NERC CIP-003-7: An Introduction
By David Bisson
On April 19, 2018, the U.S. Federal Energy Regulatory Commission (FERC) approved Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 in Order No. 843. The order gave affected organizations until the standard's effective date of January 1, 2020, a little under two years, to demonstrate compliance.
Before that deadline arrives, organizations need to understand the full extent of their responsibilities under the updated standard. This blog post lays the groundwork by providing background and a high-level overview of CIP-003-7. A subsequent blog post will cover the significant differences between CIP-003-6 and CIP-003-7 and the actions organizations can take to achieve compliance with CIP-003-7.
Background of CIP-003-7
Before organizations can explore the intricacies of CIP-003-7, they first need to understand the CIP controls more generally. This story begins with the mission of the North American Electric Reliability Corporation (NERC).
NERC traces its origins to the 1960s, but it was formed as a corporation on March 28, 2006, before the Reliability Standards became mandatory and enforceable. NERC is a not-for-profit international regulatory authority tasked with safeguarding the reliability and security of the electric grid across the United States, Canada and a portion of Baja California, Mexico. One of the ways NERC protects North America's electric grid is by developing enforceable Reliability Standards. Developed through a risk-based approach, the Standards set out what organizations must do to ensure the reliability of the North American bulk power system.
NERC's Reliability Standards currently fall into 14 categories, one of which is CIP. This family of roughly a dozen standards, CIP-003 among them, directs Responsible Entities to identify and protect Bulk Electric System (BES) Cyber Systems. CIP-002-5.1a characterizes these systems, and the cyber assets that make them up, as ones that "if rendered unavailable, degraded, or misused would within 15 minutes adversely impact the reliable operation of the BES."
An organization that fails to comply with any enforceable CIP standard may face significant monetary penalties: up to $1 million per day, per violation. On February 28, 2018, for instance, NERC imposed a $2.7 million penalty on an unidentified electric utility for CIP violations involving the exposure of BES Cyber System Information (BCSI), the standards' term for sensitive information about BES Cyber Systems.
NERC identifies the purpose of CIP-003-7 as the need “to specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems (BCSs) against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).” The standard applies to Balancing Authorities, Generator Owners, Generator Operators, Interchange Coordinators, Interchange Authorities, Reliability Coordinators, Transmission Operators and Transmission Owners. It also covers Distribution Providers that own various facilities and systems, like underfrequency Load shedding (UFLS), undervoltage Load shedding (UVLS) systems, certain Special Protection Systems (SPSs) or Remedial Action Schemes (RASs) and Cranking Paths that meet specific switching requirements.
Responsible Entities can achieve compliance with the security management controls specified under CIP-003-7 by working to fulfill the specific requirements outlined below:
Requirement 1: Receive Approval for Cyber Security Policies
Organizations need CIP Senior Manager approval for one or more documented cyber security policies at least once every 15 calendar months. For High and Medium Impact BCSs, the policies must collectively address the topics of CIP-004 through CIP-011: personnel and training; Electronic Security Perimeters (ESPs), including Interactive Remote Access; physical security; system security management; incident reporting and response planning; recovery plans; configuration change management and vulnerability assessments; information protection; and declaring and responding to CIP Exceptional Circumstances. For Low Impact BCSs, the policies must address cyber security awareness, physical security controls, electronic access controls, Cyber Security Incident response, malicious code risk mitigation for Transient Cyber Assets and Removable Media, and declaring and responding to CIP Exceptional Circumstances.
Requirement 2: Implement a Cyber Security Plan
Responsible Entities with at least one asset identified under CIP-002 as containing Low Impact BCSs must implement one or more documented cyber security plans for those systems, covering the sections and criteria prescribed in Attachment 1 of CIP-003-7. Entities are not, however, required to maintain an inventory or list of Low Impact BCSs, their BES Cyber Assets (BCAs), or authorized users.
Per Attachment 1 of CIP-003-7, the plan must address five sections: cyber security awareness, physical security controls, electronic access controls, Cyber Security Incident response, and malicious code risk mitigation for Transient Cyber Assets and Removable Media. Our subsequent blog post will discuss these sections in more detail.
Requirement 3: Identify a CIP Senior Manager
All Responsible Entities must identify a CIP Senior Manager by name. They must also document any change to the CIP Senior Manager within 30 calendar days of that change.
Requirement 4: Use Formalized Processes to Delegate Responsibility
Responsible Entities must have documented processes through which the CIP Senior Manager, where allowed by the CIP Standards, can delegate authority for specific actions. Each delegation must be documented with the name or title of the delegate, the specific actions delegated, and the date of the delegation, and must be approved by the CIP Senior Manager. As with Requirement 3 above, any change to a delegation must be documented within 30 days of the change.
Working Towards Compliance With CIP-003-7
The four requirements and the five sections of Attachment 1 identified above are the essential elements of every Responsible Entity's effort to achieve compliance with CIP-003-7. To succeed, organizations need to avoid the common pitfalls while keeping certain best practices in mind. Those pitfalls and practices, along with the primary changes between CIP-003-6 and CIP-003-7, will be the subject of a subsequent blog post.
In the meantime, Responsible Entities would do well to organize their forthcoming compliance work on CIP-003-7 and the other standards into a formalized compliance program. Such a program must be scalable, flexible and manageable so that it can track updates, evaluate the progress of each compliance-driven effort and document each new implementation measure. Learn how ITEGRITI can help your Entity organize its CIP-003-7 compliance program.