Background: President's Commission on Critical Infrastructure Protection; PDD-63; SMD NOPR; NERC Urgent Action Cyber Security Standards 1200; Joint US-Canada Task Force Report on the August 2003 Blackout; National Infrastructure Protection Plan.
General: Numerous comments received on Draft 3. Comments focused on technical issues. Comments represented industry consensus.
General: Ensured that requirements are clear and concise. Eliminated redundancy between the standards. Ensured that levels of noncompliance correctly align with the requirements and are auditable. Removed references to IAW/SOP.
Definitions: The definition of Critical Assets was changed to remove the references to large quantities of customers and significant risk to public health and safety. The new definition is: "Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System."
CIP-002 Critical Cyber Asset Identification: List of Required Critical Assets in Requirement 1 was removed. R1 divided into two requirements: R1, Critical Asset Identification Method, and R2, Critical Asset Identification. New R1 requires Responsible Entities to identify and document a risk-based assessment methodology that shall consider, at a minimum, certain assets as listed in the standard. R2 requires Responsible Entities to apply the risk-based assessment methodology required in R1 to identify their lists of Critical Assets.
CIP-004 Personnel and Training: The update period for Personnel Risk Assessment was extended to 7 years. The review period was changed to be consistent with the update period. Personnel risk assessments and training no longer need to be completed prior to permitting authorized cyber or authorized unescorted physical access; rather, they must be conducted within 90 calendar days of personnel being granted such access.
Other Changes of Significance: CIP-003 – Security Management Controls: provision for emergency situations; removed test environment from Change Management. CIP-005 – Electronic Security Perimeter(s): removed requirement for port scanning.
Implementation Plan for Standards: Implementation plan has been modified to recognize the time necessary to fully implement these standards. New phase of compliance has been added to the tables. Begin Work (BW) has been clarified to mean a Responsible Entity has developed and approved a plan to address the requirements of a standard, has begun to identify and plan for necessary resources, and has begun implementing the requirements.
Ballot Process: Balloting opens Feb. 17th for ten days. Drafting Team will respond to any negative comments. If necessary, recirculation balloting will be conducted. Persons interested in voting must be registered to ballot pool by Feb. 17th.
And now it's time for your questions and comments. Larry Bugh, Chair, Cyber Security Standards Drafting Team