including testing every 36 months.
  • CIP-010-1 (Configuration Change Management and Vulnerability Assessments) is a new standard that consolidates requirements from previous versions of CIP-003, CIP-005 and CIP-007; includes requirements to detect unauthorized modifications to BES Cyber Systems.
  • CIP-011-1 (Information Protection) is a new standard that consolidates the information protection requirements from previous versions of CIP-003 and CIP-007; includes requirements to prevent unauthorized access to BES Cyber System Information and specifies reuse and disposal provisions to prevent unauthorized dissemination of protected information.

Bulk Electric Systems (BES) Inclusions and Exclusions

  • I1 – Transformers with the primary terminal and at least one secondary terminal operated at 100 kV or higher unless excluded under Exclusion E1 or E3.
  • I2 – Generating resource(s) with gross individual nameplate rating greater than 20 MVA or gross plant/facility aggregate nameplate rating greater than 75 MVA including the generator terminals through the highside of the step-up transformer(s) connected at a voltage of 100 kV or above.
  • I3 – Black start Resources identified in the Transmission Operator’s restoration plan.
  • I4 – Dispersed power producing resources with aggregate capacity greater than 75 MVA (gross aggregate nameplate rating) utilizing a system designed primarily for aggregating capacity, connected at a common point at a voltage of 100 kV or above.
  • I5 – Static or dynamic devices (excluding generators) dedicated to supplying or absorbing Reactive Power that are connected at 100 kV or higher, or through a dedicated transformer with a high-side voltage of 100 kV or higher, or through a transformer that is designated in Inclusion I1.
Exclusions:
  • E1 – Radial systems: A group of contiguous transmission Elements that emanates from a single point of connection of 100 kV or higher and: a) Only serves Load. Or, b) Only includes generation resources, not identified in Inclusion I3, with an aggregate capacity less than or equal to 75 MVA (gross nameplate rating). Or, c) Where the radial system serves Load and includes generation  resources, not identified in Inclusion I3, with an aggregate capacity of non-retail generation less than or equal to 75 MVA (gross nameplate rating).
  • E2 – A generating unit or multiple generating units on the customer’s side of the retail meter that serve all or part of the retail Load with electric energy if: (i) the net capacity provided to the BES does not exceed 75 MVA; and (ii) standby, back-up, and maintenance power services are provided to the generating unit or multiple generating units or to the retail Load by a Balancing Authority, or provided pursuant to a binding obligation with a Generator Owner or Generator Operator, or under terms approved by the applicable regulatory authority.
  • E3 – Local networks (LN): A group of contiguous transmission Elements operated at or above 100 kV but less than 300 kV that distribute power to Load rather than transfer bulk-power across the interconnected system. LN’s emanate from multiple points of connection at 100 kV or higher to improve the level of service to retail customer Load and not to accommodate bulk-power transfer across the interconnected system. The LN is characterized by all of the following:
    • Limits on connected generation: The LN and its underlying Elements do not include generation resources identified in Inclusion I3 and do not have an aggregate capacity of non-retail generation greater than 75 MVA (gross nameplate rating);
    • Power flows only into the LN and the LN does not transfer energy originating outside the LN for delivery through the LN; and
    • Not part of a Flowgate or transfer path: The LN does not contain a monitored Facility of a permanent Flowgate in the Eastern Interconnection, a major transfer path within the Western Interconnection, or a comparable monitored Facility in the ERCOT or Quebec Interconnections, and is not a monitored Facility included in an Interconnection Reliability Operating Limit (IROL).
  • E4 – Reactive Power devices owned and operated by the retail customer solely for its own use.

What You Need To Know About CIP Version 5

NERC’s version 5 Critical Infrastructure Protection (CIP) rules include 10 standards, two of them new.

The commission’s conditional approval of version 5 came in the form of a Notice of Proposed Rulemaking. The commission will accept comments on the new rules for 60 days after their publication in the Federal Register.

The commission said NERC had not provided justification for setting a 24-month implementation period for High Impact and Medium Impact BES Cyber Systems, and a 36-month implementation period for Low Impact systems.

CIP version 3 (CIP-002-3 through CIP-009-3) will remain in effect until the effective date of version 5.  Version 4 (CIP-002-4 through CIP-009-4) will not take effect as originally planned.

Version 5 requires registered entities to classify all of their Bulk Electric System (BES) facilities based on their impact on reliability. The Low, Medium or High impact categories replace the previous approach, in which facilities were either covered or not covered by CIP standards.

NERC Critical Infrastructure Protection Violations 2008-2012
NERC Critical Infrastructure Protection Violations 2008-2012
Reason for Change:

Version 5 adds new cybersecurity controls and extends the scope of the systems protected by them. Many of the changes were directed by the Commission in Order 706 (Jan. 18, 2008).

The shift to identifying and categorizing high, medium and low impact systems was based on a review of the National Institute of Standards and Technology (NIST) risk management framework for categorizing and applying security controls.

Impact:

Version 5 is comprised of 10 standards, one covering the categorization of assets and nine mitigating their risk of being compromised (see Highlights of CIP Version 5). It includes 15 newly defined terms, modifications to four existing terms and retires two terms: Critical Assets and Critical Cyber Assets.

Systems at all impact levels must be within a security zone that provides protection from outside influences using a posture of “mutual distrust.” No communications crossing the perimeter is trusted, regardless of where the communication originates.

To Be Determined:

The commission approved most of NERC’s proposals but said it may require NERC to change requirements that entities “identify, assess, and correct” deficiencies. The commission said it was concerned that the phrase was “unclear with respect to the compliance obligations it places on regulated entities and … too vague to audit and enforce compliance.”

The commission said it may require NERC to either change the language or provide details for how it would be applied and how compliance could be audited.

The commission also said NERC had not provided a “clear roadmap” for what operators of low impact facilities must do to achieve compliance.

NERC proposed an implementation period of 24 months for all but those regarding low impact systems, which would have 36 months to comply.  The commission said NERC had not explained its rationale for the implementation plan and said it will order quicker compliance unless NERC or other commenters “provide reasonable justification” for the proposed time frame.

(For a full list of what’s included in CIP Version 5, click here.)

Cost Recovery Criteria OK’d

The Commission approved criteria for determining which NERC activities are eligible for cost recovery under section 215 of the Federal Power Act.

Reason for change:

A FERC audit issued last year recommended the development of the criteria.

Impact:

The criteria restrict funding to “statutory” activities such as those involving the development, monitoring and enforcement of reliability standards, along with related training.

FERC will use the criteria in approving NERC’s annual budgets. Expenses approved by FERC are eligible for cost recovery from end users.

The commission ruled that the proposed criteria were generally acceptable but required replacement of the term “involve or support” with the term “necessary or appropriate” as the basis for funding. The commission said the former term was too broad and provided no practical limitation on funding.

Cyber Asset Definitions

Programmable electronic devices and communication networks including hardware, software and data.

Bulk Electric System (BES) Cyber Asset

A cyber asset which, if lost, damaged or misused would within 15 minutes affect the reliable operation of the grid. Redundancy of affected facilities is not considered when determining adverse impact. The definition excludes assets connected to the grid for 30 consecutive days or less that are used for data transfer, vulnerability assessments, maintenance, or troubleshooting.

FERC OKs New Reliability Standards

Expanded Cybersecurity Focus

New Approach for Generators

WASHINGTON — The Federal Energy Regulatory Commission gave preliminary approval Thursday to a rewrite of cybersecurity rules and set a “bright line” requiring most facilities at 100 kV or higher to abide by them.

The commission issued four orders approving proposals by the North American Electric Reliability Corp. (NERC). Included were:

  • A new definition of transmission facilities covered by NERC reliability rules that upgrades the longstanding 100 kV threshold from a guideline to a directive. Regional discretion on the definition of Bulk Electric Systems (BES) is eliminated. (more)
  • Version 5 Critical Infrastructure Protection (CIP) standards, which replace the current “in or out” designations with a tiered approach which classify assets as high, medium or low impact. The commission said version 5’s improvements were important enough that companies now operating under CIP version 3 will skip CIP Version 4, due to take effect date, April 1, 2014, and transition directly to version 5. (more)
  • New rules for generator interconnections that will eliminate the need for most generators to register as transmission operators. (more)
  • Criteria for determining which NERC activities are eligible for cost recovery. (more)

New Reliability Rules for Generator Interconnections

The commission issued a Notice of Proposed Rulemaking for four new reliability standards addressing vegetation management and facility connection requirements for generator interconnection facilities (also known as generator tie lines).

Reason for Changes:

FERC had encouraged NERC to identify reliability standards specific to generator owners and operators with interconnection facilities including transmission lines. Eliminating the need for generators to register under the transmission function will allow them to focus on reliability standards specific to them, NERC said.

Impact:

  • FAC-001-1 requires a Generator Owner to publish facility connection requirements when it executes an agreement to evaluate the reliability impact of interconnecting a third party facility to its tie line.
  • FAC-003-3 requires a Generator Owner to perform vegetation management on its tie line.

Standards PRC-004-2.1a (Analysis and Mitigation of Transmission and Generation Protection System Misoperations) and PRC-005-1.1b (Transmission and Generation Protection System Maintenance and Testing) establish generation owners’ responsibility for the FAC requirements as they apply to tie lines.

In most cases, NERC said, these are the only reliability standards that apply to generator interconnection facilities. The changes do not affect the requirement that generators comply with other reliability standards unrelated to tie lines, such as those covering system restoration plans and notification of equipment failures.

Generators currently registered under transmission functions will have to apply to change their certifications under the NERC Rules of Procedure.

MRC Preview: Black Start Compensation; DR “Fatigue;” UTCs; CFTC Response on Agenda

Below is a summary of the issues scheduled to be brought to a vote at Thursday’s Markets and Reliability Committee meeting. Each item is listed by agenda number, description and projected time of discussion, followed by a summary of the issue and links to prior coverage in PJM Insider.

Rich Heidorn will be in Wilmington covering the votes. Sign up for his Twitter feed to get real-time alerts on when these issues come up for discussion, and see next week’s newsletter for a full report.

2. PJM MANUALS (9:10-9:20)

The committee will be asked for endorsements of changes to Manual 13: Emergency Operations related to the integration of East Kentucky Power Cooperative.

East Kentucky Coop to Join PJM

Tariff Changes OK’d for East Kentucky Integration

3.  SYSTEM RESTORATION STRATEGY SENIOR TASK FORCE (SRSTF) (9:20-9:50)
  • Transmission operators providing cranking paths for black start generators would recover capital costs over five years under a proposal by the System Restoration Strategy Task Force that the MRC will be asked to approve. The task force rejected an alternate proposal that would have extended capital recovery over the entire asset life.

MRC First Readings: Capital Cost Recovery for Black Start Generators

  • MRC will be asked to approve on first read a revised charter that will expand the scope of the task force’s work. The revised charter would include consideration of “back stop options.”
4. PROVISION OF E-TAG DATA TO ISOS, MMUS, AND FERC (9:50-10:00)

PJM needs to make revi­sions to the con­fi­den­tial­ity pro­vi­sions of its tar­iff to com­ply with FERC Order 771,  requir­ing pro­vi­sion of E-Tag data to Inde­pen­dent Sys­tem Oper­a­tors, Mar­ket Mon­i­tor­ing Units and FERC.

MRC First Readings: Provision of E-Tag Data

5. FREQUENCY CAPABILITY VERIFICATION (10:00-10:15)

Ken Carretta, of PSEG, will ask the MRC to endorse a problem statement exploring whether PJM has sufficient safeguards to ensure that Emergency Demand Response resources perform as needed.

PJM expects DR to be called on increasingly in the future due to declining installed generation reserve margins. That has led to concern by some that performance may suffer as a result of DR “fatigue.”

At MRC’s March 28 meeting, curtailment service providers said that there was no evidence of “fatigue” and alleged the proposal was anti­competitive. Carretta said reporting requirements that could result from the inquiry would be no more onerous than those for generators.

Cool Reception for DR “Fatigue” Study

Demand Response Calls Expected to Grow in 2014

6. UP-TO CONGESTION TRANSACTION ENHANCEMENT (10:15-10:40)

PJM delayed a vote on its proposal to limit Up-to Congestion (UTC) bids Feb. 28 when MRC members asked for a broader review to come up with a consensus definition of the bidding technique.

PJM is proposing the cap because high bid volumes can make it difficult for the RTO’s day ahead markets software to reach solutions. Although the proposal was supported by financial market players who are the predominant users of UTC, other members balked, calling for a broader review of the impact of UTCs, which have grown in popularity since their creation in 2000.

MRC will be asked to approve bid limits similar to those that apply to increment offers and decrement bids for inclusion in Manual 11. The proposed revisions also add the following definition of Up-To Congestion transactions to the OA and Tariff:

“A Market Participant may elect to submit in the Day-ahead Energy Market a form of Virtual Transaction that combines an offer to sell energy at a source, with a bid to buy the same megawatt quantity of energy at a sink where such transaction specifies the maximum difference between the Locational Marginal Prices at the source and sink. The Office of Interconnection will schedule these transactions only to the extent this difference in Locational Marginal Prices is within the maximum amount specified by the Market Participant.”

Facing Opposition, PJM Delays UTC Cap Pending Broader Review

7. APPLICATION OF FTR FORFEITURE RULES TO UP-TO CONGESTION TRANSACTIONS (10:40-11:00)

PJM will ask MRC approval to apply FTR forfeiture rules to Up-to Congestion transactions. The action will require changes to the OA, Tariff and PJM Manual 6: Financial Transmission Rights.

The rules are intended to prevent market participants from submitting virtual bids that boost the value of their FTRs.

On March 28, the MRC rejected PJM’s proposed tariff changes specifying how the FTR forfeiture rules are applied to increment offers and decrement bids.

PJM, Monitor in Stalemate on FTR Forfeiture Rule

8. COMMODITY FUTURES TRADING COMMISSION (CFTC) EXEMPTION ORDER (11:00-11:30)

PJM announced April 7 that it may deny trading privileges to as many as 55 small market participants if they are unable to qualify for the Dodd-Frank exemption approved by the Commodity Futures Trading Commission last month.

MRC will be asked to approve changes to the Operating Agreement and Tariff to comply with conditions in the CFTC order and to implement PJM’s response to it.

CFTC Approves Dodd-Frank Exemption for RTOs

PJM May Bar Some Financial Players from Trading; 55 Companies Affected by Response to CFTC Order

FERC Stands Firm on Reporting Requirements – UPDATE

By Rich Heidorn Jr.
PJM Insider

WASHINGTON – Large electric cooperatives and public power agencies must begin reporting their “surplus” power trades to the Federal Energy Regulatory Commission, the agency said today, standing firm on an order it issued in September.

The new reporting requirements apply to more than 50 cooperatives and public power agencies otherwise exempt from FERC authority that have “more than a de minimis market presence” – defined as more than 4 million MWh in annual wholesale sales.

The newly-affected entities must begin recording their transactions in Electric Quarterly Reports (EQRs) for the third quarter of 2013.

In denying a request for reconsideration, the commission also reiterated its requirement that all EQR filers begin including electronic tag (e-Tag) data in reporting their transactions.

Reason for change: 

Order 768, issued Sept. 21, is a response to Congress’ command in the 2005 Energy Policy Act to improve price transparency in wholesale electric markets.

The commission said the reporting requirements were necessary because non-public utilities are responsible for about 29% of wholesale sales in the 48 contiguous states (excluding ERCOT).  They represent 60% or more of sales within the Western Electric Coordinating Council (WECC), SERC Reliability Corp. and Florida Reliability Coordinating Council (FRCC) FERC said.

The American Public Power Association said the commission’s estimate overstates the role of non-public utilities, which it estimated at 19% of sales nationally. APPA said the data FERC used, from the Energy Information Administration’s (EIA’s) Form 861, are inaccurate because EIA reports a power marketer’s sales as being from a single region although it may make sales in several regions.

Impact:

The reporting requirements cover only “surplus” sales. Excluded from reporting are cooperative and joint agency sales to members or long-term, cost-based sales required by state or federal law.

The order may affect more than 40 public power utilities whose sales top 4 million MWh, according to data compiled by the American Public Power Association.  Among the largest agencies are several PJM members, including American Municipal Power, Inc., North Carolina Municipal Power Agency No. 1, Indiana Municipal Power Agency and WPPI Energy. (To help PJM market participants in their data gathering, the Market Settlements Reporting System (MSRS) provides reports formatted to match the EQR structure.)

About half of the 60 largest generation and transmission cooperatives also are likely to be covered by the new rule, according to a former FERC staff attorney who had analyzed the order’s impact.

FERC estimated in Order 768 that the rule would cover about 53 non-public utilities above the threshold.

The order also added new fields in the EQR for:

  • reporting the trade date and the type of rate;
  • identifying the exchange used for a sales transaction, if applicable;
  • reporting whether a broker was involved; and
  • reporting electronic tag (e-Tag) ID data.

It also standardized reporting of prices and quantities for energy, capacity and booked out transactions and requires entities to disclose whether they report their sales transactions to an index publisher.

The Commission did cut two requirements, eliminating reporting on time zones and Data Universal Numbering System (DUNS) information.

Industry Reaction:

The National Rural Electric Cooperative Association said that FERC overestimated the impact of its members on wholesale markets and that the EQR expansion would not improve transparency.

However, the Pennsylvania Public Utility Commission supported the reporting requirement, saying it will help its ability to monitor retail markets for anti-competitive behavior. Pennsylvania has 13 rural electric cooperatives and about 35 municipal electric utilities.

Market monitors for PJM, MISO, NYISO, ISO-NE SPP, and California ISO also supported the requirement. The monitors noted that the commission’s market-based rate program is based on “regulation through competition,” and is thus dependent on mitigating market power.

FERC contacts:

Maria Vouras, Office of Enforcement, (202) 502-8062, Maria.Vouras@ferc.gov
Christina Switzer, Office of the General Counsel, (202) 502-6379, Christina.Switzer@ferc.gov

PJM to Alter Practice on Billing Transfers

In response to recent bankruptcy court rulings, PJM will no longer incorporate billing line item transfers when calculating member credit requirements, RTO officials told the Market Implementation Committee last week.

A billing line item transfer allows a member to partially offset its accounts payable with a receivable owed them by another member. The netting of charges from these counterparty transactions are reflected in PJM’s invoices: one invoice increases by the same amount as the second decreases.

Reason for Change: Because PJM uses net invoice values in determining credit requirements, the practice can create a “three-party setoff” between PJM and the two members involved in the transfer. Recent bankruptcy court rulings have restricted the allowance of three-party setoffs, meaning PJM might be precluded from seizing assets in the event of a member bankruptcy.

Impact: PJM will continue to allow line item transfers but will exclude the netting from credit calculations in cases that could increase the RTO’s credit exposure. The change will be effective late in the second quarter. Recalculation of credit requirements will be prospective only.

PJM contact: Hal Loomis