Tuesday, January 11, 2011

NERC CIPs: Looking at Version 4 Red-lines and Headlines in early 2011

Back in December 2009, the CIP-002 version 4 draft was called "Cyber Security—BES Cyber System Categorization," and it and sought to break out T&D assets into High, Medium, and Low BES impact systems, as well as define violation levels built off of these categorizations.

Because of the increasingly interconnected and interdependent nature of grid assets in the emerging Smart Grid, regulated protection of the most important systems, while a good starting point, is far from mission complete. Hence, this draft included language that removed the bias towards the subset of systems deemed critical:
"Terms to be retired from the Reliability Standards Glossary of Terms once the standards that use those terms are replaced: Critical Assets, Critical Cyber Assets ..."
This was viewed as a relatively bold step forward at the time by advocates for more granular guidance across a broader range of systems, and as overwhelmingly too much work by asset owners who already felt CIP compliance activities were draining far too many cycles from their already maxed out employees.

A number of industry watchers and bloggers were pretty excited about version 4's new directions, with articles like "DRAFT NERC CIP-002-4 - A Turning Point for NERC CIPs?" and another "Big NERC CIP Changes Looming" foresaw:
"Every requirement will be auditable and not just addressable," and "there are no 'out of scope' bulk electric system assets."
Well, as you can imagine, debates ensued among the members of the standards development team and the language, one year later, is much less ambitious. As this December 2010 red-line copy reveals, CIP-002 version 4 retains its original name: "Cyber Security—Critical Cyber Asset Identification" and only a few things are set to change: 
  • The biggest change is that utilities are no longer responsible for identifying critical assets via their own risk based assessments. A new attachment takes care of that for them and brings badly needed uniformity to the process
  • A clear call-out that nuclear assets, regulated by the NRC, are definitely not in scope
  • A reworking of violation levels is now "to be developed later"
For folks who've followed the process, this seems like a lot of time consumed without very much to show for it, unless regulators and the regulated feel that preserving the grid security standards status quo is in everyone's best interests.

Also, just in from the grapevine, comes word that more is set to change than is revealed in the red-lines. Here's a few unconfirmed but likely items:
  • The terms "Electronic Security Perimeter" and "Physical Security Perimeter" are being retired
  • High, Medium and Low impacts, based on the total output of each registered facility, will return to CIP-002
  • All material black start facilities will be considered High impacts regardless of their generation capabilities
I want to keep the information on the SGSB as accurate and helpful as possible, but as an outsider to the standards development process, my view of what's coming next is far from perfect. So if any readers who've made it this far know more, or know different than what you've read here, please let me know and I'll update the post pronto.

No comments: