Thursday, March 28, 2013

EnergySec Welcomes NERC CIP Virgin Utilities with Version 4 Briefing

Titled "Get Ready for Version 4," the deck linked at the end of my words has some great and helpful info in it, not just for utilities transitioning from version 3, but for brand-new utilities who for the first time come under the tender embrace of the CIPs. To them, all of us in the community say, "Welcome aboard!!!"

An all-star energy and security team, including Steve Parker, new President of the Energy Sector Security Consortium (EnergySec), and Honeywellers Tom Alrich and Donovan Tindill, shared some sobering, cold, hard, urgent facts. Those from Tom Alrich were particularly rich:

  • Some have asked whether 4/1/2014 is the Compliant or Auditably Compliant date. These are CIP V1 terms – 4/1/2014 is the Compliant and Auditably Compliant date for Version 4. This means you have to have everything for compliance in place on that date, and includes all policies, procedures and technologies in CIP-003 through CIP-009.
  • There are some who believe that assets identified by the V4 criteria are “newly identified” under V4 – thus they have 6-24 more months to comply after 4/1/2014. They are wrong: NERC and the Region Entities are in agreement on this.

Donovan Tindill was no slouch either. Ensure you ingest a few of his lessons learned, like:
  • Cyber Assets not previously inventoried need budgeted >1 hour each!
  • Actual Site Inventory Labor: 11 sites, 1500 Cyber Assets = 2,200 hours
  • Site inventory can uncover >30% more assets than originally thought!
  • Existing network drawings >2 years old cannot be trusted, easier to start over with both logical and physical cable tracing
  • 50% of equipment is non-IT traditional infrastructure and is not easily recognized nor is information you need to collect and report easily collected

OK, I don't want to steal too much more of their thunder, so without further delay or obfuscation, you can see the whole deck by clicking HERE. You realize April 1st, 2014 is less than 53 weeks away, right? Good luck!


Tom Alrich said...

Thank you for your comments, Andy!
I do want to point out that the recording is also available here:

Tom Alrich

Dale W. said...

Tom, I am still very confused by all of this. Using the Implementation Plan located on NERC's website here: , using Category 1 Scenario on page six and then referencing Table 2 milestone 1 on page 11 leaves me believing that an entity with a newly identified asset does have 24 months. This is so confusing and likely to lead to many a sleepless night. Dale W.