Requirement R1.3 requires the responsibilities to be identified and applied, so an agreement may be one way to demonstrate compliance. Numerous Responsible Entities that took part in the Small Group Advisory Sessions implemented agreements to memorialize the identification of each Responsible Entity's responsibilities. Agreements may be a form of evidence that helps demonstrate coordination on security protection(s). The agreement's terms and conditions, including how granular it is, are at the discretion of the Responsible Entities.
No, an agreement does not have to be legally binding. However, it is the Responsible Entity's responsibility to comply with CIP-012 and to coordinate with others. Documenting agreements and ensuring those agreements outline each Responsible Entity's responsibilities are key to demonstrating compliance with Part 1.3. Documentation, such as lists, diagrams, etc., may provide reasonable assurance that Part 1.3 has been implemented. Without such documentation, situational awareness and implementation of security protection(s) could be challenging. While not specifically required by the Standard, periodic reviews of those overarching policies and agreements are recommended. In addition, Responsible Entities should consider documenting the process or procedures to follow when others do not comply with established agreements.
The Secure Shell (SSH) protocol may suffice depending on the implementation (e.g., version, configuration, etc.). Responsible Entities must ensure their SSH implementation is documented within their plan(s), including how SSH mitigates the risks posed by unauthorized disclosure and unauthorized modification of RTA/RTm data while it is transmitted between Control Centers.
The ERO Enterprise recommends that the documented plan(s) be reviewed and approved on a periodic basis as an internal control; however, this is not a requirement of the Standard.
The Cyber Security – Communications Between Control Centers Implementation Guidance refers to the use of cabling as a form of physical protection to mitigate the risks posed by unauthorized disclosure and unauthorized modification of RTA/RTm data while it is transmitted between Control Centers. The range of distance is at the discretion of the Responsible Entity, based on its assessment of the risks and the security protection(s) chosen to mitigate those risks.
The Standard is focused on protecting the confidentiality and integrity of RTA/RTm data, and the Responsible Entity is required to protect against the risks posed by unauthorized disclosure and unauthorized modification. Each Responsible Entity should identify those risks based on its own environment (transmitting RTA/RTm) and implement the security protection(s) that address those risks and meet the objective of the Reliability Standard.
Security protection(s) used to mitigate the risks posed by unauthorized disclosure and unauthorized modification of RTA/RTm data should be supported by evidence confirming that the security objective of Requirement R1 has been met. Depending on the facts and circumstances of a Responsible Entity's implementation, diagrams and IPsec configurations alone may not be enough evidence to show compliance.
Responsible Entities must be prepared to demonstrate the assessment that determined their Inter-Control Center Communication Protocol (ICCP) communication link(s) do not transmit RTA/RTm between Control Centers and are therefore not applicable to CIP-012-1.
The CIP-012-1 Purpose states, "To protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between Control Centers." From an evidentiary perspective, the ERO Enterprise recommends detailed R1 plans that include, but are not limited to: the risks identified; the type of security protection(s) and where they are applied; the party responsible for implementing the security protection(s); and how the implemented security protection(s) mitigate the risks posed by unauthorized disclosure and unauthorized modification of RTA/RTm data. Diagrams may be helpful to show physical access controls, demarcations, the Cyber Assets that apply the security protection(s), and/or communication links. Responsible Entities may also consider providing configurations, logs, etc. from the devices implementing the security protection(s). In addition, detailed agreements outlining each Responsible Entity's controls and responsibilities have also helped demonstrate that the security objective is met.
The NERC Glossary of Terms defines Control Center, and the definition includes the associated data centers. The ERO Enterprise would consider those as separate facilities.
RTA/RTm data identification assessments may not always be aligned between Responsible Entities. However, Responsible Entities that identify those devices within their CIP-012 program may protect the entire communication path, not just the RTA/RTm data on it, to ensure appropriate controls are deployed.
The ERO Enterprise recommends reviewing the definition of Control Center per the NERC Glossary of Terms. The definition includes associated data centers. A data center is considered a part of a Control Center.
The ERO Enterprise does not view ATF data as RTA/RTm. However, this does not preclude a Responsible Entity from protecting ATF data in the same manner as RTA/RTm data, especially if it is communicated over the same pathway.
RTA/RTm data is defined in NERC Reliability Standards TOP-003 and IRO-010, and the data is agnostic to the protocol or media used. However, Responsible Entities may identify other RTA/RTm data specifications. For example, a Responsible Entity may identify PMU data used for the State Estimator as RTA/RTm.
The term Control Center is defined in the NERC Glossary of Terms. The ERO Enterprise has no further definition or criteria for Control Centers.