10.11.2019

CIP: More Than Just a Buzzword - Do You Have Evidence of Implementation?

By Leland McMillan, Supervisor, NERC Services

January 1, 2020 is almost here and the highly anticipated pressure to complete the CIP-003-7 cyber security plans will be over. Or will it?

Background:

Since 2017, registered entities have been deploying plans as required for:

Section 1. Cyber Security Awareness and

Section 4. Cyber Security Incident Response

Also, entities have been preparing to complete plans required by 1/1/2020 for:

Section 2. Physical Security Controls

Section 3. Electronic Access Controls

Section 5. Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation

The purpose of this article is to raise awareness that simply writing and approving the plan is just the beginning. The work will not end on 12/31/19.

Implementation:

Requirement 2 of CIP-003-7 states:

Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1.

The key word here is “implement,” which means that your entity will need to demonstrate that the plan documents you have been working on have, in fact, been deployed. The following narrative describes what that can mean for each applicable section.

Physical Security: Examples of controls and evidence are found in the standard, but the key is to demonstrate that you are controlling access. Whether you use the fence, locked rooms, or key cards, it would make sense to have a list of individuals with access for the audit period. This means that terminated individuals and new hires are tracked, with some sort of periodic verification, with documentation to serve as good evidence.

Electronic Access: For those of us with routable communications (almost everyone), obtaining a copy of the firewall rules is a good first step. However, that doesn’t necessarily show evidence of controlling access. It is critical that a technical review is performed to ensure that external communications are limited to only the ports that are needed. Evidence can be as simple as an Excel spreadsheet, but it must show that all ports are closed except those needed for operations, and every open port must have a documented justification. Network diagrams, along with an Access Control List showing justified firewall rules that restrict IP addresses, ports, or services, are good evidence of implementation of electronic access controls.
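An added example (not part of the article and not NAES tooling) of the technical review described above: it takes a constructed firewall export and a constructed justification register, flags any permit into an assumed low impact BES Cyber System segment that is open to any port, unrestricted by source, or missing a documented justification, and then lists the rows that would go on the evidence spreadsheet. The network ranges, rule ids and justifications are all made up for illustration.

```python
import csv
import io
from ipaddress import ip_network

# Constructed sample firewall export (not from any real plant).
FIREWALL_RULES = """\
rule_id,action,src,dst,proto,port
10,allow,10.20.0.0/24,192.168.50.0/24,tcp,443
20,allow,0.0.0.0/0,192.168.50.10/32,tcp,22
30,allow,10.20.0.5/32,192.168.50.0/24,tcp,502
40,deny,0.0.0.0/0,192.168.50.0/24,any,any
"""

# Constructed justification register kept by plant staff for the audit period.
JUSTIFICATIONS = """\
rule_id,justification,reviewed_on
10,HTTPS historian replication to corporate DMZ,2019-09-15
30,Modbus/TCP polling from EMS gateway,2019-09-15
"""

PLANT_NET = ip_network("192.168.50.0/24")  # assumed low impact BES Cyber System segment

def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def review_rules(rules_csv=FIREWALL_RULES, just_csv=JUSTIFICATIONS, plant_net=PLANT_NET):
    """Return {rule_id: [reasons]} for permits into plant_net that lack evidence."""
    justified = {row["rule_id"] for row in load_csv(just_csv)}
    findings = {}
    for r in load_csv(rules_csv):
        # Only permits that reach the protected segment need a justification.
        if r["action"] != "allow" or not ip_network(r["dst"]).subnet_of(plant_net):
            continue
        reasons = []
        if "any" in (r["proto"], r["port"]):
            reasons.append("permit is not limited to a specific port or service")
        if ip_network(r["src"]).prefixlen == 0:
            reasons.append("source is unrestricted (0.0.0.0/0)")
        if r["rule_id"] not in justified:
            reasons.append(f"open {r['proto']}/{r['port']} has no documented justification")
        if reasons:
            findings[r["rule_id"]] = reasons
    return findings

def evidence_rows(rules_csv=FIREWALL_RULES, just_csv=JUSTIFICATIONS):
    # Rows for the evidence spreadsheet: each permit with its justification or NONE.
    just = {row["rule_id"]: row["justification"] for row in load_csv(just_csv)}
    return [(r["rule_id"], f"{r['proto']}/{r['port']}", just.get(r["rule_id"], "NONE"))
            for r in load_csv(rules_csv) if r["action"] == "allow"]
```

Any rule that appears in the findings (here, rule 20) is exactly the kind of gap an auditor will ask about, so it should either be closed or given a written justification before the plan is declared implemented.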

Transient Cyber Assets/Removable Media (TCA/RM): Perhaps the most onerous of the new requirements, registered entities must now document that applicable portable devices connected to control systems, microprocessor relays, etc. have been verified free of malicious code prior to connection. Did I mention that this needs to be documented? The evidence can vary, but a simple form or checklist can serve well if personnel are properly trained.

The Future:

As soon as Version 7 goes into effect, its days will be numbered. Version 8 goes into effect on April 1, 2020. Don’t worry though – all your favorite requirements from V7 will stick around. V8 simply adds Section 5.2.2 to document additional mitigating steps to address risks of third-party TCAs containing malicious code.

Beyond that, supply chain issues have emerged as a global threat. The recent NERC Alert and NERC data request on this subject demonstrate the importance of this topic.

Certainly, the future of cybersecurity risks and potential for new requirements is overwhelming, but the first step is making sure that your cybersecurity plans for the CIP standards are supported by evidence of implementation. Training is not required but is highly recommended to help your staff understand and implement the new requirements properly.
