NERC-CIP Version 5 Refines, Expands

The entire list, which contains two new sections (the last two), includes:

• CIP- 002-5 – BES Cyber Assets and Cyber Systems
• CIP- 003-5 – Security Management Controls
• CIP- 004-5 – Personnel and Training
• CIP- 005-5 – Electronic Security Perimeters
• CIP- 006-5 – Physical Security of Critical Cyber Assets
• CIP- 007-5 – Systems Security Management
• CIP- 008-5 – Incident Reporting and Response Planning
• CIP- 009-5 – Recovery Plans for Critical Cyber Assets
• CIP- 0010-5 – Configuration Management and Vulnerability Assessment
• CIP- 0011-5 – Information Protection

Bulk electricity supply (BES) gets much focus. That includes defining a BES cyber asset as one that would adversely impact one or more facilities, systems or equipment at a BES site—if the asset is unavailable, degraded or misused. Three provisos exist, though:

• All this would need to occur within 15 minutes of the cyber asset’s required operation or, should they occur, mis-operation or non-operation.
• Anything affected, when needed, would have to already be destroyed, degraded or not available when needed.
• Adverse effects would have to interfere with reliable BES operation.

An important change in Version 5 is that unofficial Version 4’s critical and non-critical classifications were recast as high, medium and low impact levels. Large control centers would be the only high-impact operation. Smaller control centers as well as generation and transmission would comprise medium-impact operations. All other operations would be low-impact.

One other substantial change jettisons the “one size fits all” security of Versions 1-4 for Version 5’s security based on the BES reliability impact.