NERC CIP V5 continues to form up since the first ballot failed to pass even as much of the industry incrementally focuses more on CIP V4. The NERC approved V4 adds up to a rather straightforward application of CIP V3, plus prescriptive bright-line criteria to determine facilities in scope (instead of owner developed risk based assessment methodology permitted prior). NERC CIP V5 is a whole new ball game.
Lastest on NERC CIP V5 - Proposed Changes
Honeywell-Matrikon's [in]Security Culture Blog and webcasts continue offering solid insights for organizations focusing on where CIPs are heading, addressing related compliance challenges. From the Jan 30th posting SDT Meeting updates – Or, an informal open letter, Tom Alrich provides his opinions regarding the direction on a set of key V5 draft issues:
- Inventory for Low-Impact Assets
- First draft would require an inventory of all assets for compliance. This is in conflict with the SDT's intent and should be resolved in the next draft.
- Asset Identification
- First draft has a fatal flaw of requiring review of all assets to identify BES reliability Operation Services supported. Next draft should return back to the approach of starting with facility identification before going deeper to supporting assets- a much more feasible and reasonable methodology.
- DPs and LSEs
- To only be included if they have one or more systems meeting the bright-line criteria.
- TO Control Centers
- Transmission operators (TOPs) already on the hook, no need to also burden transmission owners.
- Blackstart Plants
- First draft's direction of raising all to Medium Impact would be counterproductive to reliability. Generators have a choice on whether or not to participate in regional blackstart plans and the cost of CIP compliance significantly exceeds typical financial benefit. Many anticipate large withdrawal of blackstart units nationwide from plans, some say this is already happening. A compromise proposed would assign blackstart to Low impact if no external routable or dialup connectivity is used.
- Power Plant Thresholds - 1500 MW
- Right now very few plants meet this threshold for cyber assets given multiple industrial control systems, not a single cyber system, typically supports production. Many see it likely FERC will decide to lower this threshold given increasing concerns about having sufficient bulk electric assets addressed.
2/23 Update - A simple thought experiment: "How much of the Bulk Electric System would remain available if all related facilities not in the scope of NERC CIPs or Nuclear (NEI 08-09) were taken out of service?
Honeywell-Matrikon's latest post by Tom Alrich explains more - Version 5: About those Large Plants…. (2/23): ".. The main question is whether FERC will be pleased with 7.2 percent of non-blackstart generating units being part of a plant that will be a Medium Impact facility under CIP Version 5 or a Critical Asset under Version 4."
- NERC Project 2008-06 Cyber Security Order 706 Project Site
- click "Version 5 CIP Standards" activity
- NRC RG 5.71 Cyber Security Programs for Nuclear Facilities
- NEI 08-09 addresses related NRC Order expectations for 10 CFR 73.54 Protection of digital computer and communication systems and networks
- Honeywell-Matrikon Webcasts - CIP Version 5 replays include:
- Proactive Payoff: Getting Ready for NERC CIP V5
- CIP Version 5: A Whole New Ball Game