Every week, the North American Electric Reliability Corporation (NERC) releases a “Standards, Compliance and Enforcement” bulletin. These documents contain important information on NERC’s Reliability Standards. Those include the Critical Infrastructure Protection (CIP) standards, a suite of measures designed to help organizations secure their bulk assets and support the operability of North America’s bulk electric system.
Organizations need to keep up with these bulletins so that they can modify their compliance efforts accordingly. Towards that end, here is a roundup of the key security updates, including news surrounding CIP, that NERC made over the course of Q2 2021.
Date of Bulletin | Overview of Update | Description of Update |
--- | --- | --- |
03/15/21 | Comment period opened for proposed revisions to Section 1003 of NERC’s Rules of Procedure | Per FERC’s Order on Compliance Filings related to NERC’s Five-Year Performance Assessment, NERC proposed revisions to Section 1003 of its Rules of Procedure (ROP). That section pertains to NERC’s infrastructure security program including the operation of its Electricity Information Sharing and Analysis Center (E-ISAC). |
03/22/21 | Nomination period opened for Project 2021-03 – CIP-002 Transmission Owner Control Centers | NERC announced a period during which it accepted standard drafting team (SDT) nominations for its Project 2021-03 – CIP-002 Transmission Owner Control Centers (TOCC). It stated in its announcement that participants would need to work an average of 15 hours a week. That workload would include two virtual meetings, outreach efforts, and potential side projects. |
03/22/21 | CIP-013-2, CIP-005-7, and CIP-010-4 approved | In a letter order dated March 18, 2021, the Federal Energy Regulatory Commission (FERC) approved CIP-013-2, CIP-005-7, and CIP-010-4, which address supply chain cyber security risk management for bulk electric systems (BES). The three Reliability Standards are designed to help organizations address risks during the planning stages of procuring BES Cyber Systems and other assets. |
03/22/21 | Status update submitted to FERC on two CIP Reliability Standards development projects | In an informational compliance filing, NERC noted that it was on schedule with Project 2016-02, an effort to modify the CIP Reliability Standards for the purpose of protecting virtualized environments. It also adjusted the schedule for Project 2019-02, a campaign which clarifies the protections for cloud computing services. |
03/29/21 | New proposed Implementation Guidance document posted on Compliance Guidance web page | NERC posted a new proposed Implementation Guidance document on its Compliance Guidance web page. That document concerned CIP-005-6 Vendor Support via Web Conferencing (NATF). The document was unavailable at the time of writing. |
03/29/21 | ERO Enterprise Non-Endorsed Implementation Guidance tracking spreadsheet updated with three new CIP Reliability Standards | Three new CIP Reliability Standards entered the ERO Enterprise Non-Endorsed Implementation Guidance tracking spreadsheet. Those security measures were CIP-005-7 R3 Electronic Security Perimeters (2019-03 SDT), CIP-010-4 R1 Configuration Change Management and Vulnerability Assessments (2019-03 SDT), and CIP-013-2 Supply Chain Risk Management Plans (2019-03 SDT). |
03/29/21 | Regional Entity CIP workshop announced for Texas | NERC opened registration for a CIP workshop associated with the Texas Regional Entity (RE) on June 3, 2021. |
04/12/21 | Abstract submissions requested for GridSecCon 2021 | Ahead of GridSecCon 2021, NERC and Texas RE requested abstracts from grid security professionals discussing physical and cyber security challenges along with best practices in the industry. Those abstracts would be considered for trainings and breakout sessions at the upcoming conference. |
04/12/21 | Comments submitted to FERC on proposed rulemaking for cyber security incentives | On April 6, NERC along with the Regional Entities submitted comments to FERC on proposed rulemaking for cyber security incentives. |
04/15/21 | Align Project and ERO Secure Evidence Locker launched by ERO Enterprise | The ERO Enterprise announced the Release 1 launch of the Align Project and the ERO Secure Evidence Locker (SEL) for NERC, the Midwest Reliability Organization (MRO) and Texas RE. Formerly called the “Compliance Monitoring and Enforcement Program” (CMEP), the Align Project moves all entities’ compliance monitoring and enforcement processes to a standardized platform, providing a more secure means of storing their compliance-related data and evidence. A key part of the Align Project is the ERO SEL, an isolated environment which organizations can use to collect and protect their compliance information. |
04/26/21 | Nomination period extended for Project 2021-03 – CIP-002 Transmission Owner Control Centers (TOCC) | In an update to Project 2021-03 – CIP-002 TOCC, NERC extended the deadline for receiving SDT nominations through 8 p.m. on April 27, 2021. |
04/26/21 | NERC’s senior VP and chief engineer to participate in Tech EnVision Forum | FERC and Virginia Tech organized a two-day virtual Tech EnVision Forum event titled “Future of Electric Energy for an Industry in Transformation.” Mark Lauby, NERC’s senior vice president and chief engineer, was on the schedule to speak during one of the panels. Topics to be discussed included regulatory issues, grid security and resilience, as well as others. |
05/03/21 | ERO Enterprise Non-Endorsed Implementation Guidance tracking spreadsheet updated with another CIP Reliability Standard | NERC updated its ERO Enterprise Non-Endorsed Implementation Guidance tracking spreadsheet by adding CIP-005-6 R2.4_R2.5 Vendor Support via Web Conferencing (NATF). |
05/03/21 | Agenda published for NERC’s Technology and Security Committee meeting in May | NERC’s Technology and Security Committee published its agenda for its virtual meeting on May 12. |
05/10/21 | New webinar announced on modifications to CIP-012 | As part of Project 2020-04, NERC opened registration to a webinar on recent modifications made to CIP-012. |
05/17/21 | Self-Logging Program’s expansion and deferment of on-site activities extended by ERO Enterprise | In response to the ongoing pandemic, the ERO Enterprise extended the expansion of its Self-Logging Program so that entities can self-log instances of potential noncompliance and minimize the risks of spreading COVID-19. |
05/17/21 | Release 1 of Align Project and ERO SEL deployed to WECC | The ERO Enterprise announced that the Western Electricity Coordinating Council (WECC) will be joining NERC, MRO, and Texas RE in their use of the Align Project and the ERO SEL. |
05/17/21 | Cyber risk one of the topics that came up during NERC’s Board of Trustees meeting | During its quarterly meeting, NERC’s Board of Trustees highlighted cyber risk as a significant threat to reliability that requires constant vigilance. |
05/17/21 | Exception process published for BES artifact submittal | On May 14, the ERO Enterprise published an exception process for BES artifact submittal. The process provides an alternate framework for a Compliance Enforcement Authority and an RE to work together on the secure and effective submission of evidence outside of the ERO SEL. |
05/24/21 | Resources from Project 2020-04 webinar made available online | NERC posted the slide presentation and recording for its webinar discussing modifications to CIP-012. |
06/01/21 | Release 1 of Align Project and ERO SEL deployed to NPCC, ReliabilityFirst, and SERC | The ERO Enterprise announced the deployment of the Align Project and ERO SEL to the Northeast Power Coordinating Council (NPCC), ReliabilityFirst, and the Southeastern Reliability Corporation (SERC). |
06/01/21 | Meeting announced for NERC’s Reliability and Security Technical Committee | NERC announced that its Reliability and Security Technical Committee had scheduled a meeting for June 8-9, 2021. In doing so, it shared a registration link and an agenda package for both days. |
06/01/21 | Second installment of NERC’s quarterly compliance podcast released | NERC released the second episode of “Currently Compliant,” its quarterly compliance podcast. The episode explores supply chain risk management along with other topics. |
06/07/21 | Practice guide developed in support of the Department of Energy’s (DOE’s) 100-day plan | On April 20, DOE launched an initiative to foster enhanced visibility, detection, and response capabilities for organizations responsible for upholding the U.S. power grid. Those capabilities include deploying network monitoring solutions on operational technology (OT) networks. In support of that effort, NERC developed a practice guide that addresses how in-scope organizations can pair the CIP Reliability Standards with their network monitoring efforts. |
06/14/21 | Conference call scheduled for team charged with drafting CIP-012 modifications | As part of Project 2020-04, NERC scheduled a conference call on June 21, 2021 for the drafting team charged with amending CIP-012. |
06/14/21 | Registration opened for GridSecCon 2021 | On October 19-20, 2021, NERC and Texas RE will be hosting the 10th annual GridSecCon virtually. Registration for the event is now open. |
06/14/21 | Comment period open for draft of 2021 ERO Reliability Risk Priorities Report | NERC opened a comment period for a draft of the 2021 ERO Reliability Risk Priorities Report. The report covers existing and emerging risks, including those in cyber security, and offers mitigation strategies. |
Check back next quarter for another roundup of security-related updates. In the meantime, you can review NERC’s full list of bulletins here.