Tuesday, April 5, 2011

No Jive: it's 5 (Version 5 of the NERC CIPs, that is)

You know, there's only so much you can do to enliven a discussion on the development of industry standards. Here at the SGSB we do our best to keep it interesting, but when you get right down to it, you've really got to have a major stake in this matter to give a ... hoot.

So if you're still reading, you must have a searing need to know more. Whether you're an outside observer or a utility employee or contractor on the inside, you must really care about the rules intended to help move utilities to become more secure. Else, you're a lost ESL student who happened upon this page and are even now trying to figure out what these words mean. In any case, let's proceed.

A few weeks ago I got the first few dispatches from the most recent NERC Standards Development Team (SDT) meetings and posted a few observations HERE.

Since then, some more info has become available that confirms, corrects, clarifies and/or expands upon the initial stuff. Here are a few of the more important updates focusing entirely on the emerging Version 5 (V5):
  • Re impact level classifications, practically speaking, there are only two levels: baseline and high-impact. The high-impact assets are divided into those at control centers and those at generation plants or substations. At any particular facility, there will be only two types of assets
  • As the effective date for V4 will be in 2013, it’s a good bet that V5 compliance won't be required until 2014
  • While bright-line criteria for risk methodology are a V4 addition, in V5 the criteria determine which cyber assets are high vs. baseline (see first bullet)
A more detailed account called "Version 5: The Fog Starts to Lift" is available at the Matrikon site. You'll have to register if you haven't already, but I think you'll find it's worth a few extra keystrokes.

Photo credit: J/K_lolz on Flickr.com

No comments: