CIP Standards Version 5 modify reportable cyber security incident definition
SUBNET Solutions Inc | Wednesday, September 21, 2011
The North American Electric Reliability Corporation's (NERC's) CIP Standards Version 5 Requirements and Status will address many issues and bring about several expansions and amendments to previous standards. One aspect Version 5 focuses on is the definition of a reportable cyber security incident.
Version 5 will define reportable cyber security incidents as any malicious or suspicious event that has the ability to compromise, or even attempts to compromise, the Electronic Security Parameter of a Bulk Electric System (BES) Cyber System.
An additional definition explains reportable cyber security incidents as events that have made an impact, or hold the potential to impact the Bulk Electric System's reliability. The provisions will be found in Version 5 as Reportable Cyber Security Events.
The new version of standards will also discuss response planning regarding cyber security incident reporting.
The current standard ensures the identification, classification, response and reporting of any cyber security incident related to Critical Cyber Assets. Requirements in previous versions call for response plans to be developed and implemented in the event of a Cyber Security Incident.
Other modifications include adding new flexibility to the Cyber Security Policy, which in Version 5, will explicitly allow multiple policies to be used, as well as allow the policy to specifically address topical areas, as opposed to all requirements.
Previous standards held a requirement to document all exceptions to the policy, and discussions are still ongoing among the Federal Energy Regulatory Commission (FERC) on this approach.
FERC order 706, paragraph 376 states that "the Commission adopts its CIP NOPR proposal and directs the ERO to clarify that the exceptions mentioned in Requirements R2.3 and R3 of CIP-003-1 do not except responsible entities from the Requirements of the CIP Reliability Standards."
Version 5 will draw from the FERC, as SDT, a telecommunications infrastructure service, considers the exceptions found in earlier versions a general management issue that is not found in the scope of a compliance requirement. SDT also said that no reliability had been found in the requirement, and has proposed that the requirement for documented exceptions to the Cyber Security Policy be removed.
What will go unchanged, however, is previous versions of Security Awareness, which will continue to be refreshed quarterly as opposed to formal tracked training.
SUBNET Solution Inc. works with utilities to help them comply with NERC standards by providing substation automation solutions such as IED access control and automated password management of thousands of substation devices.
Substation Cyber Security