NERC Cyber Security Standards PreBallot Review - PowerPoint PPT Presentation

Slides: 12
Provided by: larry113

1
NERC Cyber Security Standards Pre-Ballot Review
2
Background
  • President's Commission on Critical Infrastructure
    Protection
  • PDD-63
  • SMD NOPR
  • NERC Urgent Action Cyber Security Standards 1200
  • Joint US-Canada Task Force Report on the August
    2003 Blackout
  • National Infrastructure Protection Plan

3
General
  • Numerous comments received on Draft 3
  • Comments focused on technical issues
  • Comments represented industry consensus

4
General
  • Ensured that requirements are clear and concise.
  • Eliminated redundancy between the standards.
  • Ensured that levels of noncompliance correctly
    align with the requirements and are auditable.
  • Removed references to IAW/SOP

5
Definitions
  • The definition of Critical Assets was changed to
    remove the references to large quantities of
    customers and significant risk to public health
    and safety.
  • The new definition is: "Facilities, systems, and
    equipment which, if destroyed, degraded, or
    otherwise rendered unavailable, would affect the
    reliability or operability of the Bulk Electric
    System."

6
CIP-002 Critical Cyber Asset Identification
  • List of Required Critical Assets in Requirement 1
    was removed.
  • R1 divided into two requirements: R1. Critical
    Asset Identification Method and R2. Critical
    Asset Identification. (New R1 requires
    Responsible Entities to identify and document a
    risk-based assessment methodology that shall
    consider, at a minimum, certain assets as listed
    in the standard.)
  • R2 requires Responsible Entities to apply the
    risk-based assessment methodology required in R1
    to identify their lists of Critical Assets.

7
CIP-004 Personnel and Training
  • The update period for Personnel Risk Assessment
    was extended to 7 years. The review period was
    changed to be consistent with the update period.
  • Personnel risk assessments and training no longer
    need to be completed prior to permitting
    authorized cyber or authorized unescorted
    physical access; rather, they must be conducted
    within 90 calendar days of personnel being
    granted such access.

8
Other Changes of Significance
  • CIP-003 Security Management Controls
      – Provision for emergency situations
      – Removed test environment from Change Management
  • CIP-005 Electronic Security Perimeter(s)
      – Removed requirement for port scanning

9
Implementation Plan for Standards
  • Implementation plan has been modified to
    recognize the time necessary to fully implement
    these standards.
  • New phase of compliance has been added to the
    tables.
  • Begin Work (BW) has been clarified to mean a
    Responsible Entity has developed and approved a
    plan to address the requirements of a standard,
    has begun to identify and plan for necessary
    resources, and has begun implementing the
    requirements.

10
Ballot Process
  • Balloting opens Feb. 17th for ten days
  • Drafting Team will respond to any negative
    comments
  • If necessary, recirculation balloting will be
    conducted
  • Persons interested in voting must be registered
    to ballot pool by Feb. 17th

11
  • And now it's time for your questions and
    comments.
  • Larry Bugh
  • Chair, Cyber Security Standards Drafting Team
  • 330.580.8017
  • larry.bugh_at_rfirst.org