As discussed earlier in this post, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Supply Chain project is underway. The Federal Energy Regulatory Commission (FERC) released its Notice of Proposed Rulemaking (NOPR) in which it proposes to approve CIP-013-1, CIP-005-6, and CIP-010-3. FERC also proposes to change the implementation plan from 18 months to 12 months, giving applicable registered entities less time to demonstrate compliance.

In addition, the same NOPR proposes to direct NERC to further modify the CIP Standards to require protections for Electronic Access Control or Monitoring Systems (EACMS), Physical Access Control Systems (PACS), and Protected Cyber Assets (PCAs). Perhaps the new Standard language will simply apply the same supply chain controls to these additional device types.

The FERC NOPR can be found here. The next step in the process is to allow for comments and then issue the FERC Order to approve the new Standards, which starts the implementation timeline.

PCS has begun helping its clients write procedures to address new CIP Supply Chain requirements, including the following:

  • Process for the procurement of BES Cyber Systems to identify and assess cyber security risk to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor to another vendor;
  • Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
  • Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
  • Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;
  • Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;
  • Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System;
  • Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s);
  • Review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan at least once every 15 calendar months;
  • Determining active vendor remote access sessions (including Interactive Remote Access and system-to-system remote access);
  • Disabling active vendor remote access (including Interactive Remote Access and system-to-system remote access);
  • Prior to a change of operating system / firmware, software, or security patches, and when the method to do so is available to the Responsible Entity from the software source: (i) verify the identity of the software source; and (ii) verify the integrity of the software obtained from the software source.

Hurricane Harvey has revealed many things, not the least of which is the good that exists in humanity to rally to the aid of those impacted. Another item it has reminded us of is the impact of natural disasters on control centers. We wrote about flooding of the Oroville Dam previously and discussed the benefit of having geographically diverse BES Cyber Systems and control centers. However, most companies are not able to have their own geographically dispersed control centers because their territory is too small.

One possible solution is a reciprocal agreement with another company. You could make an agreement with a company whose control center is far enough away from yours that, if there is a disaster, you can use their control center or backup control center, and you agree to let them use yours if they experience a disaster. This solution is not simple, however. It takes setup and ongoing coordination, such as installing and maintaining your own servers at their site or loading your operational control screens on their servers. It requires maintaining physical and electronic access lists for both parties. Also, reciprocal agreements are not required by NERC Standards. It is just an idea your company could explore in light of recent events.

Another idea is making sure the technicians and operators who are needed during a disaster are both able and willing to arrive at work. For the "able" aspect, if the anticipated disaster is a snow storm, do operators have a suitable snow vehicle at home? For the "willing" aspect, consider how you would feel if your family wasn't taken care of and you were asked to come in to help with a disaster. You would be hesitant, and even if you came in your mind would be distracted. A possible solution is to identify key disaster personnel and ask them what would need to be done for their family in order for them to feel good about leaving. They may want to know their family has flashlights, enough food and water for X days, and that all their kids made it home from school. Instead of having the operator or technician do all of this alone, your company could pre-assign disaster coordinators who ensure flashlights, food, and water are at their homes ahead of time. At the start of the disaster, the disaster coordinator would assure the operator that they will handle everything for the family, coordinate with the family to confirm everyone is safe and has the provisions they need, and then relay that information to the operator. This would allow technicians and operators to arrive at work sooner and do a better job knowing things are fine at home. This system is also not required by NERC Standards. It is just an idea we can take from Hurricane Harvey.

If your company does implement controls above the requirements of the NERC Standards, be sure to document them in your procedures and Reliability Standard Audit Worksheets (RSAWs), because Regional auditors will give you kudos for them at your next audit.

NERC CIP-002-5 is the starting point for determining which Cyber Assets need CIP protections. Entities are required to evaluate their Bulk Electric System (BES) assets according to Attachment 1, which lists the criteria for High, Medium, and Low Impact BES Cyber Systems. Everything appears to be very straightforward, but what about Criterion 2.11? Does non-BES generation count towards the 1,500 megawatt (MW) threshold? NERC (unofficially) says it does.

Criterion 2.11 states: "Each Control Center or backup Control Center, not already included in High Impact Rating (H) above, used to perform the functional obligations of the Generator Operator for an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection."

The issue gets fuzzy for Control Centers that manage renewable generation, because many solar and wind facilities do not have enough megavolt-amperes (MVA) of capacity to be BES facilities. BES generation is, in short, generation connected at 100 kilovolts (kV) or above with an individual nameplate rating greater than 20 MVA or a plant/facility aggregate nameplate rating greater than 75 MVA.

PCS has been taking the conservative approach that non-BES generation counts towards the 1,500 MW threshold. However, there has been some confusion throughout the industry. PCS had a recent phone conversation with a member of the CIP team at NERC regarding this topic. The member of NERC confirmed that non-BES generation counts and was surprised there was confusion about this. Unfortunately, the person at NERC declined to provide a written response to PCS' email, but based on the conversation with NERC, PCS suggests that entities that have Control Centers evaluate all generation within a single Interconnection, whether BES or non-BES, to see if the total is equal to or exceeding 1,500 MW.

The missing CIP-012 standard has now arrived - at least in development form. CIP-001 (sabotage) was retired. CIP-002 through CIP-011 still exist, as does CIP-014. CIP-013 (supply chain) is under development, and now CIP-012 exists as Draft 1. The initial ballot and comments are due September 11, 2017.

Requirement 1 states: "The Responsible Entity shall develop one or more documented plan(s) to mitigate the risk of the unauthorized disclosure or modification of data used for Operational Planning Analysis, Real-time Assessments, and Real-time monitoring while being transmitted between Control Centers. This excludes oral communications."

Controls can be one of the following:

  • Physically protecting the communication links transmitting the data;
  • Logically protecting the data during transmission; or
  • Using an equally effective method to mitigate the risk of unauthorized disclosure or modification of the data.

Requirement 1 also includes this note: "If the Responsible Entity does not have a Control Center or it does not transmit the type of data specified in Requirement R1 of CIP-012-1 between two Control Centers, the requirements in CIP-012-1 would not apply to that entity."

Requirement 2 is very simple, requiring entities to implement the above plan except during CIP Exceptional Circumstances.

Interestingly, this is the first CIP Standard to require controls for communications outside the Electronic Security Perimeter (ESP). Requirement 1 doesn't say between the Responsible Entity's Control Centers. It's between any Control Center - whether owned by the Responsible Entity or by another Responsible Entity. Therefore, this Standard will take more coordination with other entities than most CIP Standards. Entities will need to identify which Control Centers they communicate data with for Operational Planning Analysis, Real-time Assessments, and Real-time monitoring.

Operational Planning Analysis is defined by NERC as "An analysis of the expected system conditions for the next day’s operation. (That analysis may be performed either a day ahead or as much as 12 months ahead.) Expected system conditions include things such as load forecast(s), generation output levels, Interchange, and known system constraints (transmission facility outages, generator outages, equipment limitations, etc.)."

Real-time Assessments are defined by NERC as "An examination of existing and expected system conditions, conducted by collecting and reviewing immediately available data."

Real-time is defined by NERC as "Present time as opposed to future time. (From Interconnection Reliability Operating Limits standard.)"

The Implementation Plan for CIP-012-1 gives entities 12 months from approval.

There have been recent updates to NERC CIP Supply Chain Standard CIP-013-1, which is not yet approved but under development and subject to possible future changes and approval. The purpose of this project is to better protect BES Cyber Systems by implementing controls to reduce the risk of compromised vendor hardware and software. The following are the most important changes:

  1. Low Impact BES Cyber Systems escape! Draft 1 of CIP-013-1 had requirements for Low Impact BES Cyber Systems, but these have been removed in Draft 2. While keeping them would have been good for security, it didn't make sense to require Low Impact systems to implement these controls, because the industry uses a risk-based approach. Low Impact systems are Low Impact for a reason. They should have some controls, but not the same ones as High and Medium Impact systems. High and Medium Impact BES Cyber Systems must still implement the supply chain controls.
  2. Clarifying language was added to Requirement 2 that allows entities to follow a process rather than actually getting vendors to comply: "Note: Implementation of the plan does not require the Responsible Entity to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders). Additionally, the following issues are beyond the scope of Requirement R2: (1) the actual terms and conditions of a procurement contract; and (2) vendor performance and adherence to a contract." The Standard Drafting Team (SDT) on an update call gave the specific example of having a process to ask for supply chain controls when negotiating contracts, but it won't be a violation of CIP if vendors don't agree to those controls and they fall out of the contract during contract negotiations. They also said contract language would not be in the scope of an audit - just the process. Entities are only required to have a process to try to get controls into contract language. Therefore, success for this standard will be in having the right process that covers what it needs to but doesn't go too far, which is a similar approach to the Information Protection Program in CIP-011-2.
  3. Requirement 3 (software authenticity) was moved to a new Part in CIP-010-3, Part 1.6. On the webinar, someone asked for an example of verifying a software source. The SDT responded that one way is to check the SSL/TLS certificate of the vendor's download page and confirm that the certificate was issued to the vendor and is still valid. For automated patching systems, you can rely on the automated system's specifications: if the system's documentation states that it validates the patch before making it available to you, you can rely on that process and do not have to re-validate patches. Once a patch is validated, it can be distributed to multiple machines without validating it again.
  4. Requirement 4 (vendor remote access) was moved to two new Parts in CIP-005-6, Parts 2.4 and 2.5.
  5. Implementation was changed from twelve (12) months to eighteen (18) months, which is great news for industry. We all have more time to get ready. However, remember with all the different business units that will be affected it's never too early to start.
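
The source identity and software integrity checks in CIP-010-3 Part 1.6 (item 3 above, and the last bullet of the procedure list earlier on this page) are the one place in these requirements where a technical control is actually being described. The SDT's SSL example establishes the identity of the download server, not that the bytes you downloaded are the bytes the vendor released; a vendor signature over a digest manifest, verified against a vendor key the entity obtained and pinned out of band, covers both halves of the requirement at once. The following is an added example, not code from the original post, from PCS, or from NERC, and it assumes a hypothetical vendor that publishes a sha256sum-style manifest signed with Ed25519 (the manifest format, file names, key handling and the simulated vendor side are all constructed for the example):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors so a procedure can record which half of the requirement failed:
// source identity (signature) versus software integrity (digest).
var (
	ErrBadSignature   = errors.New("manifest signature does not verify against pinned vendor key: source identity not established")
	ErrNotInManifest  = errors.New("file is not listed in the signed manifest")
	ErrDigestMismatch = errors.New("SHA-256 of obtained file does not match signed manifest: integrity check failed")
)

// ParseManifest reads a hypothetical vendor release manifest in sha256sum layout,
// "<sha256-hex>  <filename>" per line, ignoring blank lines and '#' comments,
// and returns filename -> expected digest (lower-case hex).
func ParseManifest(text string) (map[string]string, error) {
	digests := make(map[string]string)
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("manifest line %d is malformed: %q", n+1, line)
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			return nil, fmt.Errorf("manifest line %d has a non-hex digest: %q", n+1, fields[0])
		}
		digests[fields[1]] = strings.ToLower(fields[0])
	}
	return digests, nil
}

// VerifyPatch performs the two checks of CIP-010-3 Part 1.6 in order:
// (i) source identity: the manifest must carry a valid Ed25519 signature from the
//     vendor key the entity pinned out of band; nothing in the manifest is trusted
//     until that passes;
// (ii) integrity: the SHA-256 of the obtained file must equal the signed digest.
func VerifyPatch(vendorPub ed25519.PublicKey, manifest, sig []byte, name string, file []byte) error {
	if !ed25519.Verify(vendorPub, manifest, sig) {
		return ErrBadSignature
	}
	digests, err := ParseManifest(string(manifest))
	if err != nil {
		return err
	}
	want, ok := digests[name]
	if !ok {
		return ErrNotInManifest
	}
	sum := sha256.Sum256(file)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

// NewVendorKey, BuildManifest and SignManifest simulate the vendor's release
// process so the example runs offline; a real vendor publishes the manifest and
// signature next to the download and distributes its public key separately.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func BuildManifest(files map[string][]byte) []byte {
	var b strings.Builder
	b.WriteString("# constructed release manifest for the example\n")
	for name, data := range files {
		sum := sha256.Sum256(data)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), name)
	}
	return []byte(b.String())
}

func SignManifest(vendorPriv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(vendorPriv, manifest)
}

func main() {
	// Vendor side (simulated): sign a manifest for a constructed firmware image.
	vendorPub, vendorPriv := NewVendorKey()
	patch := []byte("constructed RTU firmware image v2.3.1")
	manifest := BuildManifest(map[string][]byte{"rtu-fw-2.3.1.bin": patch})
	sig := SignManifest(vendorPriv, manifest)

	// Responsible Entity side: verify before staging the change on a BES Cyber System.
	fmt.Println("genuine patch:  ", VerifyPatch(vendorPub, manifest, sig, "rtu-fw-2.3.1.bin", patch))
	tampered := append([]byte{}, patch...)
	tampered[0] ^= 0x01
	fmt.Println("tampered patch: ", VerifyPatch(vendorPub, manifest, sig, "rtu-fw-2.3.1.bin", tampered))
	otherPub, _ := NewVendorKey()
	fmt.Println("wrong vendor key:", VerifyPatch(otherPub, manifest, sig, "rtu-fw-2.3.1.bin", patch))
}
```

The order of the checks is the point: the digest list is only meaningful after the signature over it has verified, which is also why a digest published on the same web page as the download (protected only by that page's TLS certificate) is weaker than a signed manifest. The verification result, including which sentinel error was hit, is the evidence an entity would retain for the Part 1.6 change record.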

Remember that the SDT is under tight timelines due to the FERC Order. The deadline for filing with FERC is September. That requires NERC Board adoption in August, with the second formal comment period and ballot running through June 15. It's time to comment and ballot. The development project page is found at http://www.nerc.com/pa/Stand/Pages/Project201603CyberSecuritySupplyChainManagement.aspx .
