NERC CIP-012-1 Has Arrived

The missing CIP-012 standard has now arrived, at least in development form. CIP-001 (sabotage) was retired. CIP-002 through CIP-011 still exist, as does CIP-014. CIP-013 (supply chain) is under development, and CIP-012 is now in its first draft. Initial ballot and comments are due September 11, 2017.

Requirement 1 states: "The Responsible Entity shall develop one or more documented plan(s) to mitigate the risk of the unauthorized disclosure or modification of data used for Operational Planning Analysis, Real-time Assessments, and Real-time monitoring while being transmitted between Control Centers. This excludes oral communications."

Controls can be one of the following:

  • Physically protecting the communication links transmitting the data;
  • Logically protecting the data during transmission; or
  • Using an equally effective method to mitigate the risk of unauthorized disclosure or modification of the data.

Requirement 1 also includes this note: "If the Responsible Entity does not have a Control Center or it does not transmit the type of data specified in Requirement R1 of CIP-012-1 between two Control Centers, the requirements in CIP-012-1 would not apply to that entity."

Requirement 2 is very simple, requiring entities to implement the above plan except during CIP Exceptional Circumstances.

Interestingly, this is the first CIP Standard to require controls for communications outside the Electronic Security Perimeter (ESP). Requirement 1 is not limited to data sent between the Responsible Entity's own Control Centers. It covers data transmitted between any Control Centers, whether owned by the Responsible Entity or by another Responsible Entity. Therefore, this Standard will take more coordination with other entities than most CIP Standards. Entities will need to identify which Control Centers they exchange data with for Operational Planning Analysis, Real-time Assessments, and Real-time monitoring.

Operational Planning Analysis is defined by NERC as "An analysis of the expected system conditions for the next day’s operation. (That analysis may be performed either a day ahead or as much as 12 months ahead.) Expected system conditions include things such as load forecast(s), generation output levels, Interchange, and known system constraints (transmission facility outages, generator outages, equipment limitations, etc.)."

Real-time Assessments are defined by NERC as "An examination of existing and expected system conditions, conducted by collecting and reviewing immediately available data."

Real-time is defined by NERC as "Present time as opposed to future time. (From Interconnection Reliability Operating Limits standard.)"

The Implementation Plan for CIP-012-1 gives entities 12 months from approval.

