Are you ready for NERC CIP Version 5?

The North American Electric Reliability Corporation (NERC) regional entity audit teams already have a list of evidence they need to see when auditing for Critical Infrastructure Protection (CIP) Version 5. Are you ready?

The Federal Energy Regulatory Commission (FERC) released Order No. 791 approving Version 5 CIP Reliability Standards, CIP-002-5 through CIP-011-1, which had been submitted by NERC.

The CIP Version 5 Standards adopt new cyber security controls and extend the scope of the systems that are protected by the CIP Reliability Standards. Preparing for CIP Version 5 can help you efficiently address the requirements and determine how to incorporate the standards into your organization’s compliance program.

What are the requirements of NERC CIP 5?

Your CIP Version 3 compliance program may have been limited to fewer requirements; Order 791 and CIP Version 5 Standards use a new methodology based on whether a Bulk Electric System (BES) Cyber System has a low, medium, or high impact on the reliable operation of the bulk electric system.

BES Cyber Assets are defined as those that “if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, mis-operation or non-operation, adversely impact one or more Facilities, systems or equipment … ”

Most likely, a responsible entity will be required to comply, at minimum, with the requirements associated with Low Impact assets. Many entities will be responsible for identifying Medium and/or High Impact BES Cyber Systems, which require additional protection.

CIP 5 Standards include twelve requirements with new cyber security controls addressing:

  • Electronic security perimeters
  • Systems security management
  • Incident reporting and response planning
  • Recovery plans for BES cyber systems
  • Configuration change management and vulnerability assessments

In addition, Order No. 791 directs NERC to create a definition of communication networks and to develop new or modified Reliability Standards that address the protection of communication networks.

It has become clear the FERC supports NERC’s move away from a “zero tolerance” approach to compliance. The move in this direction encourages the development of strong internal controls by responsible entities, i.e., developing a risk framework and environment that encourages business processes to ensure compliance with NERC standards. FERC also is supportive of NERC’s development of standards that focus on the activities that have the greatest impact on Bulk-Power System reliability.

How NERC CIP Version 5 affects utilities

Utilities may have felt minimal impact from CIP standards before this order. You’ll need to assess whether that is still the case, or if your organization now needs to take a deeper look at your cyber assets. Here is a quick checklist to determine next steps:

  1. Identify the applicability to your entity based on section 4 of CIP-002-5
  2. Revisit or identify the assets that are High, Medium, or Low according to Attachment 1 of CIP-002-5
  3. Identify the BES Cyber Assets and BES Cyber Systems in a way that makes “efficient compliance” achievable
  4. Assess risk to your organization in the area of operations, compliance and reporting for cyber assets
  5. Determine any gap in your control framework that needs to be closed with upgraded business processes
  6. Review documentation of compliance with CIP standards and determine the “audit-worthiness” of your documentation under each area
  7. Determine whether your utility has the necessary in-house staffing and expertise to close the gaps or if you need outside help

The current CIP Version 5 standards do not require specific controls for Low Impact assets nor do they contain objective criteria to judge the sufficiency of the controls adopted by responsible entities for those assets. However, Order No. 791 directs NERC to submit filings to tighten this area. For example, Order 791 states that transient electronic devices such as thumb drives and laptop computers fall outside the BES Cyber Asset definition but that further protections are needed. Consequently, it would be prudent for your utility to not wait for those filings but to treat Low Impact assets as needing an internal control framework to assure compliance, as additional control requirements are most definitely on the horizon.

Preparing for CIP Version 5

Baker Tilly’s Energy and Utilities team has deep experience that will help utilities become audit ready for CIP 5 compliance. Our team includes a former NERC compliance leader at a large, Midwest, investor-owned utility, and team members who can evaluate internal control systems to ensure the framework for compliance. We can assist in these areas:

  • Identification of cyber assets
  • Ranking cyber asset
  • Evaluating current internal controls in each area and identifying control gaps compared to best business practices
  • Documenting the business processes that make up the internal control framework and effectiveness of controls
  • Making recommendations for improvements in evaluation of your system’s cyber asset controls to provide a solid control framework
  • Testing of control upgrades
  • Creating tailored life cycle cyber asset identification methods that will ensure that new and replaced cyber assets are promptly identified and made part of the compliance process
  • Training of your organization’s compliance team, operations personnel, and others involved in the process on proper asset identification, compliance with standards, and audit ready documentation

Time is short as the requirements for Medium and High Cyber assets is April, 2016. Low Cyber assets take effect in April 2017.

For more information on this topic, or to learn how Baker Tilly energy and utility specialists can help, contact our team.