New cyber reliability standards add, change compliance requirements
by Lisa Meiman
At the end of May, a Western team completed the first phase of a major Western-wide effort to ensure compliance with the North American Electric Reliability Corporation’s newest set of Critical Infrastructure Protection cyber standards.
“CIP version 5 is more targeted and reflective of real threats to the system and the parts of the system that should be covered under reliability standards,” said CIP Compliance Manager John Work, who is leading the Critical Infrastructure Protection Version 5 Transition Team, or CV5TT.
The set of standards called CIP version 5, or CIP v5, dramatically increased the requirements for protecting the bulk electric system’s cyber assets by expanding the scope of eligible assets and adding 10 new reliability standards with which utilities must comply by specific dates set by the Federal Energy Regulatory Commission and NERC. “This new standard is going to affect eight out of 10 business units at Western,” said Work. “The only employees who won’t be impacted in some way are those that never require access to sensitive power system information or an operational field site.”
“As we progress and start looking at requirements, we have to ask ourselves ‘what roles and responsibilities might have to change?’” added Laurent Webber, who recently retired as Western’s Reliability Compliance Program Manager.
The team achieved the first, and most critical, new reliability standard, using quantitative “bright line” criteria defined by NERC to classify Western’s bulk electric system cyber assets into one of three tiers:
- High impact (such as control centers)
- Medium impact (such as major substations)
- Low impact (such as other substations and facilities)
The result of the exercise varied across regions with most seeing an uptick in medium- and high-impact cyber assets. Upper Great Plains saw the biggest change with an increased number of substation sites requiring new security measures. “We had really great participation from the team,” said Work. “At first, we felt there may be a lot of extra work if we included the assets previously excluded in earlier versions. But thanks to everyone’s effort, management support and existing available information, we moved much quicker than anyone expected, finishing the majority of phase 1 to identify applicable cyber systems a month earlier than the team realistically expected.”
At a meeting in Lakewood, Colorado, June 10-12, the team laid out an ambitious plan to complete phase 2 of the project in the next six months. Specifically, the team will:
- Determine what is required for compliance for each of the 10 new or changed CIP reliability standards
- Collaborate with subject matter experts and others impacted by the changed requirements
- Identify the timeline for compliance for each new reliability standard, which, under NERC’s set timeline, ranges from April 1, 2016 to April 1, 2018
- Evaluate existing processes, plans and procedures to discover gaps
- Research opportunities to add common processes, plans and procedures across Western
At the end of the year, the team will propose a number of transition recommendations that will identify what will stay the same in Western’s Compliance program, what needs improvement and what needs to be added or removed to adhere to the new standards within the set deadlines.
“To meet CIP v5 we must do more,” said Work. “We will need to rely heavily on using common processes and tools for efficiencies. The more we can automate, the more we can free people up to do real work; and we’re more likely to focus on reliability rather than compliance paperwork.”
More changes to come
“When FERC approved NERC’s new set of standards in November 2013, it requested changes to the standards,” said Webber. “Changes will happen. We just don’t know when.”
In Order 791, FERC directed NERC to make four modifications to CIP v5, including to provide more specific requirements and compliance criteria for low-impact cyber systems. To meet the standard, utilities currently only have to address four areas of concern, and there are no criteria for NERC auditors to evaluate their effectiveness. The four areas are:
- Security awareness
- Physical security
- Remote access connections
- Incident response
FERC also asked NERC to develop new standards for “transient devices,” or mobile cyber assets such as laptops and thumb drives, as well as for communication networks. Finally, FERC required NERC to replace “overly vague” language regarding a utility’s internal control program, or how a utility confirms compliance. NERC member utilities have until July 16 to comment on NERC’s proposed revisions.
Also waiting in the wings is CIP-014, which will change physical security requirements for the bulk electric system. The NERC Board of Trustees approved CIP-014 on May 13 and plans to submit the standard to FERC for approval this summer. Western’s Office of Security and Emergency Management is already preparing to conduct the assessments described in the draft version.