NERC CIP-002-5 is the starting point for determining which Cyber Assets need CIP protections. Entities are required to evaluate their Bulk Electric System (BES) assets according to Attachment 1. The attachment lists criteria for High, Medium, and Low BES Cyber Assets. Everything appears to be very straight forward, but what about Criteria 2.11? Does non-BES generation count towards the 1,500 megawatts (MW) threshold? NERC (unofficially) says it does.

Criteria 2.11 states: "Each Control Center or backup Control Center, not already included in High Impact Rating (H) above, used to perform the functional obligations of the Generator Operator for an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection."

The issue gets fuzzy in situations such as Control Centers that manage renewable generation because many solar and wind facilities do not have enough mega volt amps (MVA) to be BES facilities. The definition of BES generation is generation connected at at least 100 kilovolts (kV) with individual nameplate rating greater than 20 MVA or plant/facility aggregate nameplate rating greater than 75 MVA.

PCS has been taking the conservative approach that non-BES generation counts towards the 1,500 MW threshold. However, there has been some confusion throughout the industry. PCS had a recent phone conversation with a member of the CIP team at NERC regarding this topic. The member of NERC confirmed that non-BES generation counts and was surprised there was confusion about this. Unfortunately, the person at NERC declined to provide a written response to PCS' email, but based on the conversation with NERC, PCS suggests that entities that have Control Centers evaluate all generation within a single Interconnection, whether BES or non-BES, to see if the total is equal to or exceeding 1,500 MW.

There have been recent updates to NERC CIP Supply Chain Standard CIP-013-1, which is not yet approved but under development and subject to possible future changes and approval. The purpose of this project is to better protect BES Cyber Systems by implementing controls to reduce the risk of compromised vendor hardware and software. The following are the most important changes:

  1. Low Impact BES Cyber Systems escape! Draft 1 of CIP-013-1 had requirements for Low Impact BES Cyber Systems, but these have been removed in draft 2. While this would have been good for security, it didn't make sense to require Low Impact systems to implement these controls because industry uses a risk-based approach. Low Impact systems are Low Impact for a reason. They should have some controls but not the same as High and Medium Impact systems. High and Medium Impact systems must implement supply chain security still, however.
  2. Clarifying language was added to Requirement 2 that allows entities to follow a process rather than actually getting vendors to comply: "Note: Implementation of the plan does not require the Responsible Entity to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders). Additionally, the following issues are beyond the scope of Requirement R2: (1) the actual terms and conditions of a procurement contract; and (2) vendor performance and adherence to a contract." The Standard Drafting Team (SDT) on an update call gave the specific example of having a process to ask for supply chain controls when negotiating contracts, but it won't be a violation of CIP if vendors don't agree to those controls and they fall out of the contract during contract negotiations. They also said contract language would not be in the scope of an audit - just the process. Entities are only required to have a process to try to get controls into contract language. Therefore, success for this standard will be in having the right process that covers what it needs to but doesn't go too far, which is a similar approach to the Information Protection Program in CIP-011-2.
  3. Requirement 3 (software authenticity) was moved to a new Part in CIP-010-3, Part 1.6. A question was asked on the webinar of an example of validating software source. The SDT responded that one way was to check the SSL on a webpage and validating the SSL certificate has been issued to the vendor and is still valid. For automated patching systems, you can use the automated system specifications. If the system says validates the patch prior to making it available to you, you can rely on that process and don’t have to re-validate patches. If a patch is validated once, it can be distributed to multiple machines without having to validate again.
  4. Requirement 4 (vendor remote access) was moved to two new Parts in CIP-005-6, Parts 2.4 and 2.5.
  5. Implementation was changed from twelve (12) months to eighteen (18) months, which is great news for industry. We all have more time to get ready. However, remember with all the different business units that will be affected it's never too early to start.

Remember the SDT is under tight timelines due to the FERC Order. The Deadline for filing with FERC is September. That requires NERC Board adoption in August with 2nd formal commenting and balloting through June 15. It's time to comment and ballot. The development project page is found at http://www.nerc.com/pa/Stand/Pages/Project201603CyberSecuritySupplyChainManagement.aspx .

Among other items, NERC CIP-007-6 Requirement 5 contains requirements for protecting CIP computer systems by securing shared accounts.

Part 5.2 states, "Identify and inventory all known enabled default or other generic account types, either by system, by groups of systems, by location, or by system type(s)."

Part 5.3 states, "Identify individuals who have authorized access to shared accounts." These two requirements can be accomplished manually, such as in a spreadsheet, or they can be done through a technical solution. Typical data points to capture are a) system name, b) account name, c) individual who has authorized access, and d) access start date.

Part 5.6 states, "Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months." For most systems, this can be enforced through user account settings. However, this is simply not available on some systems. In these cases, Subject Matter Experts must manually change passwords. Escalated task reminder systems can be used to prompt action. The technical shared account system can also be used to run reports of password ages.

Further, CIP-004-6, Part 5.5 requires Responsible Entities to "change passwords for shared account(s) known to the user within 30 calendar days." This requirement causes a lot of work when a System Administrator leaves a company because there may be dozens of shared accounts for which the password needs to be changed. However, technical solutions exist where a report can show which passwords a person actually accessed while working there. For example, an entity may choose to use a software solution to identify shared accounts and require users to use that program to get the shared account password. Shared account passwords would not be known without accessing them through the software solution. That program could then log who accessed passwords and when. If the person was terminated or no longer needed access and only accessed 14 of the 24 passwords, only those 14 would need to be changed while the other ones would not.

Each Responsible Entity is unique and should implement the controls that fit their needs, which could be a combination of various methods. Further, careful consideration should be made so evidence of performing required controls can be easily demonstrated to internal and external auditors. Proven Compliance Solutions helps its clients with these and other CIP challenges. Please contact us for further information.

NERC and the Regions require that the initial CIP-003-6 Low Impact Cyber Security Incident Response exercise be completed by April 1, 2017. Proven Compliance Solutions (PCS) helped its clients perform these by facilitating table top exercises. The result was better understanding of Incident Response Plans and improved inter-departmental communication for the entities.

Performing exercises often reveals lessons learned. Also, performing exercises keeps procedures fresh in the mind of Subject Matter Experts (SME) who may have to follow procedures late at night or on weekends when they may not expect to do so.

PCS has found the most difficult thing for entities to do is to plan a meaningful scenario. Often the scenario is scheduled with appropriate SMEs who arrive at the meeting and look to the meeting organizer for what to do next. They read through the Incident Response Plan and talk through a few light scenarios. While this could be considered compliant if proper notes are documented to capture the exercise, the value increases if realistic, involving scenarios are planned in advance.

To plan scenarios, entities could ask themselves the following questions:

  • Which business units and SMEs should participate?
  • What are our attack vectors? How might an attacker actually affect our CIP systems?
  • Is the attack just electronic or will it have a physical security component?
  • At what point should the scenario require communication from the person/group who sees it to the Incident Response Team?
  • At what point should the Incident Response Team notify the Electricity Information Sharing and Analysis Center (E-ISAC)?
  • Will CIP systems need to be contained, eradicated, and restored?

The same exercise performed for CIP-003-6 can also be used for CIP-008-5 for High/Medium Impact systems if the same Incident Response Plan and response teams are used.

With a meaningful scenario, entities get more value from the Incident Response exercise. If your entity did not complete a Low Impact exercise by April 1, it is best to complete one right away and file a report with your region. PCS can assist entities with these efforts.

Recent events of the Oroville Dam flooding, which cause hundreds of thousands of people to be evacuated and impacted several utility companies, reminds us all of the importance of Cyber Asset Recovery Plans. NERC CIP-009-6 Requirement 1 mandates registered entities with High and Medium impact Bulk Electric System (BES) Cyber Systems to implement recovery plans, including the following (among others):

  • Conditions for activation of the recovery plan(s)
  • Roles and responsibilities of responders
  • One or more processes for the backup and storage of information required to recover BES Cyber System functionality

 The recent disruptions bring to mind that conditions for activating recovery plans can be varied and surprising. Registered entities are expected to create a table or list of different types of events or magnitude of loss. A table could be designed as follows:

BES Cyber System Impact Actions
Loss of backup system Investigate and Recover
Loss of primary system Automatic Failover, Investigate, and Recover
Loss of primary and backup system Investigate and Recover


Recent events also highlight the benefits of geographically dispersed BES Cyber Systems. For example, if your data center suddenly becomes submerged by water, it would be critical to operations to have another data center to fail over to that was not underwater.

Another tip is to have recovery plans available to those with a role in the plan at their homes and in a way that would be easily transportable. Consider the following:

  • Do Subject Matter Experts (SME), the people charged with bringing systems back online, have access to recovery plans from their homes? Ideas include encrypted thumb drives and paper copies stored in safe locations (perhaps a safe). Both are transportable.
  • How can we allow SMEs to restore BES Cyber Systems if they can't get to the office? Good VPN security and practice can help with this. Consider having SMEs work from home one day a month to test remote administration and find recommendations for improvement.
  • How can we help SMEs feel more comfortable leaving their families during a disaster? Interviewing SMEs and asking them will reveal interesting information. Perhaps minimal food storage and a backup radio can make all the difference.

There are many ways registered entities can comply with NERC CIP-009-6, and Proven Compliance Solutions helps its clients find the best solution. Please contact us for further information.

Our Services