Two 30-day informal comment periods are open through 8 p.m. Eastern, Monday, March 13, 2017, for stakeholders to provide feedback on the Standard Drafting Team’s (SDT’s): (1) approach and draft language developed to address the Federal Energy Regulatory Commission (FERC or the Commission) directive regarding Communication Networks; and, (2) proposal for modifying additional requirements within certain CIP standards to include the provision for CIP Exceptional Circumstances. To minimize the number of posted documents, the SDT included everything in a single document for each issue with the suggested approach and draft language preceding the questions.
Final ballots for the following concluded 8 p.m. Eastern, Wednesday, February 8, 2017:
1. CIP-003-7(i) - Cyber Security – Security Management Controls
2. CIP-003-7(i) Implementation Plan
3. Transient Cyber Asset (TCA) - Proposed revised definition
4. Removable Media - Proposed revised definition
Final ballots for CIP-003-7 - Cyber Security – Security Management Controls and the CIP-003-7 Implementation Plan concluded 8 p.m. Eastern, Monday, December 19, 2016.
All voting results can be accessed via the links below. The standard, implementation plans, and definitions will be submitted to the Board of Trustees for adoption and then filed with the appropriate regulatory authorities.
The Version 5 Transition Advisory Group (V5 TAG) transferred issues to the Version 5 SDT that were identified during the industry transition to implementation of the Version 5 CIP Standards. Specifically, the issues that the SDT will address are:
· Cyber Asset and BES Cyber Asset Definitions
· Network and Externally Accessible Devices
· Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations
On January 21, 2016, FERC issued Order No. 822 Revised Critical Infrastructure Protection Reliability Standards. In this order, FERC approved revisions to version 5 of the CIP standards and also directed that NERC address each of the Order 822 directives by developing modifications to requirements in CIP standards and the definition of Low Impact External Routable Connectivity (LERC), or the SDT shall develop an equally efficient and effective alternative. To address concerns identified in Order 822, the Commission directed the following:
· Develop modifications to the CIP Reliability Standards to provide mandatory protection for transient devices used at Low Impact BES Cyber Systems based on the risk posed to bulk electric system reliability.
· Develop modifications to the CIP Reliability Standards to require responsible entities to implement controls to protect, at a minimum, communication links and sensitive bulk electric system data communicated between bulk electric system Control Centers in a manner that is appropriately tailored to address the risks posed to the bulk electric system by the assets being protected (i.e., high, medium, or low impact).
· Develop a modification to provide the needed clarity, within one year of the effective date of this Final Rule, to the LERC definition consistent with the commentary in the Guidelines and Technical Basis section of CIP-003-6.
Standard(s) Affected – CIP-002-5.1, CIP-003-6, CIP-004-6, CIP-005-5, CIP-006-6, CIP-007-6, CIP-008-5, CIP-009-6, CIP-010-2, CIP-011-2
The SDT will modify the CIP family of standards (or develop an equally efficient and effective alternative) to:
• Address issues identified by the CIP V5 TAG;
• Address FERC directives contained in Order 822; and
• Address requests for interpretations as directed by the NERC Standards