CIP-WebEx-013106

Transcript CIP-WebEx-013106

NERC Cyber Security Standards
Pre-Ballot Review
Background
• President’s Commission on Critical Infrastructure Protection
• PDD-63
• SMD NOPR
• NERC Urgent Action Cyber Security Standards 1200
• Joint US-Canada Task Force Report on the August 2003 Blackout
• National Infrastructure Protection Plan
General
• Numerous comments received on Draft 3
• Comments focused on technical issues
• Comments represented industry consensus
General
• Ensured that requirements are clear and concise.
• Eliminated redundancy between the standards.
• Ensured that levels of noncompliance correctly align with the requirements and are auditable.
• Removed references to IAW/SOP
Definitions
• The definition of Critical Assets was changed to remove the references to “large quantities of customers” and “significant risk to public health and safety.”
• The new definition is “Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.”
CIP-002
Critical Cyber Asset Identification
• List of Required Critical Assets in Requirement 1 was removed.
• R1 divided into two requirements: “R1. Critical Asset Identification Method” and “R2. Critical Asset Identification.” (New R1 requires Responsible Entities to identify and document a risk-based assessment methodology that shall consider, at a minimum, certain assets as listed in the standard.)
• R2 requires Responsible Entities to apply the risk-based assessment methodology required in R1 to identify their lists of Critical Assets.
CIP-004
Personnel and Training
• The update period for Personnel Risk Assessment was extended to 7 years. The review period was changed to be consistent with the update period.
• Personnel risk assessments and training no longer need to be completed prior to permitting authorized cyber or authorized unescorted physical access; rather, they must be conducted within 90 calendar days of personnel being granted such access.
Other Changes of Significance
• CIP-003 – Security Management Controls
– Provision for emergency situations
– Removed “test environment” from Change Management
• CIP-005 – Electronic Security Perimeter(s)
– Removed requirement for port scanning
Implementation Plan for Standards
• Implementation plan has been modified to recognize the time necessary to fully implement these standards.
• New phase of compliance has been added to the tables.
• Begin Work (BW) has been clarified to mean a Responsible Entity has developed and approved a plan to address the requirements of a standard, has begun to identify and plan for necessary resources, and has begun implementing the requirements.
Ballot Process
• Balloting opens Feb. 17th for ten days
• Drafting Team will respond to any negative comments
• If necessary, recirculation balloting will be conducted
• Persons interested in voting must be registered in the ballot pool by Feb. 17th
And now it’s time for your questions and comments.
Larry Bugh
Chair, Cyber Security Standards Drafting Team
330.580.8017
[email protected]