FERC NOPR NERC CIP Version 5

Nick Santora | July 17, 2015

On July 16th, 2015 the Federal Energy Regulatory Commission (FERC) issued a Notice Of Proposed Rulemaking (NOPR) to approve the CIP V5 Standards modifications.The NOPR included several directives, discussion points, comments, and a new Reliability Standard to be developed. We highlighted most of the NOPR so you don’t need to skim through 50+ pages of the actual NOPR!

Directives met by NERC
  1. Eliminating the “identify, assess, and correct” language in 17 of the CIP version 5 Standard requirements;
  2. Providing enhanced security controls for Low Impact assets;
  3. Providing controls to address the risks posed by transient electronic devices;(e.g., thumb drives and laptop computers)
  4. Addressing in an equally effective and efficient manner the need for a NERC Glossary definition for the term “communication networks.”
3 major directives relating to NERC CIP
  1. The first is to require protections for communication network components and data communicated between all bulk electric system Control Centers.
  2. FERC is requesting comment on the sufficiency of the security controls incorporated in the current CIP Reliability Standards regarding remote access used in relation to bulk electric system communications.
  3. Finally, FERC is directing NERC to develop requirements relating to supply chain management for industrial control system hardware, software, and services.

Low Impact Assets

So what’s happening with Low Impact Assets? As you know FERC has some issues with the objective criteria in CIP-003 for Low Impact Assets and requested that NERC modify the standards. Well FERC approved CIP-003-6 which includes the objective criteria for Low Impact Assets.

Low Impact Assets Requirements
  1. Mandatory reinforcement of cyber security awareness practices at least once every 15 calendar months. This can also be the same quarterly program used in High and Medium Security Awareness programs.
  2. Mandatory physical access controls to the asset or locations of the Low Impact BES Cyber Systems within the asset and Low Impact BES Cyber System Electronic Access Points, if any.
  3. Mandatory electronic access point protection to permit only necessary inbound and outbound bi- directional routable protocol access and mandatory authentication for all dialup connectivity that provides access to the Low Impact BES Cyber System.
  4. Specific information to be included in incident response plans.

Transient Cyber Assets

FERC approved the sufficiency NERC has used to protect Transient Cyber Assets. They approved the modifications based on the reliability impact including adding transient cyber assets to the NERC CIP Training requirements in CIP-004.

Transient Cyber Assets Security Objectives
  1. Device authorization
  2. Software authorization
  3. Security patch management
  4. Malware prevention
  5. Unauthorized use

What else is happening with Lows?

FERC is directing NERC to provide more information on the analysis of burden towards expanding the applicability of Reliability Standard CIP-010-2 to transient devices at Low Impact BES Cyber Systems. They stated it was not clear from the information in the record on why this “was unnecessary.” Depending on the information that comes back from this assessment, FERC may direct NERC to address the potential reliability gap by developing a solution, which could include modifying the applicability section of CIP-010-2, Requirement R4 to include Low Impact BES Cyber Systems, that effectively addresses, and is appropriately tailored to address, the risks posed by transient devices to Low Impact BES Cyber Systems.

Communication Networks

FERC is directing NERC to develop a modification to proposed Reliability Standard CIP-006-6 to require responsible entities to implement controls to protect, at a minimum, all communication links and sensitive bulk electric system data communicated between all bulk electric system Control Centers. This includes communication between two (or more) Control Centers, but not between a Control Center and non-Control Center facilities such as substations. FERC also seeks comment on other logical controls for the latency issues associated with encryption. FERC also is seeking comment on the steps needed to improve remote access protections and any adoption of additional security controls would provide a substantial reliability benefit.

Supply Chain Management Standard

FERC directed a new or modified Reliability Standard be developed to support Supply Chain Management. The reliability goal should be to create a forward-looking, objective-driven standard that encompasses activities in the system development life cycle: from research and development, design and manufacturing stages (where applicable), to acquisition, delivery, integration, operations, retirement, and eventual disposal of the Registered Entity’s information and communications technology and industrial control system supply chain equipment and services. The standard should support and ensure security, integrity, quality, and resilience of the supply chain and the future acquisition of products and services.

Again, as stated in the NOPR, this standard will take quite some time to develop and take effect. So we probably won’t see this become mandatory and enforceable for at least a few years. NIST SP 800-161 may be used as a reference in the development of objectives for this standard.

The following 9 topics could potentially be a baseline for what we might see in development of the new NERC Supply Chain Management standard:

  1. Access Control Policy and Procedures
  2. Security Assessment Authorization
  3. Configuration Management
  4. Identification and Authentication
  5. System Maintenance Policy and Procedures
  6. Personnel Security Policy and Procedures
  7. System and Services Acquisition
  8. Supply Chain Protection
  9. Component Authenticity.

So what’s next?

FERC approved the CIP V5 implementation plan provided by NERC. They also had additional comments on Low Impact External Routable Connectivity and some additional comments and directives throughout the NOPR. What the NOPR does clarify is that the dates moving toward CIP V5 compliance are real and approaching quickly. Low Impact assets also have a confirmed future to look towards with the approved requirements and implementation plan for CIP-003. NERC has some work to do to quantify the analysis of some decisions called out in the NOPR. I highly recommend that you take a deep look at the NOPR to understand all of the very specific directives and challenges ahead.

If you have any questions on transitioning to NERC CIP V5 contact Curricula today.

Author: Nick Santora
  • Nick Santora

CISSP, CISA, Chief Executive Officer of Curricula.