This comment form is no longer interactive because the comment period is closed.

2016-02 Modifications to CIP Standards | CIP-002-6

Description:

Start Date: 09/14/2017
End Date: 10/30/2017

Associated Ballots:

Ballot Name Project Standard Pool Open Pool Close Voting Start Voting End
2016-02 Modifications to CIP Standards CIP-002-6 IN 1 ST 2016-02 Modifications to CIP Standards CIP-002-6 09/14/2017 10/13/2017 10/20/2017 10/30/2017

Filter:

Hot Answers

NRG requests that the drafting team to provide clarity on page 18 in reference to criteria 2-12 rationale. The third paragraph mentions BES Cyber Systems and NRG requests SDT consideration that it should reference BES Transmission Lines instead.

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Robert Blackney, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Jeff Ipsaro, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

Val Ridad, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 9/18/2017

- 0 - 0

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 10/16/2017

- 0 - 0

We believe further language is specifically required in Criterion 2.12 to clarify that the functional registration of Transmission Owner and Transmission Operator apply.  Per the registration criteria, Transmission Operators are “responsible for the reliability of its local transmission system and operates or directs the operations of the transmission Facilities.”  As a result, this responsibility falls on directly on Transmission Operators.  Further expansion of the criterion places responsibilities on Transmission Owners for activities they are not registered for.

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 6/15/2017

- 0 - 0

Jim Nail, 10/23/2017

- 0 - 0

Jennifer Hohenshilt, On Behalf of: Talen Energy Marketing, LLC, , Segments 6

- 0 - 0

Anton Vu, Los Angeles Department of Water and Power, 6, 10/23/2017

- 0 - 0

David Maier, 10/24/2017

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 10/25/2017

- 0 - 0

Colorado Srings Utilities supports Cowlitz PUD and APPA comments

Colorado Springs Utilities, Segment(s) 5, 3, 1, 6, 5/6/2015

- 0 - 0

The proposed revisions improve upon the clarity of the applicability of Criterion 2.12; however, the proposed criterion raises a number of issues, many of which are discussed in our response to question 2. 

In addition, page 33 of the GTB states that “[i]n accordance with Criterion 2.12, the BES Cyber System(s) associated with the Control Center should be categorized as medium impact BES Cyber System(s).  This statement could be interpreted by an auditor as requiring that all systems controlled and monitored by a medium impact Control Center should also be rated as medium impact as well.  For this reason, Dominion Energy suggests that the language be changed to “In accordance with Criterion 2.12, all BES Cyber Systems contained within four walls of a medium impact Control Center should be categorized as medium impact BES Cyber System(s).”  Such a change would more clearly categorize the applicable assets while limiting an interpretation of the language to mean something outside or beyond the four walls of the medium impact Control Center.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

Aaron Austin, 10/26/2017

- 0 - 0

No.  For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criteria. 

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

Jeanne Kurzynowski, On Behalf of: Consumers Energy Company - RF - Segments 1

- 0 - 0

Hien Ho, Tacoma Public Utilities (Tacoma, WA), 4, 10/26/2017

- 0 - 0

Although the operation of breakers and switches is discussed in the Supplemental Material, it is not clear how Criterion 2.12 addresses whether “the TO has the capability to operate switches, breakers, and relays in the BES.”

CIP-002 is fundamental to determining which Cyber Assets are within scope. Reclamation recommends the impact rating of a BES Cyber System be determined by its possible impact on the Bulk Electric System, not where it resides (Control Center or any other location), how it is identified (virtual, non-virtual, hardware, software, etc.), and regardless of a Responsible Entity’s functional registration. Following this principle, phrases such as “performing the functional obligations of” are unnecessary.

Reclamation also recommends simplifying the Impact Rating Criteria using the methodology described below.

BES Cyber Systems are to be rated as high, medium, or low impact as follows:

A high impact BES Cyber System has one or more of the following characteristics:

  • Is used to operate transmission lines of 500kV or above
  • Supports a sum greater than 2500kV of transmission lines above 230kV
  • Supports generation with an aggregate capacity greater than 3000MW
  • Is identified as supporting an IROL or is necessary to avoid an Adverse Reliability Impact

A medium impact BES Cyber System has one or more of the following characteristics:

  • Supports generation with the aggregate capacity between 1500 – 3000MW
  • Supports a sum between 1500 – 2500kV of transmission lines above 230kV
  • Supports a RAS that could negatively affect an IROL or that can perform automatic Load shedding of 300MW or more

A low impact BES Cyber System has one or more of the following characteristics:

  • Supports a sum less than 1500kV of transmission lines above 230kV
  • Supports transmission only between 110 – 230kV
  • Supports generation with an aggregate capacity between 75 – 1500MW
  • Supports any single generator greater than 20MW not already identified as a Medium Impact BES Cyber System
  • Supports any Facilities that are designated a blackstart resource
  • Supports any other RAS not already identified as a medium impact BES Cyber System

Wendy Center, U.S. Bureau of Reclamation, 5, 10/26/2017

- 0 - 0

NIPSCO is in support of the comment provided by EEI below.

"The proposed revisions improve upon the clarity of the applicability of Criterion 2.12; however, the proposed criterion raises a number of issues, many of which are discussed in our response to question 2. 

 

In addition, page 33 of the GTB states that “[i]n accordance with Criterion 2.12, the BES Cyber System(s) associated with the Control Center should be categorized as medium impact BES Cyber System(s).  This statement could be interpreted by an auditor as requiring that all systems controlled and monitored by a medium impact Control Center should also be rated as medium impact as well.  For this reason, EEI suggests that the language be changed to “In accordance with Criterion 2.12, all BES Cyber Systems contained within four walls of a medium impact Control Center should be categorized as medium impact BES Cyber System(s).”  Such a change would more clearly categorize the applicable assets while limiting an interpretation of the language to mean something outside or beyond the four walls of the medium impact Control Center."

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 10/27/2017

- 0 - 0

Steven Powell, On Behalf of: Trans Bay Cable LLC, WECC, Segments NA - Not Applicable

- 0 - 0

For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criteria.

 

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

James Anderson, 10/27/2017

- 0 - 0

Vivian Moser, 10/27/2017

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 10/27/2017

- 0 - 0

For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criteria.

 

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 10/27/2017

- 0 - 0

IMEA supports APPA comments.

Mary Ann Todd, Illinois Municipal Electric Agency, 4, 10/27/2017

- 0 - 0

Bette White, 10/27/2017

- 0 - 0

Russell Noble, Cowlitz County PUD, 3, 10/27/2017

- 1 - 0

Daniel Grinkevich, 10/30/2017

- 0 - 0

Stephanie Burns, 10/30/2017

- 0 - 0

SRC + SWG , Segment(s) 2, 3, 1, 0, 10/30/2017

- 0 - 0

NRECA supports the modified Criterion 2.12.

Barry Lawson, 10/30/2017

- 0 - 0

Regan Haines, On Behalf of: TECO - Tampa Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

Tyson Archie, Platte River Power Authority, 5, 10/30/2017

- 0 - 0

The proposed revisions improve upon the clarity of the applicability of Criterion 2.12; however, the proposed criterion raises a number of issues, many of which are discussed in our response to question 2. 

In addition, page 33 of the GTB states that “[i]n accordance with Criterion 2.12, the BES Cyber System(s) associated with the Control Center should be categorized as medium impact BES Cyber System(s).  This statement could be interpreted by an auditor as requiring that all systems controlled and monitored by a medium impact Control Center should also be rated as medium impact as well.  For this reason, EEI suggests that the language be changed to “In accordance with Criterion 2.12, all BES Cyber Systems contained within four walls of a medium impact Control Center should be categorized as medium impact BES Cyber System(s).”  Such a change would more clearly categorize the applicable assets while limiting an interpretation of the language to mean something outside or beyond the four walls of the medium impact Control Center.

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 10/30/2017

- 0 - 0

MidAmerica would like to change its answer for this question to NO.

MidAmerican agrees with EEI"s  comments. Please see EEI's Comments below:

 

The proposed revisions improve upon the clarity of the applicability of Criterion 2.12; however, the proposed criterion raises a number of issues, many of which are discussed in our response to question 2. 

 

In addition, page 33 of the GTB states that “[i]n accordance with Criterion 2.12, the BES Cyber System(s) associated with the Control Center should be categorized as medium impact BES Cyber System(s).  This statement could be interpreted by an auditor as requiring that all systems controlled and monitored by a medium impact Control Center should also be rated as medium impact as well.  For this reason, EEI suggests that the language be changed to “In accordance with Criterion 2.12, all BES Cyber Systems contained within four walls of a medium impact Control Center should be categorized as medium impact BES Cyber System(s).”  Such a change would more clearly categorize the applicable assets while limiting an interpretation of the language to mean something outside or beyond the four walls of the medium impact Control Center.

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 10/30/2017

- 0 - 0

The removal of the term “functional obligation” from 2.12 still does not clarify the requirement applies to TO because the capitalized term Control Center is used and that term implies functional registery (RC/BA/TOP/GOP).  Clarification could be improved by using the non-capitalized term  “control center” and defined as used in CIP-014.  In addition, the use of the term “control” is also a source of confusion as it can be interpreted as having operational control (ie. Direct the switching operation) or physical control (perform the switching operation).

David Rivera, New York Power Authority, 3, 10/30/2017

- 0 - 0

The California ISO supports the comments of the Security Working Group (SWG)

- 0 - 0

Manitoba Hydro, Segment(s) 5, 3, 6, 1, 8/8/2017

- 1 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Bob Solomon, On Behalf of: Bob Solomon, , Segments 1

- 0 - 0

No Response.

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

Louisville Gas and Electric Company and Kentucky Utilities Company, Segment(s) 3, 5, 6, 4/13/2017

- 0 - 0

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

Mike Lotz, On Behalf of: Mike Lotz, , Segments 3, 5

- 0 - 0

Salt River Project supports comments submitted by APPA.

Lona Calderon, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Russel Mountjoy, 10/30/2017

- 0 - 0

Duke Energy requests further clarification on the removal of the phrase “perform functional obligations of a TOP”. Was it the drafting team’s intent that all Control Centers, and not just Control Centers that perform TOP obligations, should be considered applicable to the new criterion? For instance, would a Control Center operated by a GO/GOP or a DP be considered under this criterion, even though any operation involving Transmission lines conducted by that Control Center, would only be done at the direction of a Transmission Operator? We would also like to point out that the use of “functional obligations” is also present when referencing the BA in 2.13. Lastly, the revision proposed to criterion 2.12 appears to create some inconsistency with the language used in the High Impact section, part 1.3.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

FMPA appreciates the SDT efforts for clarifying the the applicability requirements for a TO Control Center that performs the functional obligations of a TOP.  We have some suggested language for Criterion 2.12 that we feel removes some ambiguity and possible interpretration questions.  Our suggested language is as follows:

“Each BES Cyber System, not included in Section 1 above, associated with any of the following:”

“Cyber Assets used to control BES Transmission lines, located at Control Centers or backup Control Centers, where the summed weighted value (according to the table below) of each BES Transmission Line controlled or monitored exceeds 6000.”

FMPA, Segment(s) , 10/23/2017

2016-02_CIP-002-6_Unofficial_Comment_Form_10 27 17 draft- FMPA.pdf

- 0 - 0

Nicolas Turcotte, Hydro-Qu?bec TransEnergie, 1, 10/30/2017

- 0 - 0

The proposed revisions improve upon the clarity of the applicability of Criterion 2.12; however, the proposed criterion raises a number of issues, many of which are discussed in our response to question 2. 

In addition, page 33 of the GTB states that “[i]n accordance with Criterion 2.12, the BES Cyber System(s) associated with the Control Center should be categorized as medium impact BES Cyber System(s).”  EEI is concerned that this statement might be interpreted by an auditor as requiring that all systems controlled and monitored by a medium impact Control Center should also be rated as medium impact as well.  For this reason, EEI suggests that the SDT consider revised  language similar to the following: “In accordance with Criterion 2.12, all BES Cyber Systems contained within four walls of a medium impact Control Center should be categorized as medium impact BES Cyber System(s).”  Such a change would more clearly categorize the applicable assets while limiting an interpretation of the language to mean something outside or beyond the four walls of the medium impact Control Center.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

MMWEC agrees that revisions to Criterion 2.12 clarify the issue of “functional obligation.” However, additional wording for Criterion 2.12 is needed to further clarify how Criterion 2.12 is to be applied. MMWEC supports APPA’s response to question 5 regarding this issue.

David Gordon, 10/30/2017

- 0 - 0

Jack Cashin, American Public Power Association, 4, 10/30/2017

- 1 - 0

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 4 - 0

Eversource Group, Segment(s) 5, 3, 9/11/2017

- 0 - 0

Steve Rawlinson, 10/30/2017

- 0 - 0

Payam Farahbakhsh, Hydro One Networks, Inc., 1, 10/30/2017

- 0 - 0

Sandra Shaffer, 10/30/2017

- 0 - 0

KCP&L incorporates by reference Edison Electric Institute’s (EEI) Question 1 response.

Douglas Webb, 10/30/2017

- 0 - 0

The new 2.12 criterion language has the Impact Rating on the “Control Center” as an asset, yet in the “Rationale for Criterion 2.12” on page 18 of the standard it has the “…aggregate weighted value for applicable BES Cyber Systems…”.  This is a problem because there could be a case where the number of transmission lines being controlled from a Control Center (asset) add up to a weighted value 8000 but there are two completely separate control systems (applicable BES Cyber Systems) each controlling transmission lines that would add up to a weighted value of 4000.  In this case the language of IRC would lead you to make both control systems Medium Impact as the asset is being rated.  If the intent of the standard is to assign the aggregate weighted value to the BES Cyber Systems as the language in the “Rationale for Criterion 2.12”, the two do not align and confuse the reader.  The “Consideration of Issues and Directives” on the NERC project site also says that the “Criterion 2.12 provides a bright line threshold that categorizes BES Cyber Systems associated with Control Centers of Transmission as medium impact.”. This leads the reader to believe the aggregate weighted value is associated with BES Cyber Systems, not the Control Center asset itself.  We recommend the language of the standard and any rationale or guidance be made clear as to which one (the Control Center asset or the BES Cyber System) the aggregate weighted value is associated.

Don Schmit, 10/30/2017

- 0 - 0

ERCOT ISO signs on to the SRC + SWG comments.

Elizabeth Axson, 10/30/2017

- 0 - 0

Texas RE agrees with the Standard Drafting Team’s (SDT) approach to to replace the “functional obligation” language in CIP-002-5.1, Criteria 2.12 with a bright line 6000 weighted value for BES Transmission Line threshold for delineating Medium and Low Impact Control Centers. 

Rachel Coyne, Texas Reliability Entity, Inc., 10, 10/30/2017

- 0 - 0

Seattle City Light supports the comments of Cowlitz PUD and APPA.

Seattle City Light, Segment(s) 1, 3, 4, 5, 6, 10/5/2015

- 0 - 0

RSC no Dominion and ISO-NE, Segment(s) 10, 2, 4, 5, 6, 7, 1, 3, 10/30/2017

- 0 - 0

We support comments offered by EEI for this question.

David Jendras, Ameren - Ameren Services, 3, 10/30/2017

- 0 - 0

Fred Frederick, 10/30/2017

- 0 - 0

Spencer Tacke, Modesto Irrigation District, 4, 10/30/2017

- 0 - 0

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

The group would like the drafting team to provide clarity on page 18 in reference to criteria 2-12 rationale. The third paragraph mention BES Cyber Systems and we feel that it should reference BES Transmission Lines instead.

SPP Standards Review Group, Segment(s) , 10/30/2017

- 0 - 0

Jeff Johnson, 10/30/2017

- 0 - 0

Please refer to comments submitted by Robert Blackney on behalf of Southern California Edison

Kenya Streeter, Edison International - Southern California Edison Company, 6, 10/30/2017

- 0 - 0

Michael Johnson, On Behalf of: Burns & McDonnell, FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments NA - Not Applicable

- 0 - 0

 SNPD does not have comments on Question 1.

Long Duong, 10/30/2017

- 0 - 0

Hot Answers

NRG has a concern that there may be confusion on what the drafting team’s intent is in reference to proposed language pertaining to BES Cyber System’s span of control instead of the BES Cyber System monitors and controls. Industry interpretation of the current language leads NRG stakeholders to believe that the Rationale information may not match up correctly with the CIP-002-6 Standard. (NRG reqeusts clarity on the operation authortity versus capability). NRG requests that the drafting team provide clarity on what their intent is in reference to Criterion 2.12 and verify the alignment of the rationale document and the standard.

Question: Does control include the ability to issue an operating instruction through another element besides a BES Cyber System element?  Is it the intent of the SDT, that a TOP could drop from Medium to Low based on these calculations?  It seems that most if not all TOPs are Medium and this can reduce them to Low which may be a concern for the industry.

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Robert Blackney, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Jeff Ipsaro, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

Val Ridad, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 9/18/2017

- 0 - 0

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 10/16/2017

- 0 - 0

Seminole agrees that this is a valid approach as long as Functional Registrations are honored.

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 6/15/2017

- 0 - 0

Jim Nail, 10/23/2017

- 0 - 0

Jennifer Hohenshilt, On Behalf of: Talen Energy Marketing, LLC, , Segments 6

- 0 - 0

Anton Vu, Los Angeles Department of Water and Power, 6, 10/23/2017

- 0 - 0

David Maier, 10/24/2017

- 0 - 0

N&ST assumes, based on the precise wording of Criterion 2.12, that what must be evaluated is a Control Center's span of control, vs. any particular BES Cyber System associated with a Control Center, and that if a Control Center meets this criterion, all of its associated BES Cyber Systems must be categorized as medium impact.

Nicholas Lauriat, Network and Security Technologies, 1, 10/25/2017

- 0 - 0

Colorado Srings Utilities supports Cowlitz PUD and APPA comments

Colorado Springs Utilities, Segment(s) 5, 3, 1, 6, 5/6/2015

- 0 - 0

Dominion Energy disagrees with modified criterion and weighted value used in Criterion 2.12 for the following reasons:

  1. The use of an aggregate weighted value of 6000 contains no justified rationale and appears to be an arbitrary selection. There is no methodology provided that demonstartes how the value is derived.
  2. The proposed criterion approach, which deviates from the facilities-based approach used to identify high impact Control Centers (i.e., those monitoring and controlling medium impact facilities), appears tofocus on the number of lines rather than facility impacts. This appears to create situations where control centers that simply monitor a large number of lower impact transmission lines (i.e., 24 or more - 100kV to 199kV lines) will be classified as medium impact while other Control Centers that are monitoring and controlling a small number of higher impact transmission lines (i.e., 300kV to 499kV and 200kV to 299kV lines) could be classified as low impact.
  3. The proposed Criterion 2.12 does not consider or exempt radial feeders.

    Dominion Energy recommends that the SDT consider limiting the voltage range for medium impact Control Centers to 200kV, similar to Criterion 2.5, and in addition to providing the methodology for the derivation of the value, replacing the aggregate weighted value “exceeding 6000” with a range “exceeding 2500 but below 3000.” We also recommend that Criterion 2.12 use the same table and methodology as provided in Criterion 2.5 since a similar approach would provide greater focus and emphasis on identifying those facilities which are most likely to have the greatest impact on BES reliability.  Lastly, we recommend that if a Control Center only monitors and controls BES Transmission Lines within the range of 100kV to 199kV, then it should be considered a Low Impact Control Center.

    These recommendations more closely leverage Criterion 2.5 and provide greater consistency, which is more likely to result in the identification of higher impact Control Centers through the use of a lower “aggregate weighted value.”  Moreover, Control Centers that fell just outside of the parameters used to identify high impact Control Centers would be categorized as Medium Impact with this approach.  This recommended approach also does not inappropriately pull in a disproportionate number of Control Centers that are simply monitoring lower voltage transmission lines.  The rationale for the proposed aggregate weighted value between 2500 to 2999 is that Control Centers monitoring and controlling transmission facilities with two connected 345kV lines or four connected 230kV lines at a transmission station or substation would be categorized as Medium Impact.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

Aaron Austin, 10/26/2017

- 0 - 0

No.  For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criteria. 

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

Jeanne Kurzynowski, On Behalf of: Consumers Energy Company - RF - Segments 1

- 0 - 0

Hien Ho, Tacoma Public Utilities (Tacoma, WA), 4, 10/26/2017

- 0 - 0

Reclamation recommends simplifying the Impact Rating Criteria using the methodology described in the response to Question 1.

Wendy Center, U.S. Bureau of Reclamation, 5, 10/26/2017

- 0 - 0

NIPSCO is in support of the comment provided by EEI below.

"

EEI disagrees with modified criterion and weighted value used in Criterion 2.12 for the following reasons:

 

  1. The use of an aggregate weighted value of 6000 contains no justified rational and appears to be an arbitrary selection.
  2. The proposed criterion approach, which deviates from the facilities-based approach used to identify high impact Control Centers (i.e., those monitoring and controlling medium impact facilities), focuses more on the number of lines rather than facility impacts. (EEI is concerned that the proposed Criterion 2.12 could create situations where control centers that simply monitor a large number of lower impact transmission lines (i.e., 24 or more - 100kV to 199kV lines) will be classified as medium impact while other Control Centers that are monitoring and controlling a small number of higher impact transmission lines (i.e., 300kV to 499kV and 200kV to 299kV lines) could be classified as low impact.)
  3. The proposed Criterion 2.12 does not consider or exempt radial feeders.

 

 

For these reasons, EEI recommends that the SDT consider limiting the voltage range for medium impact Control Centers to 200kV, similar to Criterion 2.5, and replacing the aggregate weighted value “exceeding 6000” with a range “exceeding 2500 but below 3000.” We also recommend that Criterion 2.12 use the same table and methodology as provided in Criterion 2.5 since a similar approach would provide greater focus and emphasis on identifying those facilities which are most likely to have the greatest impact on BES reliability.  Lastly, we recommend that if a Control Center only monitors and controls BES Transmission Lines within the range of 100kV to 199kV, then it should be considered a Low Impact Control Center.

 

Our recommendations more closely leverage Criterion 2.5 and provide greater consistency, which is more likely to result in the identification of higher impact Control Centers through the use of a lower “aggregate weighted value.”  Moreover, Control Centers that fell just outside of the parameters used to identify high impact Control Centers would be categorized as Medium Impact with this approach.  This recommended approach also does not inappropriately pull in a disproportionate number of Control Centers that are simply monitoring lower voltage transmission lines.  The rationale for the proposed aggregate weighted value between 2500 to 2999 is that Control Centers monitoring and controlling transmission facilities with two connected 345kV lines or four connected 230kV lines at a transmission station or substation would be categorized as Medium Impact."

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 10/27/2017

- 1 - 0

Steven Powell, On Behalf of: Trans Bay Cable LLC, WECC, Segments NA - Not Applicable

- 0 - 0

For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criteria.

 

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

James Anderson, 10/27/2017

- 0 - 0

Vivian Moser, 10/27/2017

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 10/27/2017

- 0 - 0

For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criteria.

 

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 10/27/2017

- 0 - 0

IMEA supports APPA comments.

Mary Ann Todd, Illinois Municipal Electric Agency, 4, 10/27/2017

- 0 - 0

Bette White, 10/27/2017

- 0 - 0

Cowlitz PUD agrees with the intent of the SDT as implied in Question 2.  However, as written, Criterion 2.12 appears to require an evaluation of the Control Center’s span of control rather than the BES Cyber System associated with the Control Center.  Please see response to Question 5.

Russell Noble, Cowlitz County PUD, 3, 10/27/2017

- 5 - 0

Daniel Grinkevich, 10/30/2017

- 0 - 0

Stephanie Burns, 10/30/2017

- 0 - 0

SRC + SWG , Segment(s) 2, 3, 1, 0, 10/30/2017

- 0 - 0

NRECA supports weighted value approach in the modified Criterion 2.12.

Barry Lawson, 10/30/2017

- 0 - 0

Regan Haines, On Behalf of: TECO - Tampa Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

Tyson Archie, Platte River Power Authority, 5, 10/30/2017

- 0 - 0

MEC disagrees with modified criterion and weighted value used in Criterion 2.12 for the following reasons:

  1. The use of an aggregate weighted value of 6000 contains no justified rational and appears to be an arbitrary selection.
  2. The proposed criterion approach, which deviates from the facilities-based approach used to identify high impact Control Centers (i.e., those monitoring and controlling medium impact facilities), focuses more on the number of lines rather than facility impacts. (EEI is concerned that the proposed Criterion 2.12 could create situations where control centers that simply monitor a large number of lower impact transmission lines (i.e., 24 or more - 100kV to 199kV lines) will be classified as medium impact while other Control Centers that are monitoring and controlling a small number of higher impact transmission lines (i.e., 300kV to 499kV and 200kV to 299kV lines) could be classified as low impact.)
  3. The proposed Criterion 2.12 does not consider or exempt radial feeders.

For these reasons, MEC recommends that the SDT consider limiting the voltage range for medium impact Control Centers to 200kV, similar to Criterion 2.5, and replacing the aggregate weighted value “exceeding 6000” with a range “exceeding 2500 but below 3000.” We also recommend that Criterion 2.12 use the same table and methodology as provided in Criterion 2.5 since a similar approach would provide greater focus and emphasis on identifying those facilities which are most likely to have the greatest impact on BES reliability.  Lastly, we recommend that if a Control Center only monitors and controls BES Transmission Lines within the range of 100kV to 199kV, then it should be considered a Low Impact Control Center.

Our recommendations more closely leverage Criterion 2.5 and provide greater consistency, which is more likely to result in the identification of higher impact Control Centers through the use of a lower “aggregate weighted value.”  Moreover, Control Centers that fell just outside of the parameters used to identify high impact Control Centers would be categorized as Medium Impact with this approach.  This recommended approach also does not inappropriately pull in a disproportionate number of Control Centers that are simply monitoring lower voltage transmission lines.  The rationale for the proposed aggregate weighted value between 2500 to 2999 is that Control Centers monitoring and controlling transmission facilities with two connected 345kV lines or four connected 230kV lines at a transmission station or substation would be categorized as Medium Impact.

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 10/30/2017

- 0 - 0

MidAmerica would like to change its answer for this question to NO.

MidAmerican agrees with EEI"s  comments. Please see EEI's Comments below:

EEI disagrees with modified criterion and weighted value used in Criterion 2.12 for the following reasons:

 

  1. The use of an aggregate weighted value of 6000 contains no justified rational and appears to be an arbitrary selection.
  2. The proposed criterion approach, which deviates from the facilities-based approach used to identify high impact Control Centers (i.e., those monitoring and controlling medium impact facilities), focuses more on the number of lines rather than facility impacts. (EEI is concerned that the proposed Criterion 2.12 could create situations where control centers that simply monitor a large number of lower impact transmission lines (i.e., 24 or more - 100kV to 199kV lines) will be classified as medium impact while other Control Centers that are monitoring and controlling a small number of higher impact transmission lines (i.e., 300kV to 499kV and 200kV to 299kV lines) could be classified as low impact.)
  3. The proposed Criterion 2.12 does not consider or exempt radial feeders.

 

 

For these reasons, EEI recommends that the SDT consider limiting the voltage range for medium impact Control Centers to 200kV, similar to Criterion 2.5, and replacing the aggregate weighted value “exceeding 6000” with a range “exceeding 2500 but below 3000.” We also recommend that Criterion 2.12 use the same table and methodology as provided in Criterion 2.5 since a similar approach would provide greater focus and emphasis on identifying those facilities which are most likely to have the greatest impact on BES reliability.  Lastly, we recommend that if a Control Center only monitors and controls BES Transmission Lines within the range of 100kV to 199kV, then it should be considered a Low Impact Control Center.

 

Our recommendations more closely leverage Criterion 2.5 and provide greater consistency, which is more likely to result in the identification of higher impact Control Centers through the use of a lower “aggregate weighted value.”  Moreover, Control Centers that fell just outside of the parameters used to identify high impact Control Centers would be categorized as Medium Impact with this approach.  This recommended approach also does not inappropriately pull in a disproportionate number of Control Centers that are simply monitoring lower voltage transmission lines.  The rationale for the proposed aggregate weighted value between 2500 to 2999 is that Control Centers monitoring and controlling transmission facilities with two connected 345kV lines or four connected 230kV lines at a transmission station or substation would be categorized as Medium Impact.

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 10/30/2017

- 0 - 0

Agree with the weighting concept however, consider the following:

  1. Assuming wording became specific to TOs, should there be a caveat noting the transmission Facilities need to be at two or more locations similar to the existing Control Center definition with respect to TOP?  This would exclude TOs that operate one large station.   

  2. Assuming wording became specific to TOs  there should be a weighting for 500 KV and above. Criterion 1.3 would apply to Control Center (TOP registration) that control 500 kV+ lines (criterion 2.4); if 2.12 were specific to TOs, then a weight should be given to the 500 kV+ lines. If the intention is for a TO's control center that "operates" a 500 kV+ facility to be High impact, then clarification is needed in criterion 1.3; if the intention is that TO control centers would, at most, be classified as Medium impact, then a weighting is needed for the 500 kV+ lines in criterion 2.12.

David Rivera, New York Power Authority, 3, 10/30/2017

- 0 - 0

The California ISO supports the comments of the Security Working Group (SWG)

- 0 - 0

Manitoba Hydro, Segment(s) 5, 3, 6, 1, 8/8/2017

- 1 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Bob Solomon, On Behalf of: Bob Solomon, , Segments 1

- 0 - 0

No Response.

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

Louisville Gas and Electric Company and Kentucky Utilities Company, Segment(s) 3, 5, 6, 4/13/2017

- 0 - 0

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

Not all entities controlling lower voltage transmission, which ultimately serve a large customer population, should be allowed to move from medium to low impact for their control centers.  Under the proposed criteria, INDN which provides utility services to over 100,000 residents would go from a medium to low impact control center.  The low impact CIP requirements are not adequate protections for some entities.

Mike Lotz, On Behalf of: Mike Lotz, , Segments 3, 5

- 0 - 0

Salt River Project supports comments submitted by APPA.

Lona Calderon, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Russel Mountjoy, 10/30/2017

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

FMPA, Segment(s) , 10/23/2017

- 0 - 0

The formulation of the question #2  in the answer form is incorrect by inducing the notion of BCS whereas criterion 2.12 of the standard does not mention it. In our view, including the notion of BCS in the determination of the BES transmission lines to be included in the weighted voltage level calculation with a threshold of 6000 would allow an arbitrary division of an entity that would like to subtract from the requirement. We believe that criterion 2.12 as written in version 6 is correct and that the question of the form should be reworded in this way or at least that the respondent indicates No and specifies its answer in the comment section of the question # 2.

Nicolas Turcotte, Hydro-Qu?bec TransEnergie, 1, 10/30/2017

- 0 - 0

EEI cannot support the modified criterion and weighted value used in Criterion 2.12 at this time for the following reasons:

  1. The use of an aggregate weighted value of 6000 contains no justified rational and appears to be an arbitrary selection.
  2. The proposed criterion approach, which deviates from the facilities-based approach used to identify high impact Control Centers (i.e., those monitoring and controlling medium impact facilities), focuses more on the number of lines rather than facility impacts. (EEI is concerned that the proposed Criterion 2.12 could create situations where control centers that simply monitor a large number of lower impact transmission lines (i.e., 24 or more - 100kV to 199kV lines) will be classified as medium impact while other Control Centers that are monitoring and controlling a small number of higher impact transmission lines (i.e., 300kV to 499kV and 200kV to 299kV lines) could be classified as low impact.)
  3. The proposed Criterion 2.12 does not consider or exempt radial feeders.

For these reasons, EEI asks the SDT to consider other approaches such as limiting the voltage range for medium impact Control Centers to 200kV, similar to Criterion 2.5, and replacing the aggregate weighted value “exceeding 6000” with a range “exceeding 2500 but below 3000.” Contained within this recommendation is a suggestion that Criterion 2.12 use the same table and methodology as provided in Criterion 2.5 since a similar approach would provide greater focus and emphasis on identifying those facilities which are most likely to have the greatest impact on BES reliability.  Lastly, we suggest that if a Control Center only monitors and controls BES Transmission Lines within the range of 100kV to 199kV, then it should be considered a Low Impact Control Center.

We submit that the above recommendations more closely leverage Criterion 2.5 and provide greater consistency, which is more likely to result in the identification of higher impact Control Centers through the use of a lower “aggregate weighted value.”  Moreover, Control Centers that fell just outside of the parameters used to identify high impact Control Centers would be categorized as Medium Impact with this approach.  This recommended approach also does not inappropriately pull in a disproportionate number of Control Centers that are simply monitoring lower voltage transmission lines.  The rationale for the proposed aggregate weighted value between 2500 to 2999 is that Control Centers monitoring and controlling transmission facilities with two connected 345kV lines or four connected 230kV lines at a transmission station or substation would be categorized as Medium Impact.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 1 - 0

MMWEC supports comments submitted by APPA.

David Gordon, 10/30/2017

- 0 - 0

APPA agrees that SDT’s approach of “summing the weight value of each BES Transmission Lines that the BES Cyber System monitors and controls” is the desired approach.  However, this is not what Criterion 2.12 requires (see answer to question 5 below). As written, Criterion 2.12 sums the BES Transmission Lines that the Control Center monitors and controls.  

Jack Cashin, American Public Power Association, 4, 10/30/2017

- 5 - 0

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 4 - 0

Eversource Group, Segment(s) 5, 3, 9/11/2017

- 0 - 0

Steve Rawlinson, 10/30/2017

- 0 - 0

Payam Farahbakhsh, Hydro One Networks, Inc., 1, 10/30/2017

- 0 - 0

Sandra Shaffer, 10/30/2017

- 0 - 0

KCP&L incorporates by reference Edison Electric Institute’s (EEI) Question 2 response.

Douglas Webb, 10/30/2017

- 0 - 0

Don Schmit, 10/30/2017

- 0 - 0

ERCOT ISO signs on to the SRC + SWG comments.

Elizabeth Axson, 10/30/2017

- 0 - 0

Rachel Coyne, Texas Reliability Entity, Inc., 10, 10/30/2017

- 0 - 0

Seattle City Light supports the comments of Cowlitz PUD and APPA.

Seattle City Light, Segment(s) 1, 3, 4, 5, 6, 10/5/2015

- 0 - 0

RSC no Dominion and ISO-NE, Segment(s) 10, 2, 4, 5, 6, 7, 1, 3, 10/30/2017

- 0 - 0

We believe the control center should have the same rating as the highest impact rating of the transmission facilities that it monitors.  Example, if a control center monitors high impact transmission facilities, then it should also have a high impact rating.  If a control center monitors only low or medium impact transmission facilities, then it should also have a low or medium impact rating, respectively. 

David Jendras, Ameren - Ameren Services, 3, 10/30/2017

- 0 - 0

Fred Frederick, 10/30/2017

- 0 - 0

Evaluation should be based on the short circuit MVA capacity at the element location in the system. 

Spencer Tacke, Modesto Irrigation District, 4, 10/30/2017

- 0 - 0

The term Transmission Line as defined in the Glossary of Terms Used in NERC Reliability Standards does not adequately identify the endpoints of a Transmission Line.  Does the Transmission Line begin and end at the circuit breaker, line switch, or at the bus?  A clarification of this issue would help Responsible Entities determine how to count lines in certain configurations, such as tapped lines.  Additionally, are Responsible Entities required to count a Transmission Line if they only control the breakers on one end of the line, such as a tie line with a neighboring TOP?

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

The SPP Standards Review Group has a concern that there is confusion on what the drafting team’s intent is in reference to proposed language pertaining to BES Cyber System’s span of control instead of the BES Cyber System monitors and controls. Our interpretation of the current language leads us to believe that the Rationale information doesn’t match up correctly with the CIP-002-6 Standard. (need clarity on the operation authortity versus capability).We would ask the drafting team to provide clarity on what their intent is in reference to Criterion 2.12 and verify the alignment of the rationale document and the standard.

Question:

Does control include the ability to issue an operating instruction through another element besides a BES Cyber System element?

Is it the intent of the SDT, that a TOP could drop from Medium to Low based on these calculations?

 It seems that most if not all TOP are Medium and this can reduce them to Low.  This is a concern.

SPP Standards Review Group, Segment(s) , 10/30/2017

- 0 - 0

Jeff Johnson, 10/30/2017

- 0 - 0

Please refer to comments submitted by Robert Blackney on behalf of Southern California Edison

Kenya Streeter, Edison International - Southern California Edison Company, 6, 10/30/2017

- 0 - 0

Michael Johnson, On Behalf of: Burns & McDonnell, FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments NA - Not Applicable

- 0 - 0

SNPD agrees with the SDT’s approach in using the “aggregated weighted values” per line and per voltage class to determine the Impact Ratings of Control Centers and Backup Control Centers.

When the aggregated weighted value of lines for each of the applicable voltage classes exceeds 6000 points, both the Control Center and the Backup Control Center whose Facilities are rated Medium Facilities, and all BES Cyber Systems that are part of the Control Centers should also be rated Medium Impact by association.  However, the new terminology, that was adopted by the SDT, “BES Cyber System’s Span of Control”, is somewhat ambiguous.  Is this concept related to evaluating the applicability of the BES Reliability Operating Services (BROS)?

 

Long Duong, 10/30/2017

- 0 - 0

Hot Answers

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Robert Blackney, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Jeff Ipsaro, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

Val Ridad, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 9/18/2017

- 0 - 0

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 10/16/2017

- 0 - 0

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 6/15/2017

- 0 - 0

As written, there will be TOP Control Centers that will drop from Medium to Low and become exempt from many of the current requirements.  Given the propensity for NOT maintaining standards of performance which are not enforced/required, this WILL produce a predictable weakening of the BES's overall Cyber-Security posture.

Jim Nail, 10/23/2017

- 0 - 0

Jennifer Hohenshilt, On Behalf of: Talen Energy Marketing, LLC, , Segments 6

- 0 - 0

Anton Vu, Los Angeles Department of Water and Power, 6, 10/23/2017

- 0 - 0

David Maier, 10/24/2017

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 10/25/2017

- 0 - 0

Co lorado Srings Utilitiessupports Cowlitz PUD and APPA comments

Colorado Springs Utilities, Segment(s) 5, 3, 1, 6, 5/6/2015

- 0 - 0

Dominion Energy does not support the 6000 aggregate weighted value used in Criterion 2.12 for the reasons specified in our response to question 2.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

Aaron Austin, 10/26/2017

- 0 - 0

No.  For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criteria. 

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

Jeanne Kurzynowski, On Behalf of: Consumers Energy Company - RF - Segments 1

- 0 - 0

Tacoma Power proposes that the aggregate weighted value be 30000 instead of 6000.  The proposed weighting values overestimates the impact of 115 kV subtransmission networks.    For example, between two of our major substations we have a line rated at 239 MW with 4 intermediate looped through distributions stations.  In the proposed evaluation methodology each of the short sections between substations would be weighted as 250 for a total value of 1250, overstating the importance of the line by more than a factor of 5. 

 

An alternative to adjusting the threshold would be to exclude any line that terminates at a substation that only has two transmission lines connected.

Hien Ho, Tacoma Public Utilities (Tacoma, WA), 4, 10/26/2017

- 0 - 0

Reclamation recommends simplifying the Impact Rating Criteria using the methodology described in the response to Question 1.

Wendy Center, U.S. Bureau of Reclamation, 5, 10/26/2017

- 0 - 0

NIPSCO is in support of the comment provided by EEI below.

"EEI does not support the 6000 aggregate weighted value used in Criterion 2.12 for the reasons specified in our response to question 2."

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 10/27/2017

- 0 - 0

Steven Powell, On Behalf of: Trans Bay Cable LLC, WECC, Segments NA - Not Applicable

- 0 - 0

For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criteria.

 

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

James Anderson, 10/27/2017

- 0 - 0

Vivian Moser, 10/27/2017

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 10/27/2017

- 0 - 0

For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criteria.

 

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 10/27/2017

- 0 - 0

IMEA supports APPA comments.

Mary Ann Todd, Illinois Municipal Electric Agency, 4, 10/27/2017

- 0 - 0

Bette White, 10/27/2017

- 0 - 0

Cowlitz PUD agrees the aggregated weighted value will properly identify the impact threshold of a BES Cyber System as long as the calculated value relates directly to those Tranmission Lines the BES Cyber System monitors and controls.

Russell Noble, Cowlitz County PUD, 3, 10/27/2017

- 5 - 0

Daniel Grinkevich, 10/30/2017

- 0 - 0

Suggest 3000 points to be in-line with Criterion 2.5. Concerns that entities with large amounts of 100-199kV lines would be excluded (6000 points = 24 100kV lines).

Stephanie Burns, 10/30/2017

- 0 - 0

SRC + SWG , Segment(s) 2, 3, 1, 0, 10/30/2017

- 0 - 0

NRECA supports the 6000 aggregate weighted value used in Criterion 2.12.

Barry Lawson, 10/30/2017

- 0 - 0

Regan Haines, On Behalf of: TECO - Tampa Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

Tyson Archie, Platte River Power Authority, 5, 10/30/2017

- 0 - 0

MEC does not support the 6000 aggregate weighted value used in Criterion 2.12 for the reasons specified in our response to question 2.

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 10/30/2017

- 0 - 0

MidAmerica would like to change its answer for this question to NO.

MidAmerican agrees with EEI"s  comments. Please see EEI's Comments below:

EEI does not support the 6000 aggregate weighted value used in Criterion 2.12 for the reasons specified in our response to question 2.

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 10/30/2017

- 0 - 0

Agree with the weighting concept however, consider the following:

  1. Assuming wording became specific to TOs, should there be a caveat noting the transmission Facilities need to be at two or more locations similar to the existing Control Center definition with respect to TOP?  This would exclude TOs that operate one large station.  

  2. Assuming wording became specific to TOs  there should be a weighting for 500 KV and above. Criterion 1.3 would apply to Control Center (TOP registration) that control 500 kV+ lines (criterion 2.4); if 2.12 were specific to TOs, then a weight should be given to the 500 kV+ lines. If the intention is for a TO's control center that "operates" a 500 kV+ facility to be High impact, then clarification is needed in criterion 1.3; if the intention is that TO control centers would, at most, be classified as Medium impact, then a weighting is needed for the 500 kV+ lines in criterion 2.12.

David Rivera, New York Power Authority, 3, 10/30/2017

- 0 - 0

The California ISO supports the comments of the Security Working Group (SWG)

- 0 - 0

Manitoba Hydro, Segment(s) 5, 3, 6, 1, 8/8/2017

- 1 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Bob Solomon, On Behalf of: Bob Solomon, , Segments 1

- 0 - 0

No Response.

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

Louisville Gas and Electric Company and Kentucky Utilities Company, Segment(s) 3, 5, 6, 4/13/2017

- 0 - 0

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

The aggregate weighted value of 6000 is too high for entities controlling lower voltage transmission ultimately serving a large customer population.  Under the proposed criteria, INDN which provides utility services to over 100,000 residents would go from a medium to low impact control center.  The low impact CIP requirements are not adequate protections for some entities.

Mike Lotz, On Behalf of: Mike Lotz, , Segments 3, 5

- 0 - 0

Salt River Project supports comments submitted by APPA.

Lona Calderon, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Russel Mountjoy, 10/30/2017

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Nicolas Turcotte, Hydro-Qu?bec TransEnergie, 1, 10/30/2017

- 0 - 0

EEI cannot support the 6000 aggregate weighted value used in Criterion 2.12 at this time for the reasons specified in our response to question 2.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

David Gordon, 10/30/2017

- 0 - 0

Jack Cashin, American Public Power Association, 4, 10/30/2017

- 1 - 0

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 4 - 0

Eversource Group, Segment(s) 5, 3, 9/11/2017

- 0 - 0

Steve Rawlinson, 10/30/2017

- 0 - 0

Payam Farahbakhsh, Hydro One Networks, Inc., 1, 10/30/2017

- 0 - 0

Sandra Shaffer, 10/30/2017

- 0 - 0

KCP&L incorporates by reference Edison Electric Institute’s (EEI) Question 3 response.

Douglas Webb, 10/30/2017

- 0 - 0

Don Schmit, 10/30/2017

- 0 - 0

ERCOT ISO signs on to the SRC + SWG comments.

Elizabeth Axson, 10/30/2017

- 0 - 0

The SDT elected to double weighted value used to define Medium Impact substations in Criterion 2.5.  While this may be a reasonable approach, the Texas RE requests the SDT provide a basis for this approach, including why the Control Center weighted value bright line should be higher than that used for the Tranmission Facility criterion set forth in 2.5.  In addition, Texas RE requests clarification on how double circuits are calculated as it is assumed they are calculated as a single line.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 10/30/2017

- 0 - 0

Seattle City Light supports the comments of Cowlitz PUD and APPA.

Seattle City Light, Segment(s) 1, 3, 4, 5, 6, 10/5/2015

- 0 - 0

RSC no Dominion and ISO-NE, Segment(s) 10, 2, 4, 5, 6, 7, 1, 3, 10/30/2017

- 0 - 0

See the response to question 2 above.

David Jendras, Ameren - Ameren Services, 3, 10/30/2017

- 0 - 0

Fred Frederick, 10/30/2017

- 0 - 0

Spencer Tacke, Modesto Irrigation District, 4, 10/30/2017

- 0 - 0

Does Criterion 2.12 allow a Responsible Entity to mitigate risk to the BES by separating it’s monitoring and control functions at a Control Center into multiple separate BES Cyber Systems?  For example, a Responsible Entity monitors and controls Transmission Lines that sum to an aggregate weighted value of 7000, but they split the monitoring and control functions between two BES Cyber Systems (3500 each) that reside in two separate ESPs.  This option reduces the risk to the reliability of the BES if a system is compromised.  Does this allow the BES Cyber Systems associated with the Control Center in this example to be categorized as low impact BES Cyber Systems?

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

SPP Standards Review Group, Segment(s) , 10/30/2017

- 0 - 0

Jeff Johnson, 10/30/2017

- 0 - 0

Please refer to comments submitted by Robert Blackney on behalf of Southern California Edison

Kenya Streeter, Edison International - Southern California Edison Company, 6, 10/30/2017

- 0 - 0

Michael Johnson, On Behalf of: Burns & McDonnell, FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments NA - Not Applicable

- 0 - 0

SNPD does not have comments on Question 3.

Long Duong, 10/30/2017

- 0 - 0

Hot Answers

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Robert Blackney, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Jeff Ipsaro, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

Val Ridad, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 9/18/2017

- 0 - 0

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 10/16/2017

- 0 - 0

Per the registration criteria, Transmission Operators are “responsible for the reliability of its local transmission system and operates or directs the operations of the transmission Facilities.”  As a result, this responsibility falls on directly on Transmission Operators.  Further expansion of the criterion places responsibilities on Transmission Owners for activities they are not registered for.

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

The Proposed Definition of Control Center would have direct bearing on the outcome of how Xcel Energy interprets this question.  The term would have to be finalized before an opinion could be formed.

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 6/15/2017

- 0 - 0

Jim Nail, 10/23/2017

- 0 - 0

Jennifer Hohenshilt, On Behalf of: Talen Energy Marketing, LLC, , Segments 6

- 0 - 0

Anton Vu, Los Angeles Department of Water and Power, 6, 10/23/2017

- 0 - 0

David Maier, 10/24/2017

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 10/25/2017

- 0 - 0

Colorado Srings Utilities supports Cowlitz PUD and APPA comments

Colorado Springs Utilities, Segment(s) 5, 3, 1, 6, 5/6/2015

- 0 - 0

Section 2.12 of the proposed standard conflicts with the Applicability section of the standard.  Under criterion 2.12, Distribution Provider control centers could be applicable, but Distribution Providers are not included as applicable entities.  The Applicability section should be the ultimate deciding factor for determing applicability.  In addition, we recommend the removal of the first line in the table.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

Aaron Austin, 10/26/2017

- 0 - 0

No comment.

Jeanne Kurzynowski, On Behalf of: Consumers Energy Company - RF - Segments 1

- 0 - 0

Hien Ho, Tacoma Public Utilities (Tacoma, WA), 4, 10/26/2017

- 0 - 0

Reclamation recommends that impact ratings apply to BES Cyber Systems associated with Transmission (Control Center or control room) or generation (Control Center, control room, or plant), or any identified Facilities regardless of a Responsible Entity’s functional registration.

Wendy Center, U.S. Bureau of Reclamation, 5, 10/26/2017

- 0 - 0

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 10/27/2017

- 0 - 0

Steven Powell, On Behalf of: Trans Bay Cable LLC, WECC, Segments NA - Not Applicable

- 0 - 0

James Anderson, 10/27/2017

- 0 - 0

Vivian Moser, 10/27/2017

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 10/27/2017

- 0 - 0

No Comment

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 10/27/2017

- 0 - 0

IMEA supports APPA comments.

Mary Ann Todd, Illinois Municipal Electric Agency, 4, 10/27/2017

- 0 - 0

Bette White, 10/27/2017

- 0 - 0

Cowlitz PUD is in agreement as long as the definition of “Control Center” is modified to clearly point to registered functions, including Transmission Owners.

Russell Noble, Cowlitz County PUD, 3, 10/27/2017

- 5 - 0

Daniel Grinkevich, 10/30/2017

- 0 - 0

Agree. However would be clearer if the statement "...regardless of a Responsible Entity’s functional registration" was included in critera 2.12.

Stephanie Burns, 10/30/2017

- 0 - 0

Any entity that controls Transmission service that could impact the overall grid reliability, capability, and the functionality of power delivery should be following the CIP security structure in monitoring, maintaining and reporting on those systems that have physical control capability.

SRC + SWG , Segment(s) 2, 3, 1, 0, 10/30/2017

- 0 - 0

NRECA supports this approach.

Barry Lawson, 10/30/2017

- 0 - 0

Regan Haines, On Behalf of: TECO - Tampa Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

Tyson Archie, Platte River Power Authority, 5, 10/30/2017

- 0 - 0

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 10/30/2017

- 0 - 0

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 10/30/2017

- 0 - 0

The approach does not clarify the issue.  The removal of the term “functional obligation” from 2.12 still does not clarify the requirement applies to TO because the capitalized term Control Center is used and that term implies functional registery (RC/BA/TOP/GOP).  Clarification could be improved by using the non-capitalized term  “control center” and defined as used in CIP-014.  In addition, the use of the term “control” is also a source of confusion as it can be interpreted as having operational control (ie. Direct the switching operation) or physical control (perform the switching operation).

David Rivera, New York Power Authority, 3, 10/30/2017

- 0 - 0

The California ISO supports the comments of the Security Working Group (SWG)

- 0 - 0

Manitoba Hydro, Segment(s) 5, 3, 6, 1, 8/8/2017

- 1 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Bob Solomon, On Behalf of: Bob Solomon, , Segments 1

- 0 - 0

No Response.

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

Louisville Gas and Electric Company and Kentucky Utilities Company, Segment(s) 3, 5, 6, 4/13/2017

- 0 - 0

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

Mike Lotz, On Behalf of: Mike Lotz, , Segments 3, 5

- 0 - 0

Salt River Project supports comments submitted by APPA.

Lona Calderon, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Russel Mountjoy, 10/30/2017

- 0 - 0

See our response to question 1. Does this question confirm that the drafting team’s intent is that all Control Centers should be considered under this criterion, nothwithstanding the fact that in order to control Transmission facilities (100kV and above), a NERC BA/TOP certification is required?

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

We agree with the described concept of categorizing BES Cyber Systems but would want to see the suggested language used from our comments for Question 1.

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Nicolas Turcotte, Hydro-Qu?bec TransEnergie, 1, 10/30/2017

- 0 - 0

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

David Gordon, 10/30/2017

- 0 - 0

Jack Cashin, American Public Power Association, 4, 10/30/2017

- 1 - 0

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 4 - 0

Eversource Group, Segment(s) 5, 3, 9/11/2017

- 0 - 0

Steve Rawlinson, 10/30/2017

- 0 - 0

Payam Farahbakhsh, Hydro One Networks, Inc., 1, 10/30/2017

- 0 - 0

Sandra Shaffer, 10/30/2017

- 0 - 0

Douglas Webb, 10/30/2017

- 0 - 0

Don Schmit, 10/30/2017

- 0 - 0

ERCOT ISO signs on to the SRC + SWG comments.

Elizabeth Axson, 10/30/2017

- 0 - 0

Rachel Coyne, Texas Reliability Entity, Inc., 10, 10/30/2017

- 0 - 0

Seattle City Light supports the comments of Cowlitz PUD and APPA.

Seattle City Light, Segment(s) 1, 3, 4, 5, 6, 10/5/2015

- 0 - 0

RSC no Dominion and ISO-NE, Segment(s) 10, 2, 4, 5, 6, 7, 1, 3, 10/30/2017

- 0 - 0

David Jendras, Ameren - Ameren Services, 3, 10/30/2017

- 0 - 0

Fred Frederick, 10/30/2017

- 0 - 0

Spencer Tacke, Modesto Irrigation District, 4, 10/30/2017

- 0 - 0

AECI agrees with the approach and believes that a BES Cyber System (BCS) should be categorized by the BCS's span of control, regardless of functional registration.

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

SPP Standards Review Group, Segment(s) , 10/30/2017

- 0 - 0

Jeff Johnson, 10/30/2017

- 0 - 0

Please refer to comments submitted by Robert Blackney on behalf of Southern California Edison

Kenya Streeter, Edison International - Southern California Edison Company, 6, 10/30/2017

- 0 - 0

Michael Johnson, On Behalf of: Burns & McDonnell, FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments NA - Not Applicable

- 0 - 0

SNPD suggests that a Control Center that is only responsible for Low Impact Facilities, should default to a Low Impact Control Center rating; independent of its registration or weighted value criterion.  Currently, there are numerous Medium Impact Control Centers that meet the registration requirements or proposed weighting criteria, but clearly do not have BES Cyber Assets.

 

“A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or nonā€operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System.  Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact.  Each BES Cyber Asset is included in one or more BES Cyber Systems.”

 

Registered Entities have identified SCADA related assets and systems as BCS and BCAs in order to comply with Reliability Standards interpretations and the expectations of the regulators.  However, if these assets were rendered unavailable, degraded, or misused, they would not adversely impact the Bulk Electric System.  In these cases the scope of the impact would be local load service and restoration efforts.  They would not result in BES cascading events.  The original intent of the NERC Reliability Standards were to address BES reliability, yet the application of Medium Impact Control Centers operating Low Impact Facilities often targets local load service and distribution systems.

Long Duong, 10/30/2017

- 0 - 0

Hot Answers

NRG has a concern that there may be confusion on what the drafting team’s intent is in reference to proposed language pertaining to BES Cyber System’s span of control instead of the BES Cyber System monitors and controls. Industry interpretation of the current language leads NRG stakeholders to believe that the Rationale information may not match up correctly with the CIP-002-6 Standard. (NRG reqeusts clarity on the operation authortity versus capability). NRG requests that the drafting team provide clarity on what their intent is in reference to Criterion 2.12 and verify the alignment of the rationale document and the standard.

Question: Does control include the ability to issue an operating instruction through another element besides a BES Cyber System element?  Is it the intent of the SDT, that a TOP could drop from Medium to Low based on these calculations?  It seems that most if not all TOPs are Medium and this can reduce them to Low which may be a concern for the industry.

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Robert Blackney, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Jeff Ipsaro, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

Val Ridad, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 9/18/2017

- 0 - 0

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 10/16/2017

- 0 - 0

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

See response to Question 4.

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 6/15/2017

- 0 - 0

As written, there will be TOP Control Centers that will drop from Medium to Low and become exempt from many of the current requirements.  Given the propensity for NOT maintaining standards of performance which are not enforced/required, this WILL produce a predictable weakening of the BES's overall Cyber-Security posture.

Jim Nail, 10/23/2017

- 0 - 0

Jennifer Hohenshilt, On Behalf of: Talen Energy Marketing, LLC, , Segments 6

- 0 - 0

Anton Vu, Los Angeles Department of Water and Power, 6, 10/23/2017

- 0 - 0

David Maier, 10/24/2017

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 10/25/2017

- 0 - 0

Colorado Srings Utilities supports Cowlitz PUD and APPA comments

Colorado Springs Utilities, Segment(s) 5, 3, 1, 6, 5/6/2015

- 0 - 0

Based on the response to Question 4, Dominion Energy recommends the following additional language modification. 

“TO and TOP Control Centers or backup Control Centers, not included in High Impact Rating (H) above, that monitor and control BES Transmission Lines with an "aggregate weighted value" exceeding 2500 but below 3000 according to the table below. The "aggregate weighted value" for a TO or TOP Control Center or backup Control Center is determined by summing the "weight value per line" shown in the table below for each BES Transmission Line monitored and controlled by the Control Center or backup Control Center.”

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

Aaron Austin, 10/26/2017

- 0 - 0

No.  For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criteria. 

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

Jeanne Kurzynowski, On Behalf of: Consumers Energy Company - RF - Segments 1

- 0 - 0

Hien Ho, Tacoma Public Utilities (Tacoma, WA), 4, 10/26/2017

- 0 - 0

Reclamation recommends simplifying the Impact Rating Criteria using the methodology stated in the response to Question 1.

Wendy Center, U.S. Bureau of Reclamation, 5, 10/26/2017

- 0 - 0

NIPSCO is in support of the comment provided by EEI below.

"See our comments, rationale and alternate proposal as provided in our response to question 2."

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 10/27/2017

- 0 - 0

Steven Powell, On Behalf of: Trans Bay Cable LLC, WECC, Segments NA - Not Applicable

- 0 - 0

For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criteria.

 

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

James Anderson, 10/27/2017

- 0 - 0

Vivian Moser, 10/27/2017

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 10/27/2017

- 0 - 0

For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criteria.

 

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 10/27/2017

- 0 - 0

IMEA supports APPA comments.

Mary Ann Todd, Illinois Municipal Electric Agency, 4, 10/27/2017

- 0 - 0

Bette White, 10/27/2017

- 0 - 0

Cowlitz PUD fully supports estabishment of medium and low impact TOP/TO Control Centers, and believes that summing the weighted value of each BES Transmission Line that the BES Cyber System monitors and controls is the desired approach. However, it is possible that Criterion 2.12 can be interpreted by the Regional Entity contrary to this approach.  As written, Criterion 2.12 appears to mandate a “Control Center impact designation” by summing the  weighted values of Transmission Lines that the Control Center monitors and controls via any methodology.  Cowlitz PUD has obtained confirmation from regional compliance personnel opinion in this regard.  Montoring and control can include Control Center operator verbal communication with field perssonel, or non-programmable electronic devices along with BES Cyber Assets.  The result is the BES Cyber System is not categorized by evaluating its integral importance to the BES asset’s function, it is categorized based on mere association with the asset regardless of whether it is necessary for the asset’s complex function.

Cowlitz PUD supports the APPA suggested alternate proposal.

 

Russell Noble, Cowlitz County PUD, 3, 10/27/2017

- 5 - 0

Daniel Grinkevich, 10/30/2017

- 0 - 0

Suggest 3000 points to be in-line with Criterion 2.5. Concerns that entities with large amounts of 100-199kV lines would be excluded (6000 points = 24 100kV lines).

Stephanie Burns, 10/30/2017

- 0 - 0

SRC + SWG , Segment(s) 2, 3, 1, 0, 10/30/2017

- 0 - 0

NRECA supports the proposed modifications.

Barry Lawson, 10/30/2017

- 0 - 0

Regan Haines, On Behalf of: TECO - Tampa Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

Tyson Archie, Platte River Power Authority, 5, 10/30/2017

- 0 - 0

See our comments, rationale and alternate proposal as provided in our response to question 2.

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 10/30/2017

- 0 - 0

MidAmerica would like to change its answer for this question to NO.

MidAmerican agrees with EEI"s  comments. Please see EEI's Comments below:

See our comments, rationale and alternate proposal as provided in our response to question 2.

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 10/30/2017

- 0 - 0

Removing functional obligation does not remove the conflict with the existing definition of Control Center for performing the functional obligation of a TOP.  Removing Control Center and replacing with the control center concept used in CIP-014 would would provide clarification.

David Rivera, New York Power Authority, 3, 10/30/2017

- 0 - 0

The California ISO supports the comments of the Security Working Group (SWG)

- 0 - 0

Manitoba Hydro, Segment(s) 5, 3, 6, 1, 8/8/2017

- 1 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Bob Solomon, On Behalf of: Bob Solomon, , Segments 1

- 0 - 0

No Response.

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

Louisville Gas and Electric Company and Kentucky Utilities Company, Segment(s) 3, 5, 6, 4/13/2017

- 0 - 0

IID believes that summing the weighted value of each BES Transmission Line that the BES Cyber System monitors and controls is the desired approach, but Criterion 2.12 can be interpreted by the Regional Entity contrary to this approach.  As written, Criterion 2.12 appears to mandate a “Control Center impact designation” by summing the  weighted values of Transmission Lines that the Control Center monitors and controls via any methodology. Montoring and control can include Control Center operator verbal communication with field perssonel, or non-programmable electronic devices along with BES Cyber Assets.  The result is the BES Cyber System is not categorized by evaluating its integral importance to the BES asset’s function, it is categorized based on mere association with an asset regardless of whether it is necessary for the asset’s complex function.

Further, IID has concerns a Control Center that may be used for various functions, and may have several isolated BES Cyber Systems (BCS) to cover each.  In addition, applicable entities should be encouraged to apply technology which is not subject to the inherent vulnerabilities of programmable devices using routable protocol.  Removal of key high risk control to highly secure technology should be removed from the “aggregate weighted value” of the BES Cyber Systems used to monitor and control.

IID supports the following possible modifications:

  1. At the beginning of Section 2: Each BES Cyber Sytem, not included in Section 1 above, integral in the operation of the following:

  2. For Rational for criterion 2.12, last paragraph, second sentence: … “weight value per line”shown in the associated table for each BES Transmission Line monitored and controlled by the Control Center’s or backup Control Center’s BES Cyber System…

  3. For criterion 2.12: Control Centers or backup Control Centers, not included in High Impact Rating (H) above, that monitor and control BES Transmission Lines with an "aggregate weighted value" exceeding 6000 according to the table below. The "aggregate weighted value" for a Control Center or backup Control Center is determined by summing the "weight value per line" shown in the table below for each BES Transmission Line monitored and controlled by the Control Center’s or backup Control Center’s BES Cyber System.

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

The proposed changes to criterion 2.12 will allow some entities, currently rated at medium impact, to change their control center(s) impact rating to low.  This change could significantly increase both cyber and physical risks to reliability for the entity moving to low, and also the entities they are connected to.  The low impact CIP requirements are not adequate protections for some entities.

Mike Lotz, On Behalf of: Mike Lotz, , Segments 3, 5

- 0 - 0

Salt River Project supports comments submitted by APPA.

Lona Calderon, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Russel Mountjoy, 10/30/2017

- 0 - 0

Based on the lack of clarity that exists regarding whether criterion 2.12 would be applicable to all Control Centers, not just TO Control Centers, Duke Energy does not support the proposed modifications. In the CIP V5 Issues for Standard Drafting Team Consideration document, the V5TAG group suggests the following:

“Clarify the applicability of requirements on a TO Control Center that perform the functional obligations of a TOP, particularly if the TO has the ability to operate switches, breakers and relays in the BES.”

The sentence above from the V5TAG document, specifically makes reference to a need to clarify requirements on TO Control Centers that perform functional obligations of a TOP. As we have stated previously, this proposed modification could be interpreted to include all Control Centers, not just TO Control Centers. Was it the drafting team’s intent to clear up the “functional obligations of a TOP” issue by inserting the phrase “that monitor and control BES Transmission Lines” into the criterion of 2.12? Perhaps a better understanding of what “performing the functional obligations of” would be beneficial, since it is commonly used throughout Attachment 1.

If it was the drafting team’s intent that this proposed modification to the criterion only refer to TO Control Centers, we recommend revising said criterion to explicitly reference TO Control Centers.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Pleae see our comments for Question 1.

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Nicolas Turcotte, Hydro-Qu?bec TransEnergie, 1, 10/30/2017

- 0 - 0

See our comments, rationale and alternate proposal as provided in our response to question 2.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

MMWEC supports the comments submitted by APPA, and suggests adding the following sentence (similar to wording in criteria 2.1 and 2.1) to the end of the proposed Criterion 2.12. "The only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that monitor and control BES Transmission Lines with an "aggregate weighted value" exceeding 6000 according to the table below."

David Gordon, 10/30/2017

- 0 - 0

Public power supports the concept of establishing criteria for Medium Impact Control Centers and Low Impact Control Centers. We support the approach of basing the criteria on "aggregate weighted value" of Transmission Lines controlled by BES Cyber Systems located at the Control Centers.  However, as proposed, Criterion 2.12 is ambiguous as to how the "aggregate weighted value" is derived. Is it derived by summing the values for all Transmission Lines monitored and controlled by a Control Center, or should it be derived by summing the value for Transmission Lines monitored and controlled by BES Cyber Systems located at the Control Center? Also, the criterion is not clear on whether "control" refers to control by personnel at the Control Center (e.g., by verbal instruction to field personnel) or to control by a BES Cyber System.

APPA suggests adding the following sentence (similar to wording in criteria 2.1 and 2.1) to the end of the proposed Criterion 2.12. "The only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that monitor and control BES Transmission Lines with an "aggregate weighted value" exceeding 6000 according to the table below."

Public power appreciates the SDT efforts for clarifying the applicability requirements for a TO Control Center that performs the functional obligations of a TOP.  We have some suggested language for Criterion 2.12 that we feel removes some ambiguity and possible interpretation questions.  Our suggested language is as follows:

“Cyber Assets used to control BES Transmission lines, located at Control Centers or backup Control Centers, where the summed weighted value (according to the table below) of each BES Transmission Line controlled and monitored exceeds 6000.” 

Jack Cashin, American Public Power Association, 4, 10/30/2017

- 5 - 0

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 4 - 0

Eversource Group, Segment(s) 5, 3, 9/11/2017

- 0 - 0

Steve Rawlinson, 10/30/2017

- 0 - 0

Hydro One supports comments submitted by NPCC RSC.

Payam Farahbakhsh, Hydro One Networks, Inc., 1, 10/30/2017

- 0 - 0

Sandra Shaffer, 10/30/2017

- 0 - 0

KCP&L incorporates by reference Edison Electric Institute’s (EEI) Question 5 response.

Douglas Webb, 10/30/2017

- 0 - 0

See comments on question #1.

Don Schmit, 10/30/2017

- 0 - 0

ERCOT ISO signs on to the SRC + SWG comments.

Elizabeth Axson, 10/30/2017

- 0 - 0

Rachel Coyne, Texas Reliability Entity, Inc., 10, 10/30/2017

- 0 - 0

Seattle City Light supports the comments of Cowlitz PUD and APPA.

Seattle City Light, Segment(s) 1, 3, 4, 5, 6, 10/5/2015

- 0 - 0

We support the concept of establishing criteria for Medium Impact Control Centers and Low Impact Control Centers. We support the approach of basing the criteria on "aggregate weighted value" of Transmission Lines controlled by BES Cyber Systems located at the Control Centers.  However, as proposed, Criterion 2.12 is ambiguous as to how the "aggregate weighted value" is derived. Is it derived by summing the values for all Transmission Lines monitored and controlled by a Control Center, or should it be derived by summing the value for Transmission Lines monitored and controlled by BES Cyber Systems located at the Control Center? Also, the criterion is not clear on whether "control" refers to control by personnel at the Control Center (e.g., by verbal instruction to field personnel) or to control by a BES Cyber System.

 

We suggest adding the following sentence (similar to wording in criteria 2.1 and 2.1) to the end of the proposed Criterion 2.12. "The only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that monitor and control BES Transmission Lines with an "aggregate weighted value" exceeding 6000 according to the table below."

RSC no Dominion and ISO-NE, Segment(s) 10, 2, 4, 5, 6, 7, 1, 3, 10/30/2017

- 0 - 0

See the response to question 2 above

David Jendras, Ameren - Ameren Services, 3, 10/30/2017

- 0 - 0

Fred Frederick, 10/30/2017

- 0 - 0

Spencer Tacke, Modesto Irrigation District, 4, 10/30/2017

- 0 - 0

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

See comments on question #2.

SPP Standards Review Group, Segment(s) , 10/30/2017

- 0 - 0

Jeff Johnson, 10/30/2017

- 0 - 0

Please refer to comments submitted by Robert Blackney on behalf of Southern California Edison

Kenya Streeter, Edison International - Southern California Edison Company, 6, 10/30/2017

- 0 - 0

Michael Johnson, On Behalf of: Burns & McDonnell, FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments NA - Not Applicable

- 0 - 0

SNPD only agrees with the weighted approach to identify ratings of Control Centers.  A BES Cyber System that is an integrated part of a Control Center, and involves one or more BES Reliability Operating Service (BROS), should have a Medium Impact rating by association.  The introduction of Span of Control, from the SDT is somewhat confusing language for SNPD.   

Long Duong, 10/30/2017

- 0 - 0

Hot Answers

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Robert Blackney, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Jeff Ipsaro, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

Val Ridad, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 9/18/2017

- 0 - 0

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

As the IESO does not own or operate BES Transmission Lines we have no opinion or comment on the implimentation plan.

Leonard Kula, Independent Electricity System Operator, 2, 10/16/2017

- 0 - 0

The following language is not adequately clear.

 “Responsible entity identifies first medium impact or high impact BES Cyber System (i.e., the responsible entity previously had no BES Cyber Systems categorized as high impact or medium impact according to the CIP-002-6 identification and categorization processes)” (24 months)

This language needs to be clarified to clearly identify that 12 months is for the first medium or high impact BES Cyber System for this asset. 

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

The implementation time period needed would be contingent on the status of the changes to the definition of Control Center.

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

The question asks, “please note the actions you will take that require this amount of time to complete”, although there is no time afforded entities to complete any actions.  The proposed Implementation Plan states “Where approval by an applicable governmental authority is required, Reliability Standard CIP-002-6 shall become effective on the effective date of the applicable governmental authority’s order approving the standard, or as otherwise provided for by the applicable governmental authority.”  This does not allow entities adequate time to achieve compliance with ‘main R’ requirements to have ‘one or more documented processes’ at the time of approval.  Updates to entity policies, programs, plans, and procedures would be required, regardless of whether or not the modifications result in the identification of new, or reclassification of existing BES Cyber Systems at Control Centers. 

The Implementation Plan does explicity state “For the purposes of transitioning from CIP-002-5.1a to CIP-002-6, increases in BES Cyber System categorization (i.e., from low to medium/high or from medium to high) from the application of CIP-002-6 Attachment 1 criteria are provided 24 months for implementation of applicable CIP Cyber-Security Standards.”  However, there is no explicit clarification whether the changes to CIP-002-6 are considered a Planned change, or an Unplanned change.  This impacts entities where there is no change to BES Cyber System categorization, but yet policies, programs, plans, and procedures must comply as of the effective date of the new approved standard.  For the 24 month implementation clause above, this needs to also explicity state “This includes changes or updates necessary to entity policies, programs, plans or procedures to address these modifications in CIP-002-6.”

Southern Company, Segment(s) 1, 3, 5, 6, 6/15/2017

- 0 - 0

Jim Nail, 10/23/2017

- 0 - 0

Jennifer Hohenshilt, On Behalf of: Talen Energy Marketing, LLC, , Segments 6

- 0 - 0

Anton Vu, Los Angeles Department of Water and Power, 6, 10/23/2017

- 0 - 0

David Maier, 10/24/2017

- 0 - 0

N&ST agrees with the proposed implementation time frames in the draft Implementation Plan. However, N&ST believes there a number of issues with the accompanying narrative that should be addressed:

 

- Third paragraph under heading, “Planned and Unplanned Changes:” N&ST does not believe it is possible for “unplanned” changes, defined in the Implementation Plan document as changes not planned and implemented by the responsible entity, to be made to one or more of that entity’s BES Cyber Systems. 

 

- That same paragraph describes a “...scenario where a particular BES Cyber System at a transmission substation does not meet the criteria in CIP-002-6, Attachment 1,...” N&ST believes this condition is logically impossible. An unplanned change, outside of the hypothetical transmission substation, could only result either in (a) an existing Cyber Asset, not previously identified as a BES Cyber Asset, becoming part of a new or existing BES Cyber System, or (b) a low impact BES Cyber System being recategorized as a medium impact BES Cyber System.

 

N&ST recommends the following changes to the Implementation Plan’s timeline table:

 

- For ease of reference, table entries should be numbered.

 

- The Implementation Plan should state explicitly that the table’s third and forth entries (an existing BES Cyber System is recategorized from medium to high or from low to medium impact) applies to responsible entities that have previously identified at least one medium impact BES Cyber System.

 

- N&ST finds it difficult to envision a scenario wherein a new high or medium impact BES Cyber System must be implemented as the result of an unplanned change (first and second entries in table). At the same time, N&ST believes it is possible, if unlikely, that an existing Cyber Asset could be recategorized as a BES Cyber Asset as the result of an unplanned change. If this is the scenario the Drafting Team had in mind, these timeline table entries should be clarified. Otherwise, N&ST recommends they be deleted. 

Nicholas Lauriat, Network and Security Technologies, 1, 10/25/2017

- 0 - 0

Colorado Srings Utilities supports Cowlitz PUD and APPA comments

Colorado Springs Utilities, Segment(s) 5, 3, 1, 6, 5/6/2015

- 0 - 0

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

Aaron Austin, 10/26/2017

- 0 - 0

No comment.

Jeanne Kurzynowski, On Behalf of: Consumers Energy Company - RF - Segments 1

- 0 - 0

Hien Ho, Tacoma Public Utilities (Tacoma, WA), 4, 10/26/2017

- 0 - 0

Reclamation recommends an initial implementation period of 18 months to allow entities time to determine the effects of the revised Impact Rating Criteria and an additional 18 months to comply.

Wendy Center, U.S. Bureau of Reclamation, 5, 10/26/2017

- 0 - 0

NIPSCO is in support of the comment provided by EEI below.

"It is premature to comment on the implementation plan because EEI disagrees with the revisions."

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 10/27/2017

- 0 - 0

Steven Powell, On Behalf of: Trans Bay Cable LLC, WECC, Segments NA - Not Applicable

- 0 - 0

James Anderson, 10/27/2017

- 0 - 0

AZPS recommends that the proposed implementation time period be extended to 24 months for all options. Regardless of whether a facility’s categorization is revised from Low to Medium or Medium to High, the effort required would involve the design and implementation of new or different technology, new or revised processes, procurement and contracting efforts, etc.  To design and implement an approach to compliance could – alone – take 12 months.  When the additional time required for and uncertainty associated with the execution and completion of the supply chain and procurement processes are considered, implementation efforts could easily exceed 12 months.  For this reason, implementation efforts should be allotted 24 months for completion as such timeline better aligns with the time needed foranalysis, procurement of long lead items, and actual work. 

Vivian Moser, 10/27/2017

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 10/27/2017

- 0 - 0

No Comment

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 10/27/2017

- 0 - 0

IMEA supports APPA comments.

Mary Ann Todd, Illinois Municipal Electric Agency, 4, 10/27/2017

- 0 - 0

Bette White, 10/27/2017

- 0 - 0

Cowlitz PUD supports APPA comment.

Russell Noble, Cowlitz County PUD, 3, 10/27/2017

- 1 - 0

Daniel Grinkevich, 10/30/2017

- 0 - 0

Consider further clarification of the classification of planned or unplanned changes. Existing definitions are vague with regard to regard to change of facility ownership, criterion that are based on agreements (2.7 NUC-001) or other entities or internal.

Stephanie Burns, 10/30/2017

- 0 - 0

SRC + SWG , Segment(s) 2, 3, 1, 0, 10/30/2017

- 0 - 0

NRECA supports the proposed implementation plan.

Barry Lawson, 10/30/2017

- 0 - 0

Regan Haines, On Behalf of: TECO - Tampa Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

Tyson Archie, Platte River Power Authority, 5, 10/30/2017

- 0 - 0

It is premature to comment on the implementation plan because MEC disagrees with the revisions.

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 10/30/2017

- 0 - 0

MidAmerica would like to change its answer for this question to NO.

MidAmerican agrees with EEI"s  comments. Please see EEI's Comments below:

It is premature to comment on the implementation plan because EEI disagrees with the revisions.

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 10/30/2017

- 0 - 0

David Rivera, New York Power Authority, 3, 10/30/2017

- 0 - 0

The California ISO supports the comments of the Security Working Group (SWG)

- 0 - 0

Enforcement schedules triggered by a system change or periodic review should be incorporated directly within the Standard, not within a standalone Implementation Plan. An example of doing this is CIP-014-2 R5. The “unplanned changes compliance implementation table” in the Implementation Plan creates a situation where this Implementation Plan is never fully vested/implemented. An Implementation Plan should be used to dictate timelines required to implement a requirement, where timelines allowing for compliance maintenance (after Standard is fully implemented) should be incorporated directly within the standard, which allows the Implementation Plan itself to expire. This supports NERC’s implementation timeline reporting in Col L, here.

Manitoba Hydro, Segment(s) 5, 3, 6, 1, 8/8/2017

- 1 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Bob Solomon, On Behalf of: Bob Solomon, , Segments 1

- 0 - 0

No Response.

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

Louisville Gas and Electric Company and Kentucky Utilities Company, Segment(s) 3, 5, 6, 4/13/2017

- 0 - 0

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

Mike Lotz, On Behalf of: Mike Lotz, , Segments 3, 5

- 0 - 0

Salt River Project supports comments submitted by APPA.

Lona Calderon, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Russel Mountjoy, 10/30/2017

- 0 - 0

Based on the lack of clarity on the scope of criterion 2.12, we cannot agree that 12 months would be a sufficient time to address impact changes resulting from an unplanned change to the system.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Nicolas Turcotte, Hydro-Qu?bec TransEnergie, 1, 10/30/2017

- 0 - 0

It is premature to comment on the implementation plan because EEI disagrees with the proposed revisions to the standard.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

David Gordon, 10/30/2017

- 0 - 0

We agree with the intent of the implementation plan but feel that the unintended consequences of potential interpretations could bring assets into scope, thereby requiring recalibration of compliance programs in an ongoing manner.  

Jack Cashin, American Public Power Association, 4, 10/30/2017

- 5 - 0

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 4 - 0

Eversource Group, Segment(s) 5, 3, 9/11/2017

- 0 - 0

Steve Rawlinson, 10/30/2017

- 0 - 0

Payam Farahbakhsh, Hydro One Networks, Inc., 1, 10/30/2017

- 0 - 0

Sandra Shaffer, 10/30/2017

- 0 - 0

KCP&L incorporates by reference Edison Electric Institute’s (EEI) Question 6 response

Douglas Webb, 10/30/2017

- 0 - 0

Don Schmit, 10/30/2017

- 0 - 0

ERCOT ISO signs on to the SRC + SWG comments.

Elizabeth Axson, 10/30/2017

- 0 - 0

While Texas RE does not necessarily object to the proposed Implementation Plan timeframes, the IP, as currently drafted, could introduce ambiguity regarding the expected compliance timelines for entities with Control Centers that are would be newly subject to the proposed CIP-002-6 Criteria 2.12 definition.  In particular, Texas RE requests the SDT should clarify whether the change to the Control Center criteria would constitute a planned or unplanned change. 

 

The standard will become effective immediately upon the effective date of the FERC order approving the revisions.  However, the new criteria presumably will interact with the impact rating review criteria set forth in CIP-002-5.1 R2.  Specifically, Transmission Owners with Control Centers that satisfy the proposed 2.12 criteria presumably will have to identify those Control Centers during its periodic 15-month review of its Medium Impact BES Cyber System identifications.  As such, depending on the time of the approval, entities could have as much as 15 months to properly categorize and implement medium impact controls for any Control Centers now captured by the changes to the CIP-002-5.1 Criteria 2.12 language.  Further, entities may possibly have an additional 12 months beyond the 15 month categorization window if the SDT changes fall within the definition of an “unplanned change.”  That is, “any changes of the electric system or BES Cyber System, as identified through the assessment under CIP-002-6, Requirement R2, which were not planned by the responsible entity.”  Texas RE recommends that the SDT clarify this timeline, and, particularly, whether the SDT intends for the additional 12-month period for unplanned changes to be applicable in these circumstances.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 10/30/2017

- 0 - 0

Seattle City Light supports the comments of Cowlitz PUD and APPA.

Seattle City Light, Segment(s) 1, 3, 4, 5, 6, 10/5/2015

- 0 - 0

RSC no Dominion and ISO-NE, Segment(s) 10, 2, 4, 5, 6, 7, 1, 3, 10/30/2017

- 0 - 0

It is premature in our opinion to comment on the implementation plan because Ameren disagrees with the revisions.

David Jendras, Ameren - Ameren Services, 3, 10/30/2017

- 0 - 0

Fred Frederick, 10/30/2017

- 0 - 0

Spencer Tacke, Modesto Irrigation District, 4, 10/30/2017

- 0 - 0

AECI requests the SDT to revise the implementation plan to provide added clarity.  AECI suggests moving the statement, “For the purposes of transitioning from CIP-002-5.1a to CIP-002-6, increases in BES Cyber System categorization (i.e., from low to medium/high or from medium to high) from the application of CIP-002-6 Attachment 1 criteria are provided 24 months for implementation of applicable CIP Cyber-Security Standards.” to the beginning of the Planned/Unplanned Changes section of the Implementation Plan.  It is confusing to read through all of the planned/unplanned options in the associated table and finally conclude with the statement that is most impactful to Responsible Entities.

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

SPP Standards Review Group, Segment(s) , 10/30/2017

- 0 - 0

Jeff Johnson, 10/30/2017

- 0 - 0

Please refer to comments submitted by Robert Blackney on behalf of Southern California Edison

Kenya Streeter, Edison International - Southern California Edison Company, 6, 10/30/2017

- 0 - 0

Michael Johnson, On Behalf of: Burns & McDonnell, FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments NA - Not Applicable

- 0 - 0

SNPD does not have comments on Question 6.

Long Duong, 10/30/2017

- 0 - 0

Hot Answers

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Robert Blackney, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Jeff Ipsaro, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

Val Ridad, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 9/18/2017

- 0 - 0

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

As the IESO does not own or operate BES Transmission Lines we have no opinion or comment on the implimentation plan.

Leonard Kula, Independent Electricity System Operator, 2, 10/16/2017

- 0 - 0

The SDT should strongly consider replacing CIP-002 and the associated CIP standards with an alternative non-prescriptive approach that focuses on effective cyber and physical security and adapt the enforcement approach to be consistent with those used in financial auditing.  This alternative approach would reduce costs and allow Registered Entities to focus on maintaining a secure power grid .

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

We have not performed a cost analysis on the proposed changes.

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 6/15/2017

- 0 - 0

Jim Nail, 10/23/2017

- 0 - 0

Jennifer Hohenshilt, On Behalf of: Talen Energy Marketing, LLC, , Segments 6

- 0 - 0

Anton Vu, Los Angeles Department of Water and Power, 6, 10/23/2017

- 0 - 0

David Maier, 10/24/2017

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 10/25/2017

- 0 - 0

Colorado Srings Utilities supports Cowlitz PUD and APPA comments

Colorado Springs Utilities, Segment(s) 5, 3, 1, 6, 5/6/2015

- 0 - 0

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

Aaron Austin, 10/26/2017

- 0 - 0

No.  For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criteria. 

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

Jeanne Kurzynowski, On Behalf of: Consumers Energy Company - RF - Segments 1

- 0 - 0

Hien Ho, Tacoma Public Utilities (Tacoma, WA), 4, 10/26/2017

- 0 - 0

Reclamation recommends that the Impact Rating Criteria in CIP-002 Attachment 1 be simplified, using the methodology described in the response to Question 1, to reduce the overall impact of CIP-002-6 and allow entities to reduce the time spent “review[ing] the identifications in Requirement R1 and its parts (and update[ing] them if there are changes identified) at least once every 15 calendar months” and the cost of implementing the standard.

Wendy Center, U.S. Bureau of Reclamation, 5, 10/26/2017

- 0 - 0

NIPSCO is in support of the comment provided by EEI below.

"It is premature to comment on the cost effectiveness of the proposed changes because EEI disagrees with the revisions."

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 10/27/2017

- 0 - 0

Steven Powell, On Behalf of: Trans Bay Cable LLC, WECC, Segments NA - Not Applicable

- 0 - 0

For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criteria.

 

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

James Anderson, 10/27/2017

- 0 - 0

AZPS agrees that the SDT’s proposal meets the reliability objectives in a cost effective manner so long as a reasonable implementation period, i.e., at least 24 months, is allotted.  Otherwise, entities to which these modifications are applicable may expend significant resources unnecessarily to meet timeframes that were, at their time of proposal, unreasonable.  Such unnecessary expenditures would gravely adversely impact the cost-effectiveness of the proposed revisions. 

Vivian Moser, 10/27/2017

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 10/27/2017

- 0 - 0

For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criteria.

 

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 10/27/2017

- 0 - 0

IMEA supports APPA comments.

Mary Ann Todd, Illinois Municipal Electric Agency, 4, 10/27/2017

- 0 - 0

Bette White, 10/27/2017

- 0 - 0

Cowlitz PUD supports APPA comment.

Russell Noble, Cowlitz County PUD, 3, 10/27/2017

- 1 - 0

Daniel Grinkevich, 10/30/2017

- 0 - 0

Stephanie Burns, 10/30/2017

- 0 - 0

SRC + SWG , Segment(s) 2, 3, 1, 0, 10/30/2017

- 0 - 0

Barry Lawson, 10/30/2017

- 0 - 0

Regan Haines, On Behalf of: TECO - Tampa Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

Tyson Archie, Platte River Power Authority, 5, 10/30/2017

- 0 - 0

It is premature to comment on the cost effectiveness of the proposed changes because MEC disagrees with the revisions.

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 10/30/2017

- 0 - 0

Removal of the guidelines and technical basis on which entities implemented their CIP-002 BES Cyber System identifications and classifications could cause significant re-work if it results in compliance interpretations other than what the SDT intended. Re-work is not cost effective.

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 10/30/2017

- 0 - 0

David Rivera, New York Power Authority, 3, 10/30/2017

- 0 - 0

The California ISO supports the comments of the Security Working Group (SWG)

- 0 - 0

Manitoba Hydro, Segment(s) 5, 3, 6, 1, 8/8/2017

- 1 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Bob Solomon, On Behalf of: Bob Solomon, , Segments 1

- 0 - 0

No Response.

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

Louisville Gas and Electric Company and Kentucky Utilities Company, Segment(s) 3, 5, 6, 4/13/2017

- 0 - 0

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

Mike Lotz, On Behalf of: Mike Lotz, , Segments 3, 5

- 0 - 0

Salt River Project supports comments submitted by APPA.

Lona Calderon, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Russel Mountjoy, 10/30/2017

- 0 - 0

See our response to question 6. Without clarity on the scope, it is difficult to determine the cost effectiveness.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Nicolas Turcotte, Hydro-Qu?bec TransEnergie, 1, 10/30/2017

- 0 - 0

It is premature to comment on the cost effectiveness of the proposed changes because EEI disagrees with the revisions.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

MMWEC supports the concept of establishing criteria for Medium Impact Control Centers and Low Impact Control Centers. We support the approach of basing the criteria on "aggregate weighted value" of Transmission Lines controlled by BES Cyber Systems located at the Control Centers.

David Gordon, 10/30/2017

- 0 - 0

Based on the perception of the SDT intent, public power agrees with the weighted values for transmission lines that the BES cyber system monitors and controls approach and that the allowing for low impact Control Centers is a positive action.

The changes proposed should reduce cost and/or potentially provide flexability in compliance options. 

Jack Cashin, American Public Power Association, 4, 10/30/2017

- 5 - 0

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 4 - 0

Eversource Group, Segment(s) 5, 3, 9/11/2017

- 0 - 0

Steve Rawlinson, 10/30/2017

- 0 - 0

Payam Farahbakhsh, Hydro One Networks, Inc., 1, 10/30/2017

- 0 - 0

Sandra Shaffer, 10/30/2017

- 0 - 0

KCP&L incorporates by reference Edison Electric Institute’s (EEI) Question 7 response.

Douglas Webb, 10/30/2017

- 0 - 0

Don Schmit, 10/30/2017

- 0 - 0

ERCOT ISO signs on to the SRC + SWG comments.

Elizabeth Axson, 10/30/2017

- 0 - 0

Texas RE does not have comments on this question.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 10/30/2017

- 0 - 0

Seattle City Light supports the comments of Cowlitz PUD and APPA.

Seattle City Light, Segment(s) 1, 3, 4, 5, 6, 10/5/2015

- 0 - 0

RSC no Dominion and ISO-NE, Segment(s) 10, 2, 4, 5, 6, 7, 1, 3, 10/30/2017

- 0 - 0

See the response to question 6 above.

David Jendras, Ameren - Ameren Services, 3, 10/30/2017

- 0 - 0

Fred Frederick, 10/30/2017

- 0 - 0

Spencer Tacke, Modesto Irrigation District, 4, 10/30/2017

- 0 - 0

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

SPP Standards Review Group, Segment(s) , 10/30/2017

- 0 - 0

Item 7 is ambiguous and needs to be explained. SDG&E seeks clarification to what the “cost effective manner” element is of this proposed change to CIP-002-5.1.

Jeff Johnson, 10/30/2017

- 0 - 0

Please refer to comments submitted by Robert Blackney on behalf of Southern California Edison

Kenya Streeter, Edison International - Southern California Edison Company, 6, 10/30/2017

- 0 - 0

Michael Johnson, On Behalf of: Burns & McDonnell, FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments NA - Not Applicable

- 0 - 0

SNPD does not have comments on Question 7.

Long Duong, 10/30/2017

- 0 - 0

Hot Answers

N/A

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

SCE does not agree with the first paragraph that has been inserted into the Guidelines and Technical Basis (GTB) section of the proposed standard.

SCE used the existing Guidelines and Technical basis section of CIP-002 (and other CIP standards) to inform the implementation of NERC compliant CIP programs and, consequently, SCE does not think that NERC should remove this section from the proposed standard without providing a replacement process to inform the understanding of the impact rating criteria in CIP-002, and the impact of BES Cyber System impact ratings on the applicability of other CIP standards.  

In proposed standard CIP-002-6, NERC states that the guidance that is normally provided in the GTB section of the standard could be moved into the accompanying Implementation Guidance document, however, NERC does not provide any assurance that the Implementation Guidance will be released in a timely manner, or if industry participants would have the opportunity to vet and/or approve the information.  Consequently, SCE does not agree with NERC’s proposal to remove the GTB sections of CIP-002-6 unless NERC can provide clear and discrete next steps about what implementation information will be made available to industry participants, when NERC will release the information, and NERC provides assurance that industry stakeholders will have an opportunity to reviewing/vet the information prior to its implementation.

 

Furthermore, SCE does not believe that the Implementation Guidance document is an appropriate place to present the information that would typically be accessible in the GTB section of the standard. Currently, the GTB section of the standards provides valuable examples that clarify the specific compliance circumstances and variables NERC could/would review during the NERC audit process. Additionally, the GTB provides industry stakeholders insight to the SDT’s drafting process and the underlying intents of the proposed requirements in a draft standard. Conversely, Implementation Guidance documents provide a specific, NERC endorsed approach that an entity can use to achieve compliance with a particular requirement.  Therefore, SCE does not think it would be appropriate to relocate information from the GTB section into Implementation Guidance. If necessary, the SDT could modify Attachment 1 of the proposed standard to include the guidance from the GTB.

Having said that, if NERC disagrees with SCE and believes that Implementation Guidance is an appropriate place to present the guidance normally found in the GTB section, SCE recommends that NERC issue the Implementation Guidance document for the review and approved of industry participants.  Specifically, SCE believes that the Implementation Guidance doucument should pass through an industry participant ballot process before to the final ballot for CIP-002 (analogous to NERC’s process for CIP-013).

Lastly, SCE is concerned that removal of the GTB may impact SCE’s ability to support the approval of the proposed CIP-002-6.  SCE recommends NERC address the concerns surrounding GTB before taking CIP-002-6 to a second ballot.

Robert Blackney, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

I am in agreement with the proposed changes.

Jeff Ipsaro, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

SVP appreciates the effort by the SDT to look at and improve criterion 2.12

Val Ridad, On Behalf of: Silicon Valley Power - City of Santa Clara, , Segments 3, 4, 5

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 9/18/2017

- 0 - 0

None

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 10/16/2017

- 0 - 0

  1. As this team is planning to submit the Guidelines and Technical Basis as a separate document from the Standard itself, Seminole requests the drafting team to revise the language “adversely impact the reliable operation” and make it more clear.  This phrase is very unclear.  How is an adverse impact quantitatively measured?

  2. The Interpretation listed in Section C on page 13 of the redline, is that part of the Reliability Standard, or more of an Associated Document?

  3. Should the Guidelines and Technical Basis be listed under Associated Documents (Section F) on p. 13 of 43 of the redline?

  4. In the Guidelines and Technical Basis, the SDT has differentiated between Control Centers and backup Control Centers.  However, in portions of the redline changes (see page 34 for example), the SDT only references Control Centers.  This is confusing as Seminole isn’t sure if the drafting team purposely means not to include backup Control Centers in these sections where they are not specifically identified.  The team should only use one term or define backup Control Centers (make it a NERC defined term) and reference both throughout the document.

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

We suggest that rationale similar to Criterion 2.12 should also be referenced for 1.3.

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 6/15/2017

- 0 - 0

Jim Nail, 10/23/2017

- 0 - 0

Jennifer Hohenshilt, On Behalf of: Talen Energy Marketing, LLC, , Segments 6

- 0 - 0

Anton Vu, Los Angeles Department of Water and Power, 6, 10/23/2017

- 0 - 0

David Maier, 10/24/2017

- 0 - 0

(No additional comments)

Nicholas Lauriat, Network and Security Technologies, 1, 10/25/2017

- 0 - 0

Colorado Srings Utilities supports Cowlitz PUD and APPA comments

Colorado Springs Utilities, Segment(s) 5, 3, 1, 6, 5/6/2015

- 0 - 0

NERC’s statement inserted into the first paragraph of the Guidelines and Technical Basis (GTB) regarding removal of the GTB before final ballot is a critical issue for this ballot.  This creates an untenable situation where the approval of this standard must rest on the language currently contained solely in the requirements of the standard. 

Of significant concern is that registered entities’ existing CIP programs have been built using the GTB as a guide to understanding the meaning of the impact rating criteria in CIP-002, which is used to identify the BES Cyber System impact ratings that set the foundation of applicability for the other CIP standards.  Dominion Energy does not agree with NERC’s approach to removing the GTB without providing transparent next steps as to which information will be retained in the Technical Rationale and how that rationale will be treated. Implementation Guidance is also mentioned as a possibility for the SDT, but no certainty as to whether or when the SDT will develop it is provided.  Alternatively, the SDT could modify the Attachment 1 criteria to include the guidance from the GTB.

It is also unclear why NERC is directing the removal of the GTB when the currently approved Standards Process Manual clearly allows the development of Application Guidelines as a component of a Reliability Standard, noting that such documents are intended “to support the implementation of the associated Reliability Standard.”  Implementation Guidance is meant to gain NERC endorsement of specific approaches to compliance with a particular requirement or part of a requirement.  Much of the GTB is more like application guidance; it is not necessarily an approach to compliance, but supports implementation by providing the SDT’s intent behind the requirements, which includes examples to further clarify this intent.  However, if NERC disagrees and views the GTB to primarily consist of Implementation Guidance, then the SDT should be directed to convert this information into Implementation Guidance and NERC should endorse it in a ballot before the final ballot like it did with CIP-013.

It is also important to note that most of the CIP-002 GTB (excluding the redlined text for CIP-002-6) has been submitted with previous versions of the standard and has been relied upon not only by industry, but also by FERC in understanding the SDT’s intent behind the requirements.  At this point, it is unclear if the Technical Rationale will be submitted to FERC along with the revised standard and how much of the GTB will be converted into Technical Rationale.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 1 - 0

Aaron Austin, 10/26/2017

- 0 - 0

Additional savings for entities could be gained by not requiring evaluation of lower priority CIP-002-6, Attachment 1 Criteria, where applicable assets are determined to meet higher priority IRC Criteria (and are High Watermarked for the higher priority IRC Criteria/CIP Controls).

Jeanne Kurzynowski, On Behalf of: Consumers Energy Company - RF - Segments 1

- 0 - 0

Hien Ho, Tacoma Public Utilities (Tacoma, WA), 4, 10/26/2017

- 0 - 0

None

Wendy Center, U.S. Bureau of Reclamation, 5, 10/26/2017

- 0 - 0

NIPSCO is in support of the comment provided by EEI below.

"

NERC’s statement inserted into the first paragraph of the Guidelines and Technical Basis (GTB) regarding removal of the GTB before final ballot is a critical issue for this ballot.  This creates an untenable situation where the approval of this standard must rest on the language currently contained solely in the requirements of the standard. 

The problem is that registered entities’ existing CIP programs have been built using the GTB as a guide to understanding the meaning of the impact rating criteria in CIP-002, which is used to identify the BES Cyber System impact ratings that set the foundation of applicability for the other CIP standards.  As a result, EEI does not agree with NERC’s approach to removing the GTB without providing transparent next steps as to which information will be retained in the Technical Rationale and how that rationale will be treated.  Implementation Guidance is also mentioned as a possibility for the SDT, but no certainty as to whether or when the SDT will develop it is provided.  Alternatively, the SDT could modify the Attachment 1 criteria to include the guidance from the GTB.

It is also unclear why NERC is directing the removal of the GTB when the currently approved Standards Process Manual clearly allows the development of Application Guidelines as a component of a Reliability Standard, noting that such documents are intended “to support the implementation of the associated Reliability Standard.”  Implementation Guidance is meant to gain NERC endorsement of specific approaches to compliance with a particular requirement or part of a requirement.  Much of the GTB is more like application guidance; it is not necessarily an approach to compliance, but supports implementation by providing the SDT’s intent behind the requirements, which includes examples to further clarify this intent.  However, if NERC disagrees and views the GTB to primarily consist of Implementation Guidance, then the SDT should be directed to convert this information into Implementation Guidance and NERC should endorse it in a ballot before the final ballot like it did with CIP-013.

It is also important to note that most of the CIP-002 GTB (excluding the redlined text for CIP-002-6) has been submitted with previous versions of the standard and has been relied upon not only by industry, but also by FERC in understanding the SDT’s intent behind the requirements.  At this point, it is unclear if the Technical Rationale will be submitted to FERC along with the revised standard and how much of the GTB will be converted into Technical Rationale.

EEI is concerned that removal of the GTB may impact the ability for this standard to pass ballot.  We recommend that NERC address these concerns before taking CIP-002-6 to a second ballot."

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 10/27/2017

- 1 - 0

Steven Powell, On Behalf of: Trans Bay Cable LLC, WECC, Segments NA - Not Applicable

- 0 - 0

Additional savings for entities could be gained by not requiring evaluation of lower priority CIP-002-6, Attachment 1 Criteria, where applicable assets are determined to meet higher priority IRC Criteria (and are High Watermarked for the higher priority IRC Criteria/CIP Controls).

James Anderson, 10/27/2017

- 0 - 0

Vivian Moser, 10/27/2017

- 0 - 0

Utility Services supports the efforts of the Standard Development Team to date and believe that the revised language for Criteria 2.12 is a significant incremental step forward which will focus efforts on the most critical locations. We are aware of issues with the interpretation of the of the TOCC proposed version of Criteria 2.12 and encourage the Standard Development Team to clarify the specific language of criteria 2.12 to clarify the scoring application of Criteria 2.12. To that end, Utility Services supports the comments of the NPCC Regional Standards Committee suggesting revision of the criteria for clarity.

 

Brian Evans-Mongeon, Utility Services, Inc., 4, 10/27/2017

- 0 - 0

Additional savings for entities could be gained by not requiring evaluation of lower priority CIP-002-6, Attachment 1 Criteria, where applicable assets are determined to meet higher priority IRC Criteria (and are High Watermarked for the higher priority IRC Criteria/CIP Controls).

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 10/27/2017

- 0 - 0

IMEA supports APPA comments.

Mary Ann Todd, Illinois Municipal Electric Agency, 4, 10/27/2017

- 0 - 0

Bette White, 10/27/2017

- 0 - 0

Cowlitz PUD supports APPA comment.

Russell Noble, Cowlitz County PUD, 3, 10/27/2017

- 0 - 0

NERC’s statement inserted into the first paragraph of the Guidelines and Technical Basis (GTB) regarding removal of the GTB before final ballot is a critical issue for this ballot.  This creates an untenable situation where the approval of this standard must rest on the language currently contained solely in the requirements of the standard. 

The problem is that registered entities’ existing CIP programs have been built using the GTB as a guide to understanding the meaning of the impact rating criteria in CIP-002, which is used to identify the BES Cyber System impact ratings that set the foundation of applicability for the other CIP standards.  As a result, Con Edison does not agree with NERC’s approach to removing the GTB without providing transparent next steps as to which information will be retained in the Technical Rationale and how that rationale will be treated.  Implementation Guidance is also mentioned as a possibility for the SDT, but no certainty as to whether or when the SDT will develop it is provided.  Alternatively, the SDT could modify the Attachment 1 criteria to include the guidance from the GTB.

Daniel Grinkevich, 10/30/2017

- 0 - 0

Stephanie Burns, 10/30/2017

- 0 - 0

SRC + SWG , Segment(s) 2, 3, 1, 0, 10/30/2017

- 0 - 0

NRECA appreciates the hard work of the drafting team over a long period of time on complex issues.

Barry Lawson, 10/30/2017

- 0 - 0

Regan Haines, On Behalf of: TECO - Tampa Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

Platte River Power Authority (PRPA) supports the comments provided by the American Public Power Administration (APPA).

Tyson Archie, Platte River Power Authority, 5, 10/30/2017

- 0 - 0

NERC’s statement inserted into the first paragraph of the Guidelines and Technical Basis (GTB) regarding removal of the GTB before final ballot is a critical issue for this ballot.  This creates an untenable situation where the approval of this standard must rest on the language currently contained solely in the requirements of the standard. 

The problem is that registered entities’ existing CIP programs have been built using the GTB as a guide to understanding the meaning of the impact rating criteria in CIP-002, which is used to identify the BES Cyber System impact ratings that set the foundation of applicability for the other CIP standards.  As a result, EEI does not agree with NERC’s approach to removing the GTB without providing transparent next steps as to which information will be retained in the Technical Rationale and how that rationale will be treated.  Implementation Guidance is also mentioned as a possibility for the SDT, but no certainty as to whether or when the SDT will develop it is provided.  Alternatively, the SDT could modify the Attachment 1 criteria to include the guidance from the GTB.

It is also unclear why NERC is directing the removal of the GTB when the currently approved Standards Process Manual clearly allows the development of Application Guidelines as a component of a Reliability Standard, noting that such documents are intended “to support the implementation of the associated Reliability Standard.”  Implementation Guidance is meant to gain NERC endorsement of specific approaches to compliance with a particular requirement or part of a requirement.  Much of the GTB is more like application guidance; it is not necessarily an approach to compliance, but supports implementation by providing the SDT’s intent behind the requirements, which includes examples to further clarify this intent.  However, if NERC disagrees and views the GTB to primarily consist of Implementation Guidance, then the SDT should be directed to convert this information into Implementation Guidance and NERC should endorse it in a ballot before the final ballot like it did with CIP-013.

It is also important to note that most of the CIP-002 GTB (excluding the redlined text for CIP-002-6) has been submitted with previous versions of the standard and has been relied upon not only by industry, but also by FERC in understanding the SDT’s intent behind the requirements.  At this point, it is unclear if the Technical Rationale will be submitted to FERC along with the revised standard and how much of the GTB will be converted into Technical Rationale.

MEC is concerned that removal of the GTB may impact the ability for this standard to pass ballot.  We recommend that NERC address these concerns before taking CIP-002-6 to a second ballot.

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 10/30/2017

- 0 - 0

MEC supports the comments of EEI on this question. The content of the guidelines and technical basis is essential to convey the SDT’s intent, which was the basis for industry approval and implementation and therefore must continue to be a part of the standard. Also, the proposal to remove the guidelines and technical basis from CIP-002 is out of scope of the Standards Authorization Request, which states, “Finally, the SDT will review the Guidelines and Technical Basis sections of the CIP V5 standards and adjust where appropriate as well as correct any grammatical, punctuation, and/or formatting errors, and make other errata changes to the CIP V5 standards, as necessary.” This indicates continuation of the guidelines and technical basis, not removal.

MEC also agrees with EEI's comments for questions #8

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 10/30/2017

- 0 - 0

Since the Guidance & Technical Basis (GTB) will be removed, we need clarification on where this GTB goes. Some GTB information such as the BROS (BES Reliability Operating Services) should be included in an Implementation Guideline and not a technical reference document.

David Rivera, New York Power Authority, 3, 10/30/2017

- 0 - 0

The California ISO supports the comments of the Security Working Group (SWG)

- 0 - 0

Manitoba Hydro, Segment(s) 5, 3, 6, 1, 8/8/2017

- 0 - 0

FirstEnergy supports the comments supplied by EEI regarding the removal of the Guidelines and Technical Basis Section from the CIP-002 Standard.  This section provides valuable application guidance that the industry has relied on in implementing the CIP-002 Standard, and should remain part of the Standard.

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Bob Solomon, On Behalf of: Bob Solomon, , Segments 1

- 0 - 0

CenterPoint Energy Houston Electric, LLC (“CenterPoint Energy”) agrees with Edison Electric Institute’s comments regarding the removal of the Guidelines and Technical Basis (GTB) from the Reliability Standard prior to final ballot.  CenterPoint Energy does not agree with NERC’s proposal to remove the GTB without providng guidance on how the information in the GTB will be retained.  CenterPoint Energy believes the GTB in CIP-002 provides pertinent information that establishes guidance for identifying and categorizing the BES Cyber Systems that would be subject to CIP-002, which sets the foundation of applicability for the other CIP standards.  CenterPoint Energy is concerned that the removal of the GTB will provide less guidance to entities regarding the technical basis for the requirements and the intent of the Standard Drafting Team, which has been relied upon by the industry and regulatory authorities.

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Guidelines and Technical Basis

At NERC’s direction, the current draft Guidelines and Technical Basis section will be removed from the Reliability Standard template prior to final ballot. The SDT will evaluate the content for placement in a Technical Rationale document for posting along with, but separate from, the Reliability Standard. Additionally, the SDT may develop Implementation Guidance on this Reliability Standard to submit for ERO endorsement based on the content of this section.

The NSRF has concerns with removing the Guideline and Technical Basis from all Standard(s).  Currently Entities feel they vote for the “entire standard” including the Guideline and Technical Basis.  The NSRF understands that Entities are actually voting for the Requirements but the perception is that FERC approves all th verbiage and sections to the Entire Standard. 

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

LG&E and KU Services Company as agent for Louisville Gas and Electric Company and Kentucky Utilities Company (LKE) submits these comments for NERC’s consideration.  LKE strongly supports the comments submitted by Edison Electric Institute (EEI) with respect to the Guidelines and Technical Basis (GTB) portion of the draft changes to the standard.  Specifically, LKE is deeply concerned with the proposed approach of removing the GTB section of the standards without the simultaneous posting of 1) Technical Rationale prepared by the Standards Drafting Team for industry comment or 2) potential Implementation Guidance developed through the Compliance Guidance policy.  It is our understanding that the Standards Committee is working with NERC staff to develop a process for removal of the GTB sections from standards.  We recommend that GTB sections not be removed from any standard until that process has been defined.  As detailed in section 2.5 of the Standards Processes Manual (Rules of Procedures Appendix 3A), Application Guidelines are included, among other reasons, “to support the implementation of the associated Reliability Standard,” “establish relevant scope and technical paradigm, and to provide guidance to Functional Entities concerning how compliance will be assessed by the Compliance Enforcement Authority.”  In many cases, and specifically in the case of CIP-002-5.1a, the GTB plays a critical role in determining the scope of the standard to which it applies.  Consequently, removal of GTB sections without simultaneously publishing a Technical Rationale document as proposed for this standard creates unnecessary and significant ambiguity.  Furthermore, removing the GTB may inadvertently contradict the Standards Process Manual and we suggest NERC should avoid any such appearance.

Louisville Gas and Electric Company and Kentucky Utilities Company, Segment(s) 3, 5, 6, 4/13/2017

- 0 - 0

IID fully supports SDT efforts so far, and regrets the need for submitting a negative ballot.  However, the application interpretations received from regional auditors of the proposed criterion is cause for serious concern, and can impact application of other criteria in similar fashion. 

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

Other factors besides transmission values, such as customers served, should be used to determine an entities’ impact.  It should not be assumed that all entities will voluntarily implement and maintain security controls above the low impact threshold if not mandated to do so.  The low impact requirements may not be adequate in all situations.

Mike Lotz, On Behalf of: Mike Lotz, , Segments 3, 5

- 0 - 0

Salt River Project supports comments submitted by APPA.       

Lona Calderon, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Provide clarity: If each end of a line is controlled and monitored by separate Control Centers (same or different entities) is the line weight counted for each Control Center?

Russel Mountjoy, 10/30/2017

- 0 - 0

Duke Energy has some concerns regarding the removal of the Guidelines and Technical Basis Section (GT&B) of the standard. While the GT&B section is not considered to be an enforceable part of the standard (as opposed to requirements), it may be used by some entities to get a better understanding of the standard’s expectations, as well as determining a compliance approach. If the GT&B section is removed from the standard, we recommend that it be incorporated into ERO Enterprise-Endorsed Implementation Guidance.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Nicolas Turcotte, Hydro-Qu?bec TransEnergie, 1, 10/30/2017

- 0 - 0

NERC’s statement inserted into the first paragraph of the Guidelines and Technical Basis (GTB) regarding removal of the GTB before final ballot is a critical issue for this ballot.  This creates an untenable situation where the approval of this standard must rest on the language currently contained solely in the requirements of the standard while removing the original SDT intent by which was the basis for industry approval and implementation. 

The problem is that registered entities’ existing CIP programs have been built using the GTB as a guide to understanding the meaning of the impact rating criteria in CIP-002, which is used to identify the BES Cyber System impact ratings that set the foundation of applicability for the other CIP standards.  As a result, EEI does not agree with NERC’s approach to removing the GTB without providing transparent next steps as to which information will be retained in the Technical Rationale and how that rationale will be treated.  Implementation Guidance is also mentioned as a possibility for the SDT, but no certainty as to whether or when the SDT will develop it is provided.  Alternatively, the SDT could modify the Attachment 1 criteria to include the guidance from the GTB.

It is also unclear why NERC is directing the removal of the GTB when the currently approved Standards Process Manual clearly allows the development of Application Guidelines as a component of a Reliability Standard, noting that such documents are intended “to support the implementation of the associated Reliability Standard.”  Implementation Guidance is meant to gain NERC endorsement of specific approaches to compliance with a particular requirement or part of a requirement.  Much of the GTB is more like application guidance; it is not necessarily an approach to compliance, but supports implementation by providing the SDT’s intent behind the requirements, which includes examples to further clarify this intent.  However, if NERC disagrees and views the GTB to primarily consist of Implementation Guidance, then the SDT should be directed to convert this information into Implementation Guidance and NERC should endorse it in a ballot before the final ballot like it did with CIP-013.

It is also important to note that most of the CIP-002 GTB (excluding the redlined text for CIP-002-6) has been submitted with previous versions of the standard and has been relied upon not only by industry, but also by FERC and Regional auditors in understanding the SDT’s intent behind the requirements.  At this point, it is unclear if the Technical Rationale will be submitted to FERC along with the revised standard and how much of the GTB will be converted into Technical Rationale.

EEI is concerned that removal of the GTB may impact the ability for this standard to pass ballot.  We recommend that NERC address these concerns before taking CIP-002-6 to a second ballot.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 1 - 0

David Gordon, 10/30/2017

- 0 - 0

The possible new interpretations could impact the application of other criteria.  (2.11 and 2.13)

The removal of the Guidelines and Technical Basis (GTB) section from the standard reduces the standard’s continuity and authority. This removal makes it so that the language in the requirements includes the details currently included in guidance. Such inclusion makes requirements out of guidance. 

Jack Cashin, American Public Power Association, 4, 10/30/2017

- 5 - 0

PSEG generally supports EEI’s comments on Questions 8. PSEG does not agree with NERC’s approach to remove the GTB without providing transparent next steps as to which information will be retained in the Technical Rationale.

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 4 - 0

Since the Guidance & Technical Basis (GTB) will be removed, we need clarification on where this GTB goes. Some GTB information such as the BROS (BES Reliability Operating Services) should be included in an Implementation Guideline and not a technical reference document

Eversource Group, Segment(s) 5, 3, 9/11/2017

- 0 - 0

While Vectren’s subject matter experts are in agreement with the proposed modifications for CIP-002-06 Attachment 1 Criterion 2.12, Vectren does not agree with removing the Guidelines and Technical Basis (G&TB) from CIP-002-6.  The G&TB addresses complex concepts and provides additional guidance regarding what should be considered when developing the methodology to categorize Facilities, systems, and equipment into high-, medium-, and low-impact ratings.  It also provides clarification for some ambiguities in the requirements and has been referenced as one source in our documentation of how we arrived at our approach.  It is unclear where this information will reside or how it will be maintained once it is removed from the CIP-002-6 standard.   The removal of the G&TB should be delayed until a defined removal process has been developed by NERC staff, including the new location of the information.

Vectren is committed to the safety and reliability of the BES and committed to compliance excellence.  We appreciate the efforts of the Standard Drafting Team and will be glad to provide any additional detail upon request.  Thank you for allowing Vectren the opportunity to provide comments on this draft standard.

 

Steve Rawlinson, 10/30/2017

- 0 - 0

Payam Farahbakhsh, Hydro One Networks, Inc., 1, 10/30/2017

- 0 - 0

PacifiCorp supports EEI comments.  

Sandra Shaffer, 10/30/2017

- 0 - 0

KCP&L incorporates by reference Edison Electric Institute’s (EEI) Question 8 response.

Douglas Webb, 10/30/2017

- 0 - 0

None.

Don Schmit, 10/30/2017

- 0 - 0

Elizabeth Axson, 10/30/2017

- 0 - 0

Texas RE has the following comments regarding the Guidelines and Technical Basis:

  • Texas RE requests clarification as to what Part 1, which is mentioned several times, in the Guidelines and Technical Basis refers. 

  • It appears version 5 is left out of the sentence on page 20:  “This is a process familiar to Responsoble Entities that have to comply with versions 1, 2, 3, and 4.  As in versions 1, 2, 3, and 4, Responsible Entities may use substations, generation plants, and Control Centers at single site locations as identifiers of these groups of Facilities, systems, and equipment”.

  • Page 27 of the GTb contains a reference to functional obligations.  Since the intent of this project was to clarify the use of the term “to perform the functional obligations of” and the SDT created the 2.12 criteria in Attachment 1, it does not seem necessary to use this term in the GTB.  Texas RE requests the SDT ensure that it makes sense to use the term in this case.

  • Page 33 contains the phrase “Associated data centers”.  As it is important and to be consistent, Texas RE recommends the phrase be included in criteria 2.12 of Attachment 1.

  • Page 37 describes the SDT’s rationale behind some of the CIP version 5 changes.  It would be helpful to have this description for the CIP-002-6 changes. 

     

Texas RE noticed the Violation Severity Level table references CIP-002-5.1a.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 10/30/2017

- 0 - 0

Seattle City Light supports the comments of Cowlitz PUD and APPA.

Seattle City Light, Segment(s) 1, 3, 4, 5, 6, 10/5/2015

- 0 - 0

Since the Guidance & Technical Basis (GTB) will be removed, we need clarification on where this GTB goes. Some GTB information such as the BROS (BES Reliability Operating Services) should be included in an Implementation Guideline and not a technical reference document.

NERC’s statement inserted into the first paragraph of the Guidelines and Technical Basis (GTB) regarding removal of the GTB before final ballot is a critical issue for this ballot.  This creates an untenable situation where the approval of this standard must rest on the language currently contained solely in the requirements of the standard.

The problem is that registered entities’ existing CIP programs have been built using the GTB as a guide to understanding the meaning of the impact rating criteria in CIP-002, which is used to identify the BES Cyber System impact ratings that set the foundation of applicability for the other CIP standards.  As a result, we  do not agree with NERC’s approach to removing the GTB without providing transparent next steps as to which information will be retained in the Technical Rationale and how that rationale will be treated.  Implementation Guidance is also mentioned as a possibility for the SDT, but no certainty as to whether or when the SDT will develop it is provided.  Alternatively, the SDT could modify the Attachment 1 criteria to include the guidance from the GTB.

RSC no Dominion and ISO-NE, Segment(s) 10, 2, 4, 5, 6, 7, 1, 3, 10/30/2017

- 0 - 0

We support comments offered by EEI for this question.

David Jendras, Ameren - Ameren Services, 3, 10/30/2017

- 0 - 0

While Vectren’s subject matter experts are in agreement with the proposed modifications for CIP-002-06 Attachment 1 Criterion 2.12, Vectren does not agree with removing the Guidelines and Technical Basis (G&TB) from CIP-002-6.  The G&TB addresses complex concepts and provides additional guidance regarding what should be considered when developing the methodology to categorize Facilities, systems, and equipment into high-, medium-, and low-impact ratings.  It also provides clarification for some ambiguities in the requirements and has been referenced as one source in our documentation of how we arrived at our approach.  It is unclear where this information will reside or how it will be maintained once it is removed from the CIP-002-6 standard.   The removal of the G&TB should be delayed until a defined removal process has been developed by NERC staff, including the new location of the information.

Vectren is committed to the safety and reliability of the BES and committed to compliance excellence.  We appreciate the efforts of the Standard Drafting Team and will be glad to provide any additional detail upon request.  Thank you for allowing Vectren the opportunity to provide comments on this draft standard.

Fred Frederick, 10/30/2017

- 0 - 0

Spencer Tacke, Modesto Irrigation District, 4, 10/30/2017

- 0 - 0

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

SPP Standards Review Group, Segment(s) , 10/30/2017

- 0 - 0

Jeff Johnson, 10/30/2017

- 0 - 0

Please refer to comments submitted by Robert Blackney on behalf of Southern California Edison

Kenya Streeter, Edison International - Southern California Edison Company, 6, 10/30/2017

- 0 - 0

As part of the diagrams provided for 2.12, we are providing a suggested additional diagram we feel the Standard should display in the Supplemental Material section.  Even though the text for 2.12 indicates it is for “BES Transmission Lines”, it is not clear that generator lead line(s) should not be counted as part of aggregated weight value of 6000.  To avoid having to have separate guidance document like Criteria 2.5 has (CIP-002-5, Requirement R1, Attachment 1: Criterion 2.5 and Generator Interconnection), we recommend the standard include a third diagram which clearly indicates the generator lead line(s) are not part of the aggregated weighted value.  A suggested diagram has been provided to Wendy Muller since diagrams may not import correctly to the comment portal.  The file name of the diagram provided to Wendy was “Visio-CIP V6 Diagram Trans - 20170826 - 2-12.pdf”

Michael Johnson, On Behalf of: Burns & McDonnell, FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments NA - Not Applicable

Visio-CIP V6 Diagram Trans - 20170826 - 2-12.pdf

- 0 - 0

Are there any RC and TOP functional obligations that SNPD should consider, other than the services already stated in BROS?

Long Duong, 10/30/2017

- 0 - 0