NERC Critical Infrastructure Protection Initiatives

Critical Infrastructure Protection Standards Activities

The following standards related critical infrastructure protection activities are currently underway:

Project 2008-14 Cyber Security Violation Severity Levels – The purpose of this project is to propose Violation Severity Levels (VSLs) for the version 1 CIP-002 thru CIP-009 standards as directed in FERC Order 706.
Project 2008-06 Cyber Security Order 706 - The purpose of this project is to review each of the cyber security standards to ensure that they conform to the latest version of the ERO Rules of Procedure, including the Reliability Standards Development Procedure, to address the directives identified in FERC Order 706, and to issues identified by industry stakeholders. This project includes making conforming changes to violation risk factors and violation severity levels to align with modifications made to the requirements.
Development of a Technical Feasibility Exception (TFE) Procedure – NERC staff is drafting a Procedure for Requesting and Receiving a Technical Feasibility Exception to NERC Critical Infrastructure Protection Standards. The intent is to file this procedure as an amendment to the ERO Rules of Procedure.

Background

Project 2008-14 Cyber Security Violation Severity Levels
On August 7, 2008 the NERC Standards Committee appointed the drafting team for Project 2008-14 Cyber Security Violation Severity Levels. This drafting team was assigned the responsibility of proposing VSLs for the version 1 Cyber Security standards (CIP-002-1 through CIP-009-1). This drafting team is working in parallel with the Standard Drafting Team (SDT) for Project 2008-06 Cyber Security Order 706 is expected to coordinate the development of VSLs for the version 2 Cyber Security standards (CIP-002-2 through CIP-009-2).

Project 2008-06 Cyber Security Order 706
The SDT for Project 2008-06 Cyber Security Order 706 was appointed by the NERC Standards Committee on August 7, 2008 to develop revisions to the NERC Critical Infrastructure Protection (CIP) Reliability Standards on Cyber Security (CIP-002-1 through CIP-009-1). The SDT was assigned to review each of these cyber security standards to ensure that they conform to the latest version of the ERO Rules of Procedure, including the Reliability Standards Development Procedure, to address the directives identified in FERC Order 706, and to issues identified by industry stakeholders.

This suite of reliability standards covers a broad range of topics with respect to cyber security requirements as identified in:

CIP-002-1 Critical Cyber Asset Identification
CIP-003-1 Security Management Controls
CIP-004-1 Personnel & Training
CIP-005-1 Electronic Security Perimeter(s)
CIP-006-1 Physical Security of Critical Cyber Assets
CIP-007-1 Systems Security Management
CIP-008-1 Incident Reporting and Response Planning
CIP-009-1 Recovery Plans for Critical Cyber Assets

The SAR for this project indicates that the SDT will consider other cyber-security related standards, guidelines, and resources that are presently available and are followed by a variety of organizations. These organizations include the National Institute of Standards and Technology (NIST) Security Risk Management Framework, the NERC Critical Infrastructure Protection Committee (CIPC) Risk Assessment Guideline, the Department of Homeland Security (DHS), the Department of Energy (DOE), as well as various standards organizations such as the International Electrotechnical Commission (IEC), the International Society of Automation (ISA), the Institute of Electric and Electronic Engineers (IEEE), and others.

Multiphase Approach Strategy
In October 2008, the SDT agreed that due to the extensive scope and varying complexity of the issues and the work involved in making these revisions to the cyber security standards, a multiphase approach for revising this set of standards was needed and was therefore adopted.

The “Phase 1” revisions are limited to modifications to the cyber security standards (CIP-002-1 through CIP-009-1) to comply with the near term specific directives included in FERC Order 706 and 706A, and revisions that were not expected to invoke significant industry debate. The Phase 1 revisions address the directive in FERC Order 706 that the “… ERO modify the CIP Reliability Standards through its Reliability Standards development process to remove references to ‘reasonable business judgment’ before the compliance audits begin in 2009.” The more complex issues in this project, such as consideration of the applicable features of the National Institute of Standards and Technology (NIST) standard framework described in NIST 800-53 as well as the identification of what cyber equipment should be addressed by the CIP-003 through CIP-009 standards, will be addressed in subsequent phases of this project.

Violation Risk Factors
The SDT for Project 2008-06 Cyber Security Order is responsible for proposing Violation Risk Factors (VRFs) for the version 2 Cyber Security standards (CIP-002-2 through CIP-009-2) that are consistent with the modifications to any requirements in these standards. The only VRF that is proposed for modification is associated with the changes made in standard CIP-006-2.

Technical Feasibility Exception (TFE) Procedure
At the suggestion of the SDT for Project 2008-06 Cyber Security Order 706, NERC staff is proposing an amendment to the ERO Rules of Procedure which will provide Responsible Entities with a mechanism for requesting and receiving approval for an exception from the terms of certain requirements in the Cyber Security standards on the grounds of technical feasibility or technical limitations. Without this TFE procedure, each entity would have to submit a request for a variance, following the process outlined in the Reliability Standards Development Procedure.