Every week, the North American Electric Reliability Corporation (NERC) releases a “Standards, Compliance and Enforcement” bulletin. These documents contain important information with regard to NERC’s Reliability Standards. That includes the Critical Infrastructure Protection (CIP), a suite of measures designed to help organizations secure their bulk assets and thereby support the operability of North America’s bulk electric system.
It’s imperative that organizations keep up with these bulletins so that they might modify their compliance efforts accordingly. Towards that end, here is a roundup of the key security updates, including news surrounding CIP, that NERC made over the course of Q1 2021.
| Date of Bulletin | Overview of Update | Description of Update |
| 12/21/20 | An assessment finds that an evolving resource mix is changing the reliability, security and resilience landscape | The 2020 Long-Term Reliability Assessment found that there is enough capacity to meet electricity demand over the next 10 years. Even so, it found that some developments including the continued growth of distributed energy resources (DER) and the retirement of conventional generation are changing the way the grid is planned and operated. In some areas, there could be inadequate supply for serving electricity demand. |
| 12/21/20 | NERC submits filings concerning the CIP Standards to FERC | On December 14, 2020, NERC submitted a petition of approval to FERC for the proposed Reliability Standards CIP-013-2, CIP-005-7 and CIP-010-4 addressing Supply Chain Cyber Security Risk Management. It also submitted an informational compliance filing that contained a status update on standards development projects relating to the CIP Reliability Standards. |
| 12/21/20 | NERC takes action on order that cites need for possible modifications to the CIP Reliability Standards | During its monthly open meeting, NERC took an action on an order regarding virtualization and cloud computing services. The order required NERC to submit an informational filing that evaluates the need for possible modifications to the CIP Reliability Standards concerning virtualization and cloud computing. |
| 12/28/20 | CIP-008-6 enters into effect on January 1, 2021 | NERC explained that CIP-008-6, “Incident Reporting and Response Planning,” was slated to take full effect on January 1, 2021. |
| 01/04/21 | NERC opens registration for its 2021 RISC Reliability Leadership Summit | At the end of January, NERC and the Reliability Issues Steering Committee (RISC) opened registration for the 2021 RISC Reliability Leadership Summit. This event traditionally gathers dozens of industry leaders, federal officials and others together to discuss security risks, critical infrastructure interdependencies and other factors confronting the grid. |
| 01/11/21 | ERO Enterprise extends the expansion and deferment of on-site activities for the Self-Logging Program through mid-2021 | The Electric Reliability Organization (ERO) Enterprise extended the temporary expansion of the Self-Logging Program as well as the deferral of on-site activities through June 30, 2021. It implemented this measure to help registered entities log instances of non-compliance while minimizing the risks associated with their response to COVID-19. |
| 01/11/21 | NERC schedules team conference call on the topic of modifying the CIP-012 standard | On its Standards calendar, NERC revealed that it had scheduled a team conference call to discuss draft modifications to CIP-012, a standard which helps to secure communications between command centers. That call took place on January 14, 2021. |
| 01/19/21 | NERC schedules two additional team conference calls on the topic of modifying CIP-012 | Under Project 2020-04, NERC scheduled two additional team conference calls to discuss draft modifications to CIP-012 on January 21, 2021 and January 26, 2021. |
| 02/01/21 | NERC publishes agenda of the Technology and Security Committee for the Board of Trustees’ quarterly meeting | According to an agenda published by NERC, the Technology and Security Committee intended to discuss the Align tool and the ERO Secure Evidence Locker (ERO SEL), among other items, during the Board of Trustees’ quarterly meeting scheduled for February 3, 2021. |
| 02/08/21 | NERC proposes revisions to section 1003 of its Rules of Procedure (ROP) | In accordance with FERC’s Order on Compliance Filings, NERC proposed revisions to section 1003 of its Rules of Procedure (ROP). This section deals with NERC’s infrastructure security program. The organization went on to say that it intended to submit those changes to the Board of Trustees for approval during their meeting in May 2021. |
| 02/08/21 | NERC published new proposed Implementation Guidance documents concerning three of the CIP Standards. | NERC posted proposed Implementation Guidance documents for CIP-005-7 (R3) “Electronic Security Perimeters,” CIP-010-4 (R1) “Configuration Change Management and Vulnerability Assessments” and CIP-013-2 “Supply Chain Risk Management Plans.” |
| 02/08/21 | Board of Trustees address emerging reliability and security risks during first meeting of 2021 | During its first meeting of the year, NERC’s Board of Trust accepted a framework to address known and emerging reliability and security risks affecting registered entities. It also welcomed two new Board members. |
| 02/08/21 | NERC submits notice of withdrawal for CIP-002-6 | In early February, NERC submitted a notice of withdrawal on the proposed CIP-002-6 Standard to FERC. |
| 02/08/21 | NERC creates webinar series to discuss modifications made to several CIP Standards | In Project 2016-02, the Modifications to CIP Standards drafting team created a two-part industry webinar series to discuss modifications made to Standards CIP-002 through CIP-011 as well as CIP-013. |
| 02/16/21 | NERC schedules GridEx VI for mid-November, 2021 | Every two years, NERC and the Electricity Information Sharing and Analysis Center (E-ISAC) hold a GridEX security exercise that simulates a cyber and physical attack on the North American electricity grid. The sixth iteration of this exercise series is planned for November 16-17, 2021, with registration now open for Lead Planners and Planners. |
| 02/16/21 | The Modifications to CIP Standards drafting team announces part I of its industry webinar series | NERC scheduled the first part of the webinar series covering recent modifications made to the CIP Standards for February 23, 2021. |
| 02/22/21 | NERC schedules a Modifications to CIP-012 conference call | As part of Project 2020-04, NERC arranged a team conference call to discuss modifications made to the CIP-012 standard. |
| 03/01/21 | NERC announces the 10th iteration of GridSecCon | NERC and Texas RE announced that they will be holding the 10th instance of GridSecCon on October 19-20, 2021. This event, which will be held virtually this year, brings cyber and physical leaders together to participate in training sessions, discuss lessons learned and share effective mitigation practices. |
| 03/01/21 | NERC publishes slide presentations and recordings for CIP Standards webinars | NERC announced that it had published the streaming webinar and slide presentation for the first part of the Modifications to CIP Standards Outreach webinar. It also said that it posted the same resources for the Update on CIP Standards webinar. |
| 03/08/21 | The Reliability and Security Technical Committee approves the scope of the Security Working Group at its quarterly meeting | On March 2nd, the Reliability and Security Technical Committee (RSTC) approved the scope of the Security Working Group (SWG). That scope includes supporting industry efforts to mitigate emergent risks confronting the electricity grid. |
| 03/08/21 | NERC publishes slide presentation and recording for second part of CIP Standards modifications webinar | NERC posted the slide presentation and the recording for the second part of the Modifications to CIP Standards Outreach webinar. |
| 03/08/21 | NERC posts revised ERO Enterprise CIP Evidence Request Tool (ERT) | NERC published a revised version of the ERO Enterprise CIP Evidence Request Tool (ERT). This resource helps entities with their CIP compliance monitoring engagements. |
Check back next quarter for another roundup of security-related updates. In the meantime, you can review NERC’s full list of bulletins here.
