Cyber Security Standards

Cyber Security Standards

Transition Guidance (Revised)

To: Regional Entities and Responsible Entities

From: NERC Compliance Operations

Date: DRAFT DATE: June 9, 2014

1.Introduction

As the CIP Reliability Standards have developed and matured, the overarching philosophy has been consistent: apply the appropriate cyber security measures to protect the reliable operation of the Bulk Electric System (BES).The transition to Version 5 Critical Infrastructure Protection (CIP) Reliability Standards (V5) does not mean that there is expected to be a single point in time when Responsible Entities will move from compliance with Version 3 CIP Reliability Standards (V3) to compliance with V5.Establishing compliance with V5 will be an ongoing process.

The “Effective Date” of V5 is April 1, 2014, which is based on the date that the V5 Standards were approved by FERC. Until the “compliance enforcement date” of April 1, 2016, compliance with V3 remains mandatory and enforceable, and will be assessed until the official V5 compliance enforcement date. However, during the transition period, there will be a flexible approach to the evaluation of V3 compliance.

This updatedCyber Security Standards Transition Guidance applies to Regional Entities and Responsible Entities. It providesguidanceand flexibility for implementing changes to achieve compliance with V5 without undue concerns regarding compliance status with V3. It explains how auditors will assesscompliance during the time between the issuance date of this revised Cyber Security Standards Transition Guidance and the enforcement date of V5 (“Transition Period”). Since additional changes are being drafted to the V5 Standards, this transition guidance document will be updated if necessary to reflect any changes that are approved by FERC.

This guidance supersedes previous Cyber Security Standards Transition Guidance.

2.Background

FERC Order 791 was issued on November 22, 2013, approving CIP Reliability Standards 002-5 through 011-1, with certain directives that were subsequently referred to a specially formed Standards Drafting Team (SDT) for resolution. For those issues not requiring action by the SDT, the Commission also approved NERC’s implementation plan allowing Responsible Entities to transition from compliance with the currently-effective CIP V3 Reliability Standards to compliance with the CIP V5 Reliability Standards. The Order also stated that Version 4 CIP Reliability Standards (V4) will never be mandatory and enforceable.

3.Newly Identified BES Cyber Systems

As per the release of this document, a Responsible Entity with newly identified systems and facilitiesshall begin implementing V5.A Responsible Entity that previously would have referred to the Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities[1] in CIP V3 or that has used the V5 Impact Ratings to identify new assets may move directly to compliance with CIP V5. This allows entities that will be implementing new systems or that have newly identified assets applicable to V5 a clear path without the added compliance requirements of V3 during the transition period. Any newly identified High or Medium Impact systems will be enforced as per the April 1, 2016 compliance enforcement date.

Responsible Entities that have assets identified by an acquisition or that have received a Registered Third-Party Designation (see below) will be providedthe latter of either a 12 calendar month implementation window from the time of notification in accordance with V5 Implementation Plan[2] or an implementation date of April 1, 2016 for any newly identified BES Cyber Systems.

• (Impact Rating 2.3) Each generation Facility that its Planning Coordinator or Transmission Planner designates, and informs the Generator Owner or Generator Operator, as necessary, to avoid an Adverse Reliability Impact in the planning horizon of more than one year.

• (Impact Rating 2.6) Generation at a single plant location or Transmission Facilities at a single station or substation location that are identified by its Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.

• (Impact Rating 2.8) Transmission Facilities, including generation interconnection Facilities, providing the generation interconnection required to connect generator output to the Transmission Systems that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the generation Facilities identified by any Generator Owner as a result of its application of Attachment 1, criterion 2.1 or 2.3.

4.Compliance during the Transition Period

Responsible Entities are expected to take the appropriate actions to become compliant with the V5 Standards by the compliance enforcement date, while maintaining compliance with the V3 Standards consistent with this Guidance Document.

Responsible Entities that previously identified their Critical Cyber Assets (CCAs) according to the bright-line criteria in V4 no longer have that approach available because of FERC’s Order approving V5. Thus, Responsible Entities that are not using a Risk Based Assessment Methodology to identify CCAs as directed by V3 must use the bright-line criteria that is described in CIP-002-5. A Responsible Entity that has been relying on V4 bright-line criteria for identifying its Critical Assets will be expected to update its process and associated documentation within 60 days of the publication date of this Transition Guidance.

While the new CIP Reliability Standards designated as CIP-002-5 through CIP-011-1 represent a significant change from V3 in terms of applicability and breadth, many are “Mostly Compatible” (MC) with the language and expectations of the V3 requirements. In light of these similarities, Responsible Entities can move toward compliance with V5 requirements with confidence, understanding that Regional Entities will exercise discretion when assessingcompliance to V3 requirements during the transition period. If a Responsible Entity is satisfying a designated V5 requirement, it will be considered to also be meeting the “MC” V3 requirement.

5.Transition Period Audits

During the transition period, the Compliance Monitoring and Enforcement Program (CMEP) will continue to be the guiding directive for the conduct of CIP audits. CMEP documents such as the “Actively Monitored List” will be updated for consistencywith this Transition Guidance.

For those Responsibility Entities without V3 Critical Assets or Critical Cyber Assets, Regional Entitieswill forgo scheduled audits for CIP Standards until the requirements for Low Impact BES Cyber Systems are formally approved and the Implementation Date has been determined.A Regional Entity can use other monitoring methods such as Spot Checks, Self-Certifications, outreach, etc. in lieu of off-site audits for entities without V3 Critical Assets or Critical Cyber Assets.

Beginning on August 1, 2014, Responsible Entities with CIP audits scheduled to occur before April 1, 2016, will be expected to notify their Regional Entityregarding which of these circumstances applies to them for the upcoming audit:

1. The Responsible Entity has begun the early adoption process for V5 and if so,which V5 requirements to assess during the audit, or
2. The Responsible Entitywill demonstrate compliance with V3 without regard to the V5 requirements.

The notification process will begin when the Regional Entity sends a Request for Information (RFI) to the Responsible Entity 45 days prior to the normal 90-day audit notification letter (i.e., 135 days before audit). The RFI will include the spreadsheet with the requirements and compliance expectations listed in the Compatibility Tables. The Responsible Entity will return the completed spreadsheet to the Region within 15 days of receipt.

The “Compatibility Tables[3]” show the requirements from V5 that have been deemed as “mostly compatible” with a V3 counterpart. This comparison is intended to help Responsible Entities maintain adequate protection of BES assets as they move from compliance with V3 to compliance with V5 of the CIP Reliability Standards.For each V3 requirement that maps to V5 and that has been identified as “mostly compatible”, the Responsible Entity can declare if they comply with V5. If so, V5 will be the initial basis of review for that requirement. Any deficiencies noted during an audit will be addressed from the perspective of compliance with V3.

An additional consideration regarding the declaration of compliance with V5 is the “in progress” state of implementation; e.g., multiple locations or facilities that are not at the same stage of V5 implementation. In that case, the declaration sent to the Regional Entity should define by category, location, etc. where V5 or V3 requirements should apply.

During an audit, an entity found to be compliant with the declared V5 requirement will also be considered compliant with the “MC” V3 requirement without further review. If an entity is found to be non-compliant with a declared V5 requirement, the auditors will revert to a V3 review for the requirement in question. Any potential findings and enforcement action will apply if the Responsible Entity is not compliant with the V3 requirement during the audit period.Auditors may offer recommendations for V5 compliance; however, no formal violations will be issued for V5 requirements during the transition period.

6.V5 Implementation Study

Six Responsible Entities participated in a study to voluntarily implement the V5 Standards prior to the enforcement date of April 1, 2016. One goal of the study was to identify processes, tools, and other guidancefor achieving compliance with V5 requirements. While lessons learned and related information from the study are expected to be helpful and informative, they are also intended to clarify areas that some Registered Entities may find challenging. Helpful information,such as “Lessons Learned,” is available at the V5 Implementation Study page at NERC’s website.

7.Technical Feasibility Exceptions (TFEs)

In general, TFEs will align with the overall transition process from V3 to V5 and will be considered in the context of the underlying requirement(s).

For TFEs pertaining to issues that were also TFEs in V3, the transition processwill be limited to updating the appropriate references as well as refining the applicable mitigation plans. In the meantime, updates and changes can be submitted as necessary via a Material Change Report (MCR).

V5 TFEs pertinent to V3 TFEs
V5 / V3
CIP-005-5 R2.3 / CIP-005-3 R2.4
CIP-007-5 R1.1 / CIP-007-3 R2.3
CIP-007-5 R4.3 / CIP-007-3 R6.4
CIP-007-5 R5.6 / CIP-007-3 R5.3.3

Table 6.1

If a system or device is unable to meet strict compliance with a V5 requirement that has no associatedTFE per V3, a TFE request will be necessary. Specific instructions pertaining to V5 TFE procedures will be part of the next update to Appendix 4D of NERC’s Rules of Procedure. Until that update, a Responsible Entity should contact the Regional Entity for guidance regarding those V5 TFEs.

V5 TFEs not associated with V3 TFEs
CIP-005-5 / CIP-006-5 / CIP-007-5 / CIP-010-1
R1.4 / R1.3 / R5.1 / R1.5
R2.1 / R5.7 / R3.2.
R2.2

Table 6.2

Existing TFEs that are no longer applicable per V5 requirementswill be considered terminated upon the final release of this document.

V3 TFEs superseded when V5 is Implemented
CIP-005-3 / CIP-006-3 / CIP-007-3
R3.1 / R1.1 / R3.2
R4
R5.3
R 5.3.1
R 5.3.2
R6

Table 6.3

Cyber Security Standards Transition Guidance (Revised)1

[1]

[2]“ Implementation Plan for Version” 5

[3] Insert link for Compatibility Table