The entire list, which contains two new sections (the last two), includes:
- CIP- 002-5 – BES Cyber Assets and Cyber Systems
- CIP- 003-5 – Security Management Controls
- CIP- 004-5 – Personnel and Training
- CIP- 005-5 – Electronic Security Perimeters
- CIP- 006-5 – Physical Security of Critical Cyber Assets
- CIP- 007-5 – Systems Security Management
- CIP- 008-5 – Incident Reporting and Response Planning
- CIP- 009-5 – Recovery Plans for Critical Cyber Assets
- CIP- 0010-5 – Configuration Management and Vulnerability Assessment
- CIP- 0011-5 – Information Protection
Bulk electricity supply (BES) gets much focus. That includes defining a BES cyber asset as one that would adversely impact one or more facilities, systems or equipment at a BES site—if the asset is unavailable, degraded or misused. Three provisos exist, though:
- All this would need to occur within 15 minutes of the cyber asset’s required operation or, should they occur, mis-operation or non-operation.
- Anything affected, when needed, would have to already be destroyed, degraded or not available when needed.
- Adverse effects would have to interfere with reliable BES operation.
An important change in Version 5 is that unofficial Version 4’s critical and non-critical classifications were recast as high, medium and low impact levels. Large control centers would be the only high-impact operation. Smaller control centers as well as generation and transmission would comprise medium-impact operations. All other operations would be low-impact.
One other substantial change jettisons the “one size fits all” security of Versions 1-4 for Version 5’s security based on the BES reliability impact.