
Many of the CIP V5 Standards and Requirements became effective on July 1, 2016. The CIP V5 Standards carry a great deal of breadth and nuance, so this section provides a summary of useful resources. Full details behind this summary can be found on the NERC CIP V5 Transition Program page.

One important area for entities to be familiar with is updated terminology, which is found in the NERC Glossary of Terms. One of the biggest changes is moving away from the terms “Critical Assets” and “Critical Cyber Assets” to “Bulk Electric System (BES) Cyber Assets” and “BES Cyber Systems.” Additionally, terms such as “Control Center” are now defined to create compliance parameters. Key terms are provided below.

| Term | Description |
|---|---|
| BES Cyber Asset (BCA) | A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. (A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.) |
| BES Cyber System | One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity. |
| BES Cyber System Information | Information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System. BES Cyber System Information does not include individual pieces of information that by themselves do not pose a threat or could not be used to allow unauthorized access to BES Cyber Systems, such as, but not limited to, device names, individual IP addresses without context, ESP names, or policy statements. Examples of BES Cyber System Information may include, but are not limited to, security procedures or security information about BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or Monitoring Systems that is not publicly available and could be used to allow unauthorized access or unauthorized distribution; collections of network addresses; and network topology of the BES Cyber System. |
| CIP Exceptional Circumstance | A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability. |
| CIP Senior Manager | A single senior management official with overall authority and responsibility for leading and managing implementation of and continuing adherence to the requirements within the NERC CIP Standards, CIP-002 through CIP-011. |
| Control Center | One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of: 1) a Reliability Coordinator, 2) a Balancing Authority, 3) a Transmission Operator for transmission Facilities at two or more locations, or 4) a Generator Operator for generation Facilities at two or more locations. |
| Cyber Assets | Programmable electronic devices, including the hardware, software, and data in those devices. |
| Cyber Security Incident | A malicious act or suspicious event that: (1) Compromises, or was an attempt to compromise, the Electronic Security Perimeter or Physical Security Perimeter or, (2) Disrupts, or was an attempt to disrupt, the operation of a BES Cyber System. |
| Dial-Up Connectivity | A data communication link that is established when the communication equipment dials a phone number and negotiates a connection with the equipment on the other end of the link. |
| Electronic Access Control or Monitoring System (EACMS) | Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems. |
| Electronic Access Point (EAP) | A Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter. |
| Electronic Security Perimeter (ESP) | The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol. |
| External Routable Connectivity | The ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection. |
| Interactive Remote Access | User-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity's Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications. |
| Intermediate System | A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter. |
| Low Impact BES Cyber System Electronic Access Point (LEAP) | A Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact BES Cyber Systems. |
| Low Impact External Routable Connectivity (LERC) | Direct user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. Point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols). |
| Physical Access Control Systems (PACS) | Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers. |
| Physical Security Perimeter (PSP) | The physical border surrounding locations in which BES Cyber Assets, BES Cyber Systems, or Electronic Access Control or Monitoring Systems reside, and for which access is controlled. |
| Protected Cyber Asset (PCA) | One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP. A Cyber Asset is not a Protected Cyber Asset if, for 30 consecutive calendar days or less, it is connected either to a Cyber Asset within the ESP or to the network within the ESP, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes. |
| Removable Media | Storage media that (1) are not Cyber Assets, (2) are capable of transferring executable code, (3) can be used to store, copy, move, or access data, and (4) are directly connected for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a Protected Cyber Asset. Examples include, but are not limited to, floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory. |
| Reportable Cyber Security Incident | A Cyber Security Incident that has compromised or disrupted one or more reliability tasks of a functional entity. |
| Transient Cyber Asset | A Cyber Asset that (1) is capable of transmitting or transferring executable code, (2) is not included in a BES Cyber System, (3) is not a Protected Cyber Asset (PCA), and (4) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes. |
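The BCA, PCA, Transient Cyber Asset and Removable Media definitions above interact through the same 30-consecutive-day exclusion, and inventory tools commonly encode that logic. The following Python is an added illustration, not code from NERC or Texas RE: the `Device` attributes, the sample inventory and the category strings are assumptions, and the 15-minute adverse-impact finding is taken as an input because the glossary leaves that to the entity's engineering judgement. It shows how the 30-day clock moves a maintenance laptop from Transient Cyber Asset to Protected Cyber Asset.

```python
from dataclasses import dataclass, field

# Connection targets named in the glossary. The BCA and PCA exclusions list an
# ESP network, a Cyber Asset within the ESP, or a BCA; the Transient Cyber
# Asset and Removable Media definitions list a BCA, an ESP network, or a PCA.
EXCLUSION_TARGETS = {"esp_network", "cyber_asset_in_esp", "bca"}
TRANSIENT_TARGETS = {"esp_network", "bca", "pca"}
# Purposes that, combined with a <=30-day connection, keep a Cyber Asset
# out of the BCA and PCA categories.
EXCLUSION_PURPOSES = {"data transfer", "vulnerability assessment",
                      "maintenance", "troubleshooting"}


@dataclass
class Device:
    """Assumed attribute set for one inventory entry (constructed)."""
    name: str
    programmable: bool           # Cyber Asset = programmable electronic device
    executable_capable: bool     # can transmit or transfer executable code
    routable_in_esp: bool        # routable-protocol connection within/on an ESP
    impact_15min: bool = False   # entity's own 15-minute adverse-impact finding
    in_bcs: bool = False         # already grouped into a BES Cyber System
    connected_to: set = field(default_factory=set)
    consecutive_days: int = 0    # longest run of direct connection
    purpose: str = ""


def classify(d: Device) -> str:
    """Return the glossary category whose conditions the device satisfies."""
    within_30 = d.consecutive_days <= 30
    excluded = (within_30 and d.purpose in EXCLUSION_PURPOSES
                and bool(d.connected_to & EXCLUSION_TARGETS))
    transient_link = within_30 and bool(d.connected_to & TRANSIENT_TARGETS)
    if not d.programmable:
        # Removable Media is explicitly "not a Cyber Asset".
        if d.executable_capable and transient_link:
            return "Removable Media"
        return "Not a Cyber Asset"
    if d.impact_15min and not excluded:
        return "BES Cyber Asset"
    if d.routable_in_esp and not excluded:
        return "Protected Cyber Asset"
    if d.executable_capable and not d.in_bcs and transient_link:
        return "Transient Cyber Asset"
    return "Cyber Asset outside these categories"


def classify_inventory() -> dict:
    """Classify a constructed sample inventory; returns name -> category."""
    esp = {"esp_network"}
    sample = [
        Device("protection relay", True, False, True, impact_15min=True,
               in_bcs=True, connected_to=esp, consecutive_days=400),
        Device("historian", True, True, True, connected_to=esp,
               consecutive_days=400),
        Device("vendor laptop, day 5", True, True, True, connected_to=esp,
               consecutive_days=5, purpose="maintenance"),
        Device("vendor laptop, day 45", True, True, True, connected_to=esp,
               consecutive_days=45, purpose="maintenance"),
        Device("usb drive", False, True, False, connected_to={"bca"},
               consecutive_days=1, purpose="data transfer"),
    ]
    return {d.name: classify(d) for d in sample}


if __name__ == "__main__":
    for name, category in classify_inventory().items():
        print(f"{name:24s} -> {category}")
```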

FERC Order No. 822 postponed the original effective date for all of the V5 standards. The order also approved modifications to select standards, known as "dash 6" and "dash 2." The effective date for most of the individual requirements is July 1, 2016, with the exception of those listed below.

| Date | Standard | Requirement | Description |
|---|---|---|---|
| 7/15/2016 | CIP-007-6 | R4 Part 4.4 | Review a summarization or sampling of logged events. |
| 8/5/2016 | CIP-010-2 | R2 Part 2.1 | Monitor baseline configuration and investigate unauthorized changes. |
| 10/1/2016 | CIP-004-6 | R4 Part 4.2 | Verify authorization records. |
| 4/1/2017 | CIP-003-6 | R1.2 | Cyber security policies (Low Impact only). |
| 4/1/2017 | CIP-003-6 | R2 | Cyber security plans for CIP-003-6 Attachment 1 (Low Impact only). |
| 4/1/2017 | CIP-003-6 | Att. 1, Section 1 | Cyber security awareness every 15 months (Low Impact only). |
| 4/1/2017 | CIP-003-6 | Att. 1, Section 4 | Cyber Security Incident response plan (Low Impact only). |
| 4/1/2017 | CIP-006-6 | R1 Part 1.10 | Security controls for cabling and other nonprogrammable communication components. This extension applies only to high or medium impact BES Cyber Systems at Control Centers identified by CIP-002-5.1 that were not identified as Critical Cyber Assets in CIP V3; all other high or medium impact BES Cyber Systems must be compliant by July 1, 2016. |
| 4/1/2017 | CIP-007-6 | R1 Part 1.2 | Protect against the use of unnecessary physical input/output ports. This extension applies only to PCAs and nonprogrammable communication components located inside a PSP and inside an ESP and associated with high and medium impact BES Cyber Systems; all other high or medium impact BES Cyber Systems must be compliant by July 1, 2016. |
| 4/1/2017 | CIP-010-2 | R4 | Transient Cyber Assets and Removable Media. |
| 7/1/2017 | CIP-004-6 | R2 Part 2.3 | Completion of training every 15 months. |
| 7/1/2017 | CIP-004-6 | R4 Part 4.3 | Verify privileges with accounts, groups, and roles associated with electronic access. |
| 7/1/2017 | CIP-004-6 | R4 Part 4.4 | Verify access to BES Cyber System Information is correct and necessary every 15 months. |
| 7/1/2017 | CIP-006-6 | R3 Part 3.1 | Maintenance and testing of each PACS and locally mounted hardware or devices every 24 months. |
| 7/1/2017 | CIP-008-5 | R2 Part 2.1 | Test each Cyber Security Incident response plan every 15 months. |
| 7/1/2017 | CIP-009-6 | R2 Part 2.1 | Test each recovery plan every 15 months. |
| 7/1/2017 | CIP-009-6 | R2 Part 2.2 | Test a representative sample of information used to recover BES Cyber System functionality every 15 months. |
| 7/1/2017 | CIP-010-2 | R3 Part 3.1 | Conduct a paper or active vulnerability assessment. |
| 7/1/2018 | CIP-009-6 | R2 Part 2.3 | Test each recovery plan through operational exercise every 36 months (High Impact only). |
| 7/1/2018 | CIP-010-2 | R3 Part 3.2 | Active vulnerability assessment testing (High Impact only). |
| 9/1/2018 | CIP-003-6 | Att. 1, Section 2 | Physical security controls (Low Impact only). |
| 9/1/2018 | CIP-003-6 | Att. 1, Section 3 | Electronic access controls for LERC and Dial-up Connectivity (Low Impact only). |

The implementation plans contain additional details related to compliance dates. Entities should start by reviewing the updated implementation plan followed by the original implementation plan. The updated implementation plan references the previous version, so both are still relevant. NERC also has a complete list of all CIP V5 Implementation Dates.

Guidelines and Technical Basis sections are appended to each CIP standard. These sections provide a significant amount of information about the requirements. Each section starts with a scope of applicability that helps identify such things as entities, Facilities, systems, and equipment, and then discusses each requirement in more detail. These sections also contain a significant number of additional references.

In addition to the standards and supporting information outlined above, there are additional guidance documents endorsed by NERC and the Regional Entities. This series of documents addresses particular questions or fact situations. Keep in mind that these documents serve as guidance only, and additional facts and circumstances may affect overall compliance. Additionally, every entity is unique and may encounter special situations that need additional clarification.

| Document | Synopsis |
|---|---|
| CIP-002-5.1: BES Cyber Assets Lesson Learned | It was discovered that the CIP Reliability Standards did not sufficiently define the "programmable electronic device" component of the BCS NERC Glossary term, and the considerations provided in this lesson learned helped the study participants to assess and identify their Cyber Assets. |
| CIP-002-5.1: Generation Segmentation Lesson Learned | Entities must: (1) categorize the shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single Interconnection at such a generating resource as medium impact BES Cyber Systems; and (2) categorize all other BES Cyber Systems at such generating resource as low impact BES Cyber Systems and the generation resource as an asset containing low impact BES Cyber Systems. Segmentation of the generating units and their associated BES Cyber Systems at the generation resource can be used to show that BES Cyber Systems for each segmented unit, or group of units, do not meet medium impact criterion 2.1 of Attachment 1 to Reliability Standard CIP-002-5.1. |
| CIP-002-5.1: Far-end Relay Lesson Learned | In applying Reliability Standard CIP-002-5.1, Attachment 1, Criterion 2.5, relays located at Transmission stations or substations described in Criterion 2.5 should be categorized as "medium impact" BES Cyber Systems, while relays located at Transmission stations or substations that do not meet the characteristics described in Criterion 2.5 (and do not otherwise satisfy any other high or medium impact rating criteria) may be categorized as "low impact" BES Cyber Systems. |
| CIP Version 5 Frequently Asked Questions | This is a consolidation of questions frequently asked by entities as they transition to the CIP V5 Reliability Standards. There may be other legitimate ways to fulfill the obligations of the requirements that are not expressed within this supporting document. Compliance will continue to be determined based on the language in the NERC Reliability Standards as they may be amended from time to time. |
| CIP-002-5.1: Communications and Networking Cyber Assets | The purpose of this Lesson Learned is to provide guidance on the categorization of Cyber Assets associated with communication and networking for BES Cyber Systems, and it includes some sample approaches. It also provides information on situations where there is not a defined Electronic Security Perimeter (ESP). |
| External Routable Connectivity Lesson Learned | The purpose of this lesson learned is to provide guidance when connecting a BES Cyber System or BES Cyber Asset to a communication network external to the system or asset. |
| CIP-002-5.1: Generation Interconnection Lesson Learned | This lesson learned provides guidance on the application of impact rating criterion 2.5 as it relates to generation interconnection. Specifically, it discusses how responsible entities should consider generator lead lines as they apply criterion 2.5. |
| Mixed Trust EACMS Authentication Lesson Learned | The purpose of this Lesson Learned is to provide guidance on steps Responsible Entities can take to consider mixed trust authentication environments and the effort required to comply with the requirements of the CIP V5 standards. |
| CIP-002-5.1: Grouping of BES Cyber Systems Lesson Learned | The purpose of this Lesson Learned is to describe useful methods to group BES Cyber Assets (BCA) into BES Cyber Systems. |
| Vendor Access Management Lesson Learned | The purpose of this Lesson Learned is to provide discussion points for Responsible Entities to consider when developing processes for managing vendor access to BES Cyber Systems. |

Insight into the initial focus of the approach to CIP engagements is found in the 2017 ERO Enterprise Compliance Monitoring and Enforcement Program Implementation Plan (CMEP IP). Texas RE’s Risk Assessment group starts with the four standards and eleven requirements listed in the 2017 CMEP IP (shown below). Building on that initial focus, the Inherent Risk Assessment (IRA) and optional Internal Controls Evaluation (ICE) processes then influence the final scoping, which is tailored to each registered entity. This final scoping may include additional standards depending on the results of the IRA and ICE (if applicable).

| Standard | Requirement | Description |
|---|---|---|
| CIP-002-5.1 | R1 | Identify high and medium impact BES Cyber Systems and assets that contain low impact BES Cyber Systems |
| CIP-002-5.1 | R2 | Review the R1 identifications and have them approved by the CIP Senior Manager or delegate every 15 months |
| CIP-005-5 | R1 | Electronic Security Perimeter |
| CIP-005-5 | R2 | Interactive Remote Access |
| CIP-006-6 | R1 | Physical security plan |
| CIP-006-6 | R2 | Visitor control program |
| CIP-006-6 | R3 | Physical Access Control System maintenance and testing program |
| CIP-007-6 | R1 | Ports and services |
| CIP-007-6 | R2 | Security patch management |
| CIP-007-6 | R3 | Malicious code prevention |
| CIP-007-6 | R5 | System access control |

The IRA process produces a single summary report covering operations and planning (O&P) requirements, CIP requirements, or both. Texas RE will hold O&P and CIP engagements concurrently with a single engagement team lead (ETL). This single ETL will be your contact from the time you receive a notification letter until the final report.

Texas RE conducts a range of outreach efforts geared toward CIP. Let us know if you would like to host a session for Texas RE staff to meet with you and your neighbors. Additionally, we value input from attendees, and ask that you contact us with any suggestions regarding how we might improve the quality of our dialogue with entities. As always, reach out to Texas RE CIP with any of your CIP questions.
