At the NERC CIPC meeting last week in Louisville, KY, Tobias Whitney of NERC summarized the main issues that the Standards Drafting Team will address in CIP version 7 (although the dreaded term “version 7” was not mentioned, of course). Included in his slides was one that listed what FERC had mandated for the next version when they approved CIP v6 in Order 822 in January. The items listed were[i]:
- Protection of transient electronic devices used at low-impact bulk electric system cyber systems,
- Protections for communication network components between control centers, and
- Refinement of the definition for Low Impact External Routable Connectivity (LERC).
Being very astute on these matters, I immediately noticed that one item had been left off this list: protection of data in motion between control centers (you can find my interpretation of what FERC ordered in the second post linked above). I pointed this out to Tobias, and he admitted this was a mistake and said it would be fixed.
Indeed, the website for NERC’s new “Project 2016-02 Modifications to CIP Standards” also lists three points as above, but one of them is now “Develop modifications to the CIP Reliability Standards to require responsible entities to implement controls to protect, at a minimum, communication links and sensitive bulk electric system data communicated between bulk electric system Control Centers in a manner that is appropriately tailored to address the risks posed to the bulk electric system by the assets being protected (i.e., high, medium, or low impact).”
You’ll notice that this point now includes both “communication links” (which I assume means basically the same thing as “network components” in Tobias’ slides) and “sensitive bulk electric system data communicated…” I believe this latter phrase addresses what FERC was asking for in Order 822 when they stated “…we find that additional measures to protect both the integrity and availability of sensitive bulk electric system data are warranted.” I think it would be clearer if these two items were in separate bullet points, but this does address what I brought up at the CIPC meeting.
However, I now realize that, in my post on Order 822, I identified five changes that were mandated, not just four. The fifth one (also not mentioned by Tobias) is protection of “data at rest” inside Control Centers. Unlike data in motion between Control Centers, the mandate to protect data at rest was not hinted at in FERC’s NOPR last summer. Yet FERC makes it clear they want these protections in the Order when they say “NERC’s response to the directives in this Final Rule should identify the scope of sensitive bulk electric system data that must be protected and specify how the confidentiality, integrity, and availability of each type of bulk electric system data should be protected while it is being transmitted or at rest (my emphasis).”
As I stated in my post on Order 822, this new mandate might well be the most important, especially in terms of the amount of effort it will take to turn it into requirements, and for NERC entities to comply with those requirements. This is a whole new expansion of the scope of NERC CIP, but it has to be addressed. After all, FERC wants it.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] These are NERC’s words, not mine. These three items are listed in the email that NERC sent out last week which announced the CIP Technical Conference in Atlanta on April 19. Since Tobias’ slides haven’t been released yet, I can’t confirm they had this exact wording; however, I’m sure that substantively it was the same.