NERC-CIP Version 5 Refines, Expands

Dec. 7, 2013
On April 13, the Federal Energy Regulatory Commission (FERC) proposed Version 5 Critical Infrastructure Protection Reliability Standards, CIP-002-5 through 011-5.

The entire list, which contains two new sections (the last two), includes:

  • CIP- 002-5 – BES Cyber Assets and Cyber Systems
  • CIP- 003-5 – Security Management Controls
  • CIP- 004-5 – Personnel and Training
  • CIP- 005-5 – Electronic Security Perimeters
  • CIP- 006-5 – Physical Security of Critical Cyber Assets
  • CIP- 007-5 – Systems Security Management
  • CIP- 008-5 – Incident Reporting and Response Planning
  • CIP- 009-5 – Recovery Plans for Critical Cyber Assets
  • CIP- 0010-5 – Configuration Management and Vulnerability Assessment
  • CIP- 0011-5 – Information Protection

Bulk electricity supply (BES) gets much focus. That includes defining a BES cyber asset as one that would adversely impact one or more facilities, systems or equipment at a BES site—if the asset is unavailable, degraded or misused. Three provisos exist, though:

  • All this would need to occur within 15 minutes of the cyber asset’s required operation or, should they occur, mis-operation or non-operation.
  • Anything affected, when needed, would have to already be destroyed, degraded or not available when needed.
  • Adverse effects would have to interfere with reliable BES operation.

An important change in Version 5 is that unofficial Version 4’s critical and non-critical classifications were recast as high, medium and low impact levels. Large control centers would be the only high-impact operation. Smaller control centers as well as generation and transmission would comprise medium-impact operations. All other operations would be low-impact.

One other substantial change jettisons the “one size fits all” security of Versions 1-4 for Version 5’s security based on the BES reliability impact.