This is part 2 in a series of posts designed to get you and your organization up to speed on the changes that the NERC CIP v5 updates will bring about. The first post in this series, Are You Ready for NERC CIP Version 5? Part One: CIP 002-5, covers the asset categorization requirements.
As of April 1, 2016, the North American Electric Reliability Corporation, along with the Federal Energy Regulatory Commission, expects all electric reliability organizations to implement the newest version of its Critical Infrastructure Protection reliability standards. So, what does that mean exactly for the overseers of our country's most valuable physical and virtual grid-connected assets?
In this ongoing series on NERC CIP Version 5, we'll be breaking down the facets of these updated standards, paying particular attention to those regarding change management. In our first blog post, we tackled CIP 002, which dealt primarily with categorizing bulk energy systems and understanding their power, as well as their limits. With CIP 003, we're not only going to dive a little deeper into the network of virtual and physical assets comprising the U.S. energy grid, but the cybersecurity management systems protecting them and holding operators accountable for configuration changes that impact cyber infrastructure functionality, as well as policies pertaining to "authorized unescorted physical access" to BES cyber systems, according to the NERC.
Is it Time for our 15-Month BES Cyber System Review Already?
Although NERC CIP reliability standards holistically address the need for greater transparency into BES asset management, CIP 003 begins by establishing minimum cybersecurity policies that must be reviewed and approved every 15 months for good measure.
Each ERO's CIP Senior Manager - a role CIP 003 also helps define - will be tasked with approving the cybersecurity operations in place for all of its medium- and high-impact BES cyber systems by collecting and reviewing relevant documentation on CIPs 004 through 011, including "CIP Exceptional Circumstances." Supporting evidence for approvals may vary at the ERO's discretion, but can consist of historical performance records or past reviews.
Although this seemingly has little to do with IT change management directly, these reviews force EROs to take a hard look at the integrity of their internal change management processes as they relate to securing configuration integrity.
The Low Down on Low-Impact BES Cyber System Security
Improvements to NERC CIP 003 reflected in version 5 include language changes that more specifically target low-impact BES cyber assets. As EROs manage low-impact configuration changes, what firewalls prevent unauthorized access?
To start, as NERC explained in its CIP 003 outline, requirements calling for security measures surrounding "External Routable Connectivity" have been exchanged for the terms "external routable protocol paths" and "Dial-up Connectivity." This is more than simply NERC flexing its diverse vocabulary - "External Routable Connectivity," by the organization's own assessment, doesn't meet requirements handed down by FERC's Order No. 761, as this term does not adequately cover low impact BES cyber systems and security authentication best practices for changes.
Furthermore, EROs must not only select and implement incident response plans should security be compromised in low-impact cyber assets, but test whatever plans they choose every three years "through a paper drill, tabletop exercise or a response to an actual Reportable Cyber Security Incident." Again, these additional security measures aim to reinforce comprehensive change management strategies.
Next time, we'll delve into CIP 005 and what Electronic Security Perimeters surrounding BES cyber systems can do to further strengthen ERO change management, as well as preserve the national electrical grid.