Sunday, December 7, 2008

Clock is Ticking for First Round of Pending Changes to NERC CIP Standards
- Comments due Jan 5th

Driven by the Cyber Standards Final Rule (FERC Order 706), the first revision to the NERC CIPs addressing cyber security requirements for bulk electric operations is out for review, with comments due by Jan 5th, 2009. This round of changes includes removal of a significant amount of wiggle room based on "business judgement", requires explicit senior management approval of the risk methodology (not just the critical assets list), requires background checking to be completed before access is permitted (not in parallel), and tightens the timeframe requirement for addressing security issues, among other changes.
  • "Emphasis on Order 706 directive for NERC to address revisions to the CIP standards considering applicable feature of the NIST Security Risk Management Framework among other resources. "
  • While this process with the NERC CIPs may seem difficult, at least there is the benefit of continuity. Congressional testimony last year and this year raised serious questions about NERC's ability to be an effective ERO for FERC; NERC's handling of Aurora and its arguably misleading testimony created much of this pain, and NERC is still not out of the woodshed. Last year's testimony also suggested getting rid of the CIPs and starting fresh based more on NIST standards, as recommended by Mr. Joe Weiss (jump to 2:12:50 for his opening comments in the video):
    - “The Cyber Threat to Control Systems: Stronger Regulations are Necessary to Secure the Electric Grid.” - Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Oct 17th, 2007 (video/submittals)
Better buckle up, this is just the first round of Order 706 driven changes.
  • "The SDT met on October 6–8, 2008 and because of the extensive scope and varying complexity of the issues and work in these revisions, the team decided on a multiphase approach for revising this set of standards. This posting of the cyber standards for industry comment only relates to Phase I of the project. "
- Cyber Security (Project 2008-06 Site) - The Cyber Security SDT posted its first draft of revised Cyber Security standards (CIP-002-1-CIP-009-1) for a 45-day public comment period starting November 21, 2008 and ending on January 5, 2009. Both clean and redline versions (zip files) are available for download and review.
- Revised NERC CIP standards out for 45 day comment period, Digital Bond 11/24/2008
- Cyber Standards Final Rule - FERC Order 706, NERC Workshop Presentation (informative 72 slides), 5/13/2008
- Drafted Changes Summary, NERC Comment Form