Buckle up folks because the NERC CIP roller-coaster is about to take off again! The July 16, 2015 FERC Notice of Proposed Rulemaking (NOPR) proposes to approve the CIP V5 modifications (CIP-003-6, CIP-004-6, CIP-006-6, CIP-007-6, CIP-009-6, CIP-010-2, and CIP-011-2) which will collectively be known as CIP Version 6. FERC also proposes to accept the new (Transient Cyber Asset and Removable Media) and revised (BES Cyber Asset and Protected Cyber Asset) definitions for inclusion in NERC Glossary of Terms. No surprises here - most of us who have been following the standard development process expected this action.
However, there were a few significant developments in the NOPR that provide some insight into the future of NERC CIP version 7 and beyond:
1.) FERC proposes to direct NERC to develop modifications to CIP-006-6 (Physical Security of BES Cyber Systems) to require protections for communication network components and data communicated between all bulk electric system Control Centers.
This change would require responsible entities to implement controls to protect all communication links and sensitive bulk electric system data communicated between all bulk electric system Control Centers. This would include communication between two (or more) Control Centers, but not between a Control Center and non-Control Center facilities such as substations. FERC is also seeking comment to determine if latency concerns should prevent the use of encryption as a logical control for any inter-Control Center communications.
2.) FERC requests comment on the sufficiency of the security controls incorporated in the current CIP Reliability Standards regarding remote access used in relation to bulk electric system communications.
The concern here is related to panelist comments during the April 29, 2014, FERC Technical Conference in which participants commented that the use of intermediate devices alone provided insufficient protection and that consideration should be given to additional controls behind the intermediate system. FERC seeks comment on whether these or other steps to improve remote access protection are needed, and would provide substantial reliability and security benefits.
3.) In response to ‘recent malware campaigns targeting supply chain vendors,’ FERC directs NERC to develop a new Reliability Standard or modified Reliability Standard to provide security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.
This item is perhaps the most surprising and most impactful. Supply chain security threats are a real danger but implementing systems to secure the cyber supply chain can be a difficult task for even the largest entities to implement.
4.) In a number of areas FERC expressed concerns with the current controls around Low Impact BES Cyber Assets and is seeking comments on possible ambiguity in the LERC definition, lack of requirements for the use of antivirus, and the limitation of CIP-010-2 to only High and Medium Impact BES Cyber Systems.
The general tone around the Low Impact BES Cyber Systems is that we’ve made progress but there is still room for additional controls around these systems that may add to overall BES security and reliability. The CIP tentacles are sure to keep reaching into more and more areas and there is plenty of room to grow into the low impact space.
Bottom line is that while you may still be busy with your Version 5 implementations you can’t lose sight of the developments underway at NERC and FERC. Evaluate the latest NOPR and provide comments in the timeframe required. It’s too important to be a passive bystander.
Ted Gutierrez, CISSP, GICSP, and GCIH, is the ICS & NERC CIP Product Manager at the SANS Institute. Ted was formerly the Director of Operations Technology & NERC Compliance at Northern Indiana Public Service Company (NIPSCO) where he was responsible for compliance to NERC 693 and CIP standards and the support of the related operations technology systems. Ted has over twenty-five years of experience working in the electric utility, information technology and manufacturing industries.