A Few Current NERC CIP V5 (Version 5) Projects
For a municipal electric utility in the Midwest, N&ST has overhauled the technical and procedural V3 controls with the V5 requirements in mind as the utility prepares for its CIP audit later in 2014. For example, documentation has been updated to use V5 terms, such as EACMS, PACS, and EAP, where possible. The CIP-003-3, R4 information protection program and the CIP-007-3, R7 redeployment / disposal program have been unified and updated to accommodate both V3 and V5. A similar approach has been applied to the CIP-003-3, R6 and CIP-007-3, R1 programs, mindful of the integration of change control and configuration management in CIP-010-1. Access management has been more closely unified to address physical access, logical access, and access to information about Cyber Assets. Given the large number of areas in need of remediation, N&ST and the Entity agreed that implementing controls for V3 compliance that are mindful of and ready for V5 is the most prudent path. While the effort to update controls with both versions of the Standards in mind may be greater, this approach will reduce the level of effort needed to be auditably compliant on April 1, 2016.
For a GO/GOP TO/TOP in the Northeast, N&ST has reviewed the Entity’s existing V3 controls for its control centers, transmission substations, and single generation facility to identify the gaps between those controls and the V5 requirements. The assessment did not address changes in vocabulary, such as BES Cyber System, or in timelines, such as once every fifteen calendar months rather than annually. There were two deliverables for the engagement. The first was a workbook that aligned the V3 and V5 requirements along with N&ST’s observations, recommendations for compliance, and suggestions for more easily demonstrating compliance during an on-site audit. The second was a written report containing the same information, which also listed strengths and weaknesses organized both by program (for example, CIP-002-3, R1 or CIP-007-3, R1) and by business unit. The report concluded with a roadmap detailing the time and resources required to address the areas requiring changes to meet the V5 requirements.
For a GO/GOP TO/TOP in the Midwest, N&ST is supporting the Entity’s CIP program through staff augmentation. A gap analysis of the existing V3 controls against the V5 requirements was performed in early 2014. N&ST is participating in the development of specific remediation plans, including the activities and their outputs, the identification of staffing requirements and gaps, and the determination of required capital investments. A major concern in migrating towards V5 is the impact of a determination by another Entity that one of its transmission substations contains Medium Impact BES Cyber Systems because of the power levels and number of lines at that substation, such as three or more 345 kV lines. If one of those lines terminates at a transmission substation of N&ST’s client and is the only high-voltage line there, that substation would otherwise be classified as containing only Low Impact BES Cyber Systems. The equipment that terminates the circuit is likely to be deemed essential, forcing a change in the designation of those Cyber Assets to Medium Impact. N&ST is working with the Entity to develop a strategy to review its transmission substations and develop plans to implement appropriate controls.
** NEW 6/12/2014
N&ST recently completed assisting a large recipient of DoE Smart Grid grant money in several areas. Activities included restructuring and rewriting the Cyber Security Policy (CSP), tracking compliance with the CSP, and updating materials about the CSP for the annual DoE reviews of the organization’s Smart Grid Initiatives. Based upon feedback from the DoE, the organization developed a risk analysis approach based on the NIST 800-30 framework, and N&ST conducted assessments for each initiative. The use of some shared infrastructure across the efforts streamlined the process and highlighted the areas of risk unique to each project. DoE was pleased with the use of the NIST approach to managing risk.
A utility supplying both electric power and natural gas to customers contracted N&ST to perform a risk assessment of its natural gas infrastructure. In the absence of industry-specific cyber security requirements, the CIP Version 3 requirements were used as the assessment criteria for its gas operations. There was no expectation that CIP terminology would appear in any of the gas documentation, and its absence was not cited as an area for improvement. A challenge was determining the key components and facilities that support the managed delivery of gas, in comparison to the models used by the electric power industry. The use of a common framework enabled management to better understand the risks of its two separate energy delivery operations.
** NEW 6/25/2014
N&ST is currently augmenting the staff of an Entity not subject to the V3 Standards that is still evaluating and selecting its energy management system and core network technologies. Most of the effort to date has gone into developing security best practices in the areas of policy, standards, and processes. Once specific equipment is purchased, N&ST will update the materials to reflect the V5 requirements as they apply to those platforms and devices.
For an Entity building wind farms, N&ST has recently started assisting with the development of a CIP V5 program. To date, most of the effort has focused on providing insight into the Standards and developing templates.