2016-02 Modifications to CIP Standards | Technical Rationale and Justification for CIP-012-1

Start Date: 08/14/2017
End Date: 09/12/2017

Hot Answers

Tacoma Power supports the comments of APPA.

Marc Donaldson, On Behalf of: Tacoma Public Utilities (Tacoma, WA), , Segments 1, 3, 4, 5, 6

- 0 - 0

MidAmerican Energy Company comments on the CIP-012 focused on two major areas which impact the Technical Rationale and Justification document.

One, we do not agree with two separate requirements, one for a plan and one to implement. We recommend following precedent in the other CIP standards, for example, CIP-004 through CIP-011. The obligation can be accomplished with one requirement.

Two, the scoping for sensitive data should explicitly be information exchanged between Control Centers' BES Cyber Systems. This corresponds to the SDT's assertion that "this data resides within BES Cyber Systems, and while at rest is protected by CIP-003 through CIP-011." It also corresponds to FERC's recognition in their order that certain entities are already required to exchange necessary real-time and operational planning data through secured networks using mutually agreeable security protocol.

Additionally, the Technical Rationale and Justification document creates a higher bar than the obligation in the requirement and should be changed. Specifically, expectation levels are different between the requirement “to mitigate the risk of the unauthorized disclosure or modification of data” and the Technical Rationale and Justification's second sentence in the General Consideration for R2 section on page six, which states, “The protection must prevent unauthorized disclosure or modification of applicable data”. “Must prevent” is a higher bar than “mitigate the risk of.” The sentence on page 6 should be changed to match the sentence in the requirement.

MidAmerican Energy Company's comments on the proposed Control Center definition reflect concerns that renewable generation resources such as wind and solar are insufficiently addressed. While the concept of alignment with PER-005-2 has merit, PER-005-2 is antiquated in the reference to "plant operators located at a generator plant site." Renewable resources do not fit the traditional "plant site" or "plant operators" model of historical traditional generating plants. (The diagram on page five represents these as "control rooms.") We agree with excluding the plant operators at the plant site for traditional generation. It must also be clear that the operating personnel at wind and solar farms are also excluded.

Corresponding to the comment above, the diagram on page 5 of the Technical Rationale and Justification should include a box to demonstrate with a red dashed line that renewables operating personnel are also out-of-scope for Control Center communications.

Also in the diagram, we are trying to understand the two BA Control Center boxes. Why does one have no field assets depicted?

Also in the diagram, there is a box for "GOP control room." Shouldn't this be labeled as a GO control room?

Annette Johnston, On Behalf of: Annette Johnston, , Segments 1, 3

- 0 - 0

Other Answers

The California ISO supports the comments of the Security Working Group (SWG).

Richard Vine, On Behalf of: Richard Vine, , Segments 2

- 0 - 0

Nicholas Lauriat, On Behalf of: Network and Security Technologies, , Segments 1

- 0 - 0

The IESO offers the following comments:

  • On page 5, under the Control Center Ownership section, the following statement is confusing, “Applying protection among a Responsible Entity’s owned Control Centers is solely at its discretion.” Our understanding is that choosing to apply protections is not at our discretion; it is required. We recommend the following, “The method of applying protection to Control Centers exclusively owned by a Responsible Entity is solely at its discretion. However, when multiple Responsible Entities own a Control Center at either end of the communication link, applying protection requires additional coordination and diligence.”

  • Recommend that the rationale state that the standard does not increase the scope of BES Cyber Systems that require protections under CIP-002 thru CIP-011. The requirements apply only to the protection of the data that is transmitted across infrastructure not owned by a Responsible Entity. 

  • Implementation guidance is needed on the use of armored cable as a physical security protection method when using leased or subscribed fiber with multiple telecom carriers in the path. The guidance needs to address router hops and fiber patch panels that exist within a telecom provider’s central office. 

Leonard Kula, On Behalf of: Independent Electricity System Operator, , Segments 2

- 0 - 0

However, we are concerned because unauthorized alteration of Operational Planning Analysis data does not pose a threat to the BES. This should be addressed by TOP 010-1 regarding the quality of the data. Accordingly, we are not clear on the utility of the standard, since TOP 010-1 will mitigate the risk. Operational Planning Data is not real-time data.

The SDT should consider exempting email, as they did with oral communication, because of its use for communicating Operational Planning Data. We suggest that the SDT communicate the risk related to operational planning analysis data.

We would also like more guidance on key management and inter-utility agreements on key management. Whatever measures are implemented to meet compliance, they would increase operational burden and decrease reliability.

It may be more cost effective if an industry-wide initiative is conducted with encryption specifications. There may be issues with entities using divergent technologies and measures to prevent an uncoordinated, mismatched implementation that should be addressed. This initiative requires an industry-wide standard; entities cannot decide individually to implement encryption schemes without coordination.

Joe Tarantino, On Behalf of: Sacramento Municipal Utility District - WECC - Segments 1, 3, 4, 5, 6

- 0 - 0

Please disregard the answer above. This was an error. I am unable to change it. We have no comments on this item. Dermot Smyth.

Con Edison, Segment(s) 1, 3, 5, 6, 6/24/2016

- 0 - 0

While the CIP standards should emphasize outcomes and allow entities to achieve specific security objectives in many ways, protections applied to communications should be evaluated with due consideration of the context in which people, processes and technology are applied to establish a given security protection.  Demonstration of risk mitigation should include assessment of not just technology and process to provide protection, but also the diversity and severity of threats present in a given context (e.g. the difference between dedicated communication links as opposed to broadly shared communications infrastructure).  Particular technology and process applied in a context with fewer or lower likelihood threats should be preferred over the same technology and process in a context with more or greater likelihood threats (i.e. greater overall risk).  Simply specifying that some (how much?) risk mitigation should be applied by means that include physical, logical and possibly other means leads to insufficient conditions for establishing compliance both for the responsible entity and anyone reviewing compliance for that entity.  Entities should consider not only that risk mitigation should take place, but also the thresholds for residual risk that should be considered acceptable for such communication.

David Rivera, On Behalf of: New York Power Authority, , Segments 1, 3, 5, 6

- 0 - 0

FMPA does not agree that the Technical Rationale and Justification for CIP-012-1 fully explains the technical reasoning for the standard.

The Rationale document does not provide justification for the Operational Planning and Analysis data that is included in the scope of this standard.

While the document does provide an example of communication paths (page 5), the example would be improved by adding a communication path between the TOP Control Center and the GOP Control Center.

FMPA, Segment(s) , 8/2/2017

- 0 - 0

Texas RE understands that the intent of a Technical Rationale document, as presented to the NERC Members Representative Committee on August 9, 2017, is to provide stakeholders and the ERO Enterprise an understanding of the technology and technical requirements of the Reliability Standard. However, the majority of this Technical Rationale Document for proposed Reliability Standard CIP-012-1 appears to be Implementation Guidance. Texas RE recommends following the process for submitting Implementation Guidance for the content of this document.

Texas RE addressed its concerns with CIP-012-1 in its comments on the requirement language. Please refer to Texas RE’s comments on the proposed draft of CIP-012-1. If, in the future, a draft Implementation Guidance is posted for review, Texas RE will evaluate it at that point.

Rachel Coyne, On Behalf of: Texas Reliability Entity, Inc., , Segments 10

- 0 - 0

SCL supports APPA's comments.

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

Daniel Gacek, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

Santee Cooper, Segment(s) 1, 9/8/2017

- 0 - 0

This document does not provide justification for the inclusion of the Operational Planning and Analysis data. NCPA suggests it be removed from the standard's scope.

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 5, 6

- 0 - 0

AZPS provides the following comments for the SDT’s consideration:

  1. The statement provided in “General Considerations for Requirement R1” clearly limits the applicability of Requirement R1 to the real-time horizon and does not indicate Requirement R1 being applicable to the Operational Planning Horizon. Specifically, the technical justification states that the focus is on “developing a plan to protect information that is critical to the real-time operations of the Bulk Electric System.” This is in direct conflict with the draft standard, which scopes the plan “to mitigate the risk of the unauthorized disclosure or modification of data used for Operational Planning Analysis, Real-time Assessment, and Real-time monitoring data.” AZPS reiterates its comments in response to the draft CIP-012-1 that the inclusion of data used for Operational Planning Analysis does not have a meaningful impact on reliability or real-time operations for the BES such that extending protection to Operational Planning Analysis results in overall benefits to reliability.
  2. AZPS is concerned that the rationale provided in “Alignment with IRO and TOP standards” may misalign with the IRO Standards. The IRO and TOP Standards explicitly allow each responsible entity to develop individual data specifications because responsible entity processes can differ based upon operational characteristics, coordinated functional registrations, delegation agreements, operating agreements, etc. Statements within that section that these requirements force consistency in data and data specifications appear to directly conflict with the intent and flexibility of the IRO and TOP data specification requirements.
  3. AZPS also suggests revising the third sentence in the section entitled “Control Center Ownership” because that sentence, read alone, absolves a responsible entity from protecting communications between its own control centers. The sentence in question reads “Applying protection among a Responsible Entity’s owned Control Centers is solely at its discretion.” This sentence also seems to conflict with the first sentence in the same section.

Vivian Moser, On Behalf of: Vivian Moser, , Segments 1, 3, 5, 6

- 0 - 0

The document makes a good case for the security needed for Real-time data. It does not treat the Planning and Analysis data as well. Please see the AEP comments in the Unofficial Comment Form for CIP-012-1.

Aaron Austin, On Behalf of: Aaron Austin, , Segments 3, 5

- 0 - 0

WAPA feels there is additional need for clarity and proposed language as identified in the NSRF comments.

sean erickson, On Behalf of: Western Area Power Administration, , Segments 1, 6

Project 2016-02_CIP-012-1_NSRF Final.docx

- 0 - 0

Cowlitz PUD supports the comments submitted by APPA.

Russell Noble, On Behalf of: Cowlitz County PUD, , Segments 3, 5

- 0 - 0

Louisville Gas and Electric Company and Kentucky Utilities Company, Segment(s) 3, 5, 6, 4/13/2017

- 0 - 0

The SRC & ITC SWG offers the following comments:

On page 5, under the Control Center Ownership section, the following statement is confusing, “Applying protection among a Responsible Entity’s owned Control Centers is solely at its discretion.” Our understanding is that choosing to apply protections is not at our discretion; it is required. We recommend the following, “The method of applying protection to Control Centers exclusively owned by a Responsible Entity is solely at its discretion. However, when multiple Responsible Entities own a Control Center at either end of the communication link, applying protection requires additional coordination and diligence.”

Recommend that the rationale state that the standard does not increase the scope of BES Cyber Systems that require protections under CIP-002 thru CIP-011. The requirements apply only to the protection of the data that is transmitted across infrastructure not owned by a Responsible Entity.

Implementation guidance is needed on the use of armored cable as a physical security protection method when using leased or subscribed fiber with multiple telecom carriers in the path. The guidance needs to address router hops and fiber patch panels that exist within a telecom provider’s central office.

SRC + SWG , Segment(s) 2, 3, 1, 0, 9/11/2017

- 0 - 0

Theresa Rakowsky, On Behalf of: Theresa Rakowsky, , Segments 1, 3, 5

- 0 - 0

SERC CIPC, Segment(s) 10, 1, 2, 5, 9, 8/19/2016

- 0 - 0

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 3 - 0

In order to evaluate the extent and kind of obligation involved, the definition of "between control centers" needs to be clearer with regard to the communication link. What are the demarcation points for the obligation to show compliance? Should there be explicit agreements with each end of the communication link to arrange such demarcation? How should responsible entities deal with third parties involved with trust relationships in communication links (i.e., telecommunications providers managing routers)?

Michael Puscas, On Behalf of: ISO New England, Inc., , Segments 2

- 0 - 0

A) It is understood that the reference model shown on page 5 is an example of communication paths. Suggest adding the communication path between the TOP Control Center and the GOP Control Center to provide further clarity.

B) This document does not provide justification for the inclusion of the Operational Planning and Analysis data in the scope of this standard. Suggest that this be added to the Technical Rationale and Justification document or that this data be removed from the scope of the standard.

Brian Evans-Mongeon, On Behalf of: Utility Services, Inc., , Segments 4

- 0 - 0

ERCOT ISO supports the comments of the ITC SWG.

The ITC SWG offers the following comments:

  • On page 5, under the Control Center Ownership section, the following statement is confusing, “Applying protection among a Responsible Entity’s owned Control Centers is solely at its discretion.” Our understanding is that choosing to apply protections is not at our discretion; it is required. We recommend the following, “The method of applying protection to Control Centers exclusively owned by a Responsible Entity is solely at its discretion. However, when multiple Responsible Entities own a Control Center at either end of the communication link, applying protection requires additional coordination and diligence.”

  • Recommend that the rationale state that the standard does not increase the scope of BES Cyber Systems that require protections under CIP-002 thru CIP-011. The requirements apply only to the protection of the data that is transmitted across infrastructure not owned by a Responsible Entity. 

  • Implementation guidance is needed on the use of armored cable as a physical security protection method when using leased or subscribed fiber with multiple telecom carriers in the path. The guidance needs to address router hops and fiber patch panels that exist within a telecom provider’s central office. 

Elizabeth Axson, On Behalf of: Elizabeth Axson, , Segments 2

- 0 - 0

The SPP Standards Review Group recommends that the drafting team include other Standards that are identified in the question #2 comment form (Glossary of Terms Used in NERC Reliability Standards - Control Center). From our perspective, the technical documents only mention the applicable TOP and IRO Standards. If other standards are identified that are potentially impacted by this definition change, they need to be included in the documentation to help support justification as well as showing consistency.

SPP Standards Review Group, Segment(s) , 9/11/2017

- 1 - 0

Sandra Shaffer, On Behalf of: Sandra Shaffer, , Segments 6

- 0 - 0

The standard as drafted explicitly excludes oral communications, but does not consider forms of written communication (email, chat, etc.) that could communicate the same type of information that an oral communication could. These written instructions are commonly outside of SCADA systems and are on corporate systems, and this standard would require physical or logical controls on those systems for communications that may traverse these systems. The standard should specify the protection of “operational data”, “BCS Data”, or some other term to clarify protection of data outside of instructions, or provide data validation (i.e., verify emails by phone) as an acceptable control.

Additionally, Entergy has concerns over expanding the scope of protection from “real-time” as defined in other CIP standards and through existing CIP definitions, to require the protection of Operational Planning Analysis data that is outside of the “real-time” horizon.

James Gower, On Behalf of: Entergy, SERC, Segments NA - Not Applicable

- 0 - 0

Reclamation recommends the NIST definitions of “confidentiality” and “integrity” be added to the NERC Glossary of Terms Used in Reliability Standards, rather than referring to NIST Special Publication 800-53A, Revision 4.

Reclamation also recommends the Drafting Team state clearly that examples provided in Technical Rationale and Justification documents are neither mandatory, nor enforceable, nor the only method of achieving compliance.

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

Jamie Monette, On Behalf of: Allete - Minnesota Power, Inc., , Segments 1

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

N/A

Normande Bouffard, On Behalf of: Normande Bouffard, , Segments 1, 5

- 0 - 0

OPG understands the focus is on protection of data communication between control centers but would like to clarify that it is not being required to verify the integrity of data from its origination points to the point where it is first aggregated at a control center, as this would be a substantially more difficult and costly requirement to achieve.

David Ramkalawan, On Behalf of: David Ramkalawan, , Segments 5

- 0 - 0

Laura Nelson, On Behalf of: Laura Nelson, , Segments 1

- 0 - 0

While the CIP standards should emphasize outcomes, and allow entities to achieve specific security objectives in many ways, protections applied to communications should be evaluated with due consideration of the context in which people, processes and technology are applied to establish a given security protection.  Demonstration of risk mitigation should include assessment of not just technology and process to provide protection, but also the diversity and severity of threats present in a given context (e.g. the difference between dedicated communication links as opposed to broadly shared communications infrastructure).  Particular technology and process applied in a context with fewer or lower likelihood threats should be preferred over the same technology and process in a context with more or greater likelihood threats (i.e. greater overall risk).  Simply specifying that some (how much?) risk mitigation should be applied by means that include physical, logical and possibly other means leads to insufficient conditions for establishing compliance both for the responsible entity and anyone reviewing compliance for that entity.  Entities should consider not only that risk mitigation should take place, but also the thresholds for residual risk that should be considered acceptable for such communication.

RSC no Con-Edison and Dominion, Segment(s) 10, 2, 4, 5, 6, 7, 1, 3, 9/11/2017

- 0 - 0

This document does not address what equally effective methods are or what appropriate physical controls may be. It also does not discuss where physical controls may or may not be appropriate over logical controls such as encryption. SRP also does not believe the document addresses latency or computer resource concerns. SRP requests additional guidance on what would be acceptable for these items.

SRP also agrees with APPA’s recommendation to provide justification for the inclusion of the Operational Planning and Analysis data in the scope of this standard.

Lona Calderon, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

BC Hydro, Segment(s) 1, 2, 3, 5, 5/6/2015

- 0 - 0

Douglas Webb, On Behalf of: Great Plains Energy - Kansas City Power and Light Co., SPP RE, Segments 1, 3, 5, 6

- 0 - 0

Southern disagrees with the Technical Rationale and Justification for CIP-012 for several reasons. We feel that the “data centric approach” being pursued opens the door for misinterpretation and the unintentional scoping-in of data that does not require protection. We are concerned that under the proposed Standard, the efforts required in redefining the data to be protected will obscure the true intent of the standard, which is to protect the communications links over which the data travels. We feel that clarification of the scope of the data to be protected is essential for ensuring that the correct communications links are secured and the standard can be properly implemented via an appropriate technical solution. As currently written, Southern feels that the scope is too broad and the protections required would be cost prohibitive.

Southern Company, Segment(s) 1, 3, 5, 6, 6/15/2017

- 0 - 0

While BPA agrees that the draft Technical Rationale and Justification for CIP-012-1 clearly explains the technical reasoning for the proposed standard, BPA does not agree that the intent of FERC Order No. 822 has been met. Order No. 822 requires implementation of controls to protect, at a minimum, communication links AND sensitive BES data communicated between BES Control Centers. However, the SDT is providing latitude to protect communication links, data, or both. BPA recommends placing controls on the data (encryption where availability requirements are not negatively impacted) AND end points (physical controls) where technically feasible.

Additionally, BPA has concerns about the SDT’s assumption that “availability” is adequately addressed by other NERC standards (TOP-001-4 and IRO-002-5), as discussed in the “Overview of confidentiality and integrity” section of the Technical Rationale and Justification.

  1. The proposed language includes protection of “confidentiality and integrity of data” but excludes “availability” from the language of the requirement. However, in the Confidentiality/Integrity/Availability (CIA) triad for information security, each leg must be balanced against the other two legs. By segregating Availability to TOP-001-4 and IRO-002-5, while leaving Confidentiality/Integrity in the proposed CIP-012 standard, it becomes impossible to properly balance all three legs of the triad to achieve optimum Reliability of the BES. The cyber security triad represents design tradeoffs; entities can’t properly design communications networks (or worse, existing infrastructure may need to be rebuilt) if one of the options (Availability) is removed from consideration.

  2. While TOP-001-4 and IRO-002-5 (redundancy and diverse routing of data) can be used to increase Availability, Availability can also be achieved through other equally effective methods. Therefore, “Availability” is not adequately addressed by TOP-001-4 and IRO-002-5, and this limits entities’ options to address availability by other methods more appropriate to their systems.

Therefore, BPA proposes that “availability” be included in the Technical Rationale and Justification to meet the security objectives of Order 822, i.e., “…to protect AVAILABILITY, confidentiality and integrity of data required for reliable operation....”

BPA also encourages the SDT to use the Guidelines and Technical Basis section to recognize the distinction between the engineering/design term “availability” (in which availability is quantitative, e.g., a system is designed to be available 99.99% of the time) and the cyber security application in which availability is a qualitative element of security that is constantly balanced against two other (often competing) elements (confidentiality and integrity).

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

APPA does not agree that the Technical Rationale and Justification for CIP-012-1 fully explains the technical reasoning for the standard. The document does not address what equally effective methods are, or what appropriate physical controls may be. Nor does it discuss where physical controls may or may not be appropriate over logical controls such as encryption. In addition, latency and computer resource concerns are not addressed.

The Rationale document does not provide justification for the Operational Planning and Analysis data that is included in the scope of this standard.

While the document does provide an example of communication paths (page 5), the example would be improved by adding a communication path between the TOP Control Center and the GOP Control Center.

Jack Cashin, On Behalf of: American Public Power Association, , Segments 4

- 0 - 0