2016-02 Modifications to CIP Standards | CIP-012-1 Draft 3

Description:

Start Date: 03/16/2018
End Date: 04/30/2018

Associated Ballots:

Ballot Name: 2016-02 Modifications to CIP Standards CIP-012-1 AB 3 ST
Project: 2016-02 Modifications to CIP Standards
Standard: CIP-012-1
Pool Open: 07/27/2017
Pool Close: 08/25/2017
Voting Start: 04/20/2018
Voting End: 04/30/2018

Hot Answers

Brandon Gleason, Electric Reliability Council of Texas, Inc., 2, 4/30/2018

- 0 - 0

SRP agrees the data should be protected. SRP also agrees the protections for the data in scope must ensure the data has not been modified, and that FERC directed NERC to “specify how the confidentiality, integrity, and availability of each type of bulk electric system data should be protected while it is being transmitted.” However, SRP takes exception to the extent the proposed standard requires the data in scope to be protected. FERC Order 822 states on page 36, “…we recognize that not all communication network components and data pose the same risk to bulk electric system reliability and may not require the same level of protection.” However, the proposed standard applies the same criteria of protection against unauthorized disclosure across all of the data within the defined scope. SRP does not agree viewing of the Real-time Assessment and Real-time monitoring and control data without context will decrease the reliable operation of the BES and asserts confidentiality does not need to be protected for all data under this scope. Along with this, SRP would like a clarification of how the SDT defines Real-Time Assessment Data.

Additionally, SRP recognizes the SDT is not specifying the controls used to protect confidentiality and integrity. However, the only method available to achieve the proposed required objective is to implement encryption. FERC Order 822 states on page 39, “it is reasonable to conclude that any lag in communication speed resulting from implementation of protections [encryption technologies] should only be measurable on the order of milliseconds and, therefore, will not adversely impact Control Center communications,” but SRP asserts this statement only refers to a single data stream. It is unknown what encryption will do when dealing with multiple data streams being transmitted at once, from one to many points, not only to the latency added for the reliable operation of the BES, but also to the computing resources.

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Real-time monitoring is not a defined term; the R in Real-time should not be capitalized. We are still concerned that coordination between control centers may result in compromises that may not satisfy the needs of the entities involved.

- 0 - 0

Nicholas Lauriat, On Behalf of: Network and Security Technologies, , Segments 1

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 4/23/2018

- 0 - 0

Aaron Austin, 4/23/2018

- 0 - 0

R1.2 needs to be modified to reflect the comments in question 4 below.

“On page 5 under section ‘Identification of Where Security Protection is Applied by the Responsible Entity’, language should be added to address the situation where a Responsible Entity does not manage either end of a communication link, indicating that this Responsible Entity does not have compliance obligations to R1.2.”

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

The drafting team has done a good job of responding to industry comments. The NSRF would like to offer the following two items:

1) The Standards Efficiency group within NERC is working towards actionable Standards and removing the layers of compliance that do not promote reliability. The NSRF recommends for R1 that entities not be required to have a plan, but have an actionable Requirement to implement.  NSRF suggests the following R1 wording:

“The Responsible Entity shall mitigate the risk of unauthorized disclosure or modification of Real-time Assessment and Real-time monitoring data while being transmitted between any Control Centers. This requirement excludes oral communications. Responsible Entities shall document:

  • security protection used to mitigate the risk of unauthorized disclosure or modification of Real-time Assessment and Real-time monitoring data while being transmitted between Control Centers;

  • where the Responsible Entity applied security protection for transmitting Real-time Assessment and Real-time monitoring data between Control Centers;

  • The responsibilities of each Responsible Entity for applying security protection to the transmission of Real-time Assessment and Real-time monitoring data between Control Centers that are owned or operated by different Responsible Entities.”

2) NERC has issued for comment the definition for Control Center during the third draft of CIP-012-1. The definition of terms late in the drafting/balloting process of a Standard is not the right time to consider a definition change as this may impact the Standard being considered during the late rounds of balloting. The NSRF recommends that defined terms be offered up in the early stages of drafting and balloting of Standards.

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 6/14/2017

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 4/25/2018

- 0 - 0

The requirement as written does not provide a clear threshold on the type of Control Centers that should be in scope for this standard, i.e., does this requirement apply to high/medium impact BES Cyber Systems, or does it also apply to low impact BES Cyber Systems? Please clarify. Please also consider how to incorporate the scoping criteria into the CIP-002 standard.

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 1, 3, 4, 5

- 0 - 0

City Light supports SRP comments.

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

Faz Kasraie, On Behalf of: Seattle City Light, WECC, Segments 5

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 4/27/2018

- 0 - 0

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

- 0 - 0

See MRO NSRF comments.

- 0 - 0

CSU agrees the data should be protected. CSU also agrees the protections for the data in scope must ensure the data has not been modified, and that FERC directed NERC to “specify how the confidentiality, integrity, and availability of each type of bulk electric system data should be protected while it is being transmitted.” However, CSU takes exception to the extent the proposed standard requires the data in scope to be protected. FERC Order 822 states on page 36, “…we recognize that not all communication network components and data pose the same risk to bulk electric system reliability and may not require the same level of protection.” However, the proposed standard applies the same criteria of protection against unauthorized disclosure across all of the data within the defined scope. CSU does not agree viewing of the Real-time Assessment and Real-time monitoring and control data without context will decrease the reliable operation of the BES and asserts confidentiality does not need to be protected for all data under this scope. Along with this, CSU would like a clarification of how the SDT defines Real-Time Assessment Data.

Additionally, CSU recognizes the SDT is not specifying the controls used to protect confidentiality and integrity. However, the only method available to achieve the proposed required objective is to implement encryption. FERC Order 822 states on page 39, “it is reasonable to conclude that any lag in communication speed resulting from implementation of protections [encryption technologies] should only be measurable on the order of milliseconds and, therefore, will not adversely impact Control Center communications,” but CSU asserts this statement only refers to a single data stream. It is unknown what encryption will do when dealing with multiple data streams being transmitted at once, from one to many points, not only to the latency added for the reliable operation of the BES, but also to the computing resources.

Colorado Springs Utilities, Segment(s) 5, 3, 1, 6, 10/26/2017

- 0 - 0

While we support the changes to the standard, we are concerned that there may be unintended consequences if the Control Center definition is approved as proposed and urge the SDT to proceed with caution.

Thomas Breene, WEC Energy Group, Inc., 3, 4/27/2018

- 0 - 0

Adrian Andreoiu, On Behalf of: BC Hydro and Power Authority, WECC, Segments 1, 3, 5

- 0 - 0

This standard is unnecessary. IRO-010 and TOP-003 already require a mutually agreeable security protocol.

Marty Hostler, Northern California Power Agency, 4, 4/27/2018

- 0 - 0

While Duke Energy has no immediate concerns regarding the scope of R1, we do have concerns regarding the proposed definition of Control Center which is included in this project. We have submitted our comments on the proposed definition separately, and will not repeat them here. However, the definition of Control Center is directly related to the overall scope of CIP-012, and if we have some clarifying concerns with the definition, those same concerns are inherent to the proposed CIP-012. We suggest the drafting team consider the procedural effects of balloting these two related items separately, when they are so directly related.

Duke Energy, Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Douglas Johnson, 4/30/2018

- 0 - 0

David Gordon, 4/30/2018

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

We support the MRO NSRF comments and add these. One, until the definition of Control Center is set, we will vote no due to uncertain scope for this requirement. Two, "security protection used to mitigate risk" is too ambiguous for an enforceable standard. We respect the SDT's challenge in writing language that is not overly prescriptive but yet enforceable.  However, we respectfully request SDT to consider including two concepts in R1. First concept is to include clarity on currently in place ICCP. The Requirement states "while being transmitted between any Control Centers." The draft Implementation Guidance has content talking about "both ends of the link" but doesn't enlighten on what the expectations are for the data while on the link. We are concerned with latency (primarily for generation control) if secure encryption is expected over the ICCP. Also, it is our understanding the secure ICCP may not be widely implemented. Second concept is to include examples that include but are not limiting for security protection.      

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 4/30/2018

- 1 - 0

Please see the attached file for Arizona Public Service Co.'s comments to Question 1. 

Vivian Moser, 4/30/2018

CIP-012-1_Draft 3_AZPS Comments-Question 1.docx

- 0 - 0

Daniel Gacek, Exelon, 1, 4/30/2018

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 4/30/2018

- 0 - 0

AECI supports comments provided by NRECA

AECI, Segment(s) 1, 3, 6, 5, 4/30/2018

- 0 - 0

Given this ballot is concurrently open with the Control Center definition revision, NV Energy cannot vote affirmative for this iteration of CIP-012-1, until there is further clarity in the Control Center definition, or the definition is approved. Additionally, NV Energy has concerns with the implementation of security protections associated with its multiple ICCP links. The reference documentation of the proposed Standard assumes an “ease” for installation of “secure ICCP”, but previous regional studies of such protections have proven unfeasible and costly.

Kevin Salsbury, On Behalf of: Berkshire Hathaway - NV Energy, , Segments 5

- 0 - 0

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

The requirement as written does not provide a clear threshold on the type of Control Centers that should be in scope for this standard, i.e., does this requirement apply to high/medium impact BES Cyber Systems, or does it also apply to low impact BES Cyber Systems? Please clarify. Please also consider how to incorporate the scoping criteria into the CIP-002 standard.

James Anderson, 4/30/2018

- 0 - 0

The statement for Real-time monitoring does not include control data here. Again, for clarification and consistency, is control going to be removed from all the references within CIP-012, or added to all references of Real-time monitoring requirements?

Ellen Oswald, 4/30/2018

- 0 - 0

FMPA agrees with the following comments from Lakeland Electric:

Real-time Assessments lists a number of specific inputs that should be considered for both “Real-time Assessment (RTA) and Real-time monitoring (RTm) data.”  There may be an overly stringent audit approach taken that would require consideration of both RTA AND RTm data for proof that an entity provided adequate protections.  If there is a distinction between data used for the RTA and data used for RTm,  please provide clarification of the expectation.  We recommend consideration of the use of the inputs in the RTA NERC term with a caveat that Entities may choose to protect additional data if they feel the need to expand the scope. 

From the RTA definition:  The assessment shall reflect applicable inputs including, but not limited to: load, generation output levels, known Protection System and Special Protection System status or degradation, Transmission outages, generator outages, Interchange, Facility Ratings, and identified phase angle and equipment limitations.

While we recognize that TOP/GOP are doing monitoring of their own systems, the Functional Model does not include the term monitoring in the list of the functions they are performing in real-time.  The TOP/GOP functions include “providing real time operational information” or “real time operating information” to the BA/RC. 

The term “any Control Centers” may be overly broad as it seems more reasonable for the standards to apply to High and Medium Impact Control Centers. It seems more likely that the Control Centers that meet the low impact rating for CIP-002 Attachment 1 Criteria for Low Impact found in section 3 would be transmitting information via the ICCP network. The RC should be required to plan for the encryption of that data on behalf of the Entities under their direction/control. I believe that some of the “Low Impact Control Centers” may not be required to have a backup control center, especially if they are operating out of a control house at a substation or control room at a generating plant.

Also, the VRF/VSL still contains language related to CIP Exceptional Circumstances which was part of R2 which was struck from the standard.

FMPA, Segment(s) , 10/23/2017

- 0 - 0

While Tri-State agrees with the language of Requirement R1, we are concerned that there could be a possible violation if logical protections (encryption) were to temporarily fail. Is that the intent of the SDT? The removal of the CIP Exceptional Circumstance that was in R2 no longer provides the exception from potential noncompliance if either entity's protections fail due to a catastrophic event. Tri-State would like for the CIP Exceptional Circumstance exclusion to be added back to the standard.

Additionally, if we use encryption as our primary method to meet this requirement and it fails, can we rely solely on physical protections identified and documented in our plans as a backup protection method to satisfy the intent of the standard?

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

Nicolas Turcotte, Hydro-Québec TransEnergie, 1, 4/30/2018

- 0 - 0

This standard is unnecessary. IRO-010 and TOP-003 already require a mutually agreeable security protocol.

Dennis Sismaet, Northern California Power Agency, 6, 4/30/2018

- 0 - 0

- 0 - 0

Teresa Krabe, On Behalf of: Lower Colorado River Authority, , Segments 1, 5

- 0 - 0

CenterPoint Energy Houston Electric, LLC (“CenterPoint Energy”) does not agree with the revision and suggests adding the phrase “except under CIP Exceptional Circumstances” to the first sentence to be consistent with the earlier version.   CenterPoint Energy recommends changing the first sentence to:

“The Responsible Entity shall implement one or more documented plan(s) to mitigate the risk of unauthorized disclosure or modification of Real-time Assessment and Real-time monitoring data while being transmitted between any Control Centers, except under CIP Exceptional Circumstances.”

Eli Rivera, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Russell Noble, Cowlitz County PUD, 3, 4/30/2018

- 0 - 0

There is concern about the overlap between CIP-012 and TOP-003-3/IRO-010-2. These Standards dictate what generators must comply with from our RC, BA, and TOP in the way of data communication. As a generator, we must comply with our TOP-003 and IRO-010 instructions for data communication. Should these standards be combined? Will the RC, BA, and TOP take responsibility to ensure security of the data being transmitted on their equipment that we are required to use? In the current language, there is a lack of ownership responsibility. For 1.3, the RC, BA, and TOP (as the authorizing entities that own the equipment and instruct generators on how to comply for IRO-010 and TOP-003) should be responsible for identifying not only their RC, BA, and TOP responsibilities, but the Generator Operator’s responsibilities as well.

Heather Morgan, EDP Renewables North America LLC, 5, 4/30/2018

- 0 - 0

No Comment

John Merrell, Tacoma Public Utilities (Tacoma, WA), 1, 4/30/2018

- 0 - 0

PacifiCorp supports MEC’s comments and adds the following: In November 2005, it was decided that all Reliability Transmission Controllers (RTCs, now called RCs) would need to have Secure ICCP implemented by October 2006, and that all connecting utilities would need to have Secure ICCP by October 2008.

Encryption between routers was discussed, but some utilities managed their own edge routers and others were managed by AT&T; therefore, coordination between entities could not be secured. Eventually Secure ICCP was removed from the Data Exchange/EMS Work Group (DEMSWG) agendas. There is no awareness of any WECC utilities which are making use of Secure ICCP today, and only a limited number of utilities have the capability.

The WECC Data Exchange/EMS Work Group (DEMSWG) worked with vendors to perform inter-operability testing and also train utilities in how to obtain and install certificates. This effort is referenced in comments for item 3 below.

Please provide additional clarity where ICCP is used for Real-time Assessment and Real-time monitoring data being transmitted between any Control Centers owned or operated by different Responsible Entities. (Please note the distinction between ICCP and Secure ICCP used above.)

Sandra Shaffer, 4/30/2018

- 0 - 0

no comment

Jack Cashin, American Public Power Association, 4, 4/30/2018

- 0 - 0

Texas RE appreciates the SDT’s efforts to develop a workable data security standard. In particular, Texas RE believes that the SDT’s various revisions have substantially improved the proposed CIP-012-1 Standard from the initial version. Despite these improvements, Texas RE remains concerned that the proposed Standard, as currently drafted, is not sufficiently clear that in identifying both the security protections used to mitigate the risk of unauthorized disclosures and the locations where the Responsible Entities applied such protections, Responsible Entities will need to protect both data throughout the transmission process, as well as communications links. That is, Texas RE continues to believe that FERC Order No. 822 contemplated both physical protection of communications links and additional protections for data to ensure there is adequate “security protection used to mitigate the risk of unauthorized disclosure or modification” of data while being transmitted between Control Centers. As such, Texas RE recommends inserting the phrase “including protections for communications links and data” into the proposed CIP-012-1 R1.1 so that it reads “[i]dentification of security protection, including protections for communications links and data, used to mitigate the risk of unauthorized disclosure or modification of Real-time Assessment and Real-time monitoring data while being transmitted between Control Centers.”

Texas RE continues to be concerned that Operations Planning Analysis (OPA) data is not included in CIP-012-1. Texas RE noticed the Violation Time Horizon is for Operations Planning. Since the SDT has indicated reasons for excluding OPA data, should the relevant Violation Time Horizon be Real-time Operation?

Rachel Coyne, Texas Reliability Entity, Inc., 10, 4/30/2018

- 0 - 0

We support the MRO NSRF comments and add these. One, until the definition of Control Center is set, we will vote no due to uncertain scope for this requirement. Two, "security protection used to mitigate risk" is too ambiguous for an enforceable standard. We respect the SDT's challenge in writing language that is not overly prescriptive but yet enforceable.  However, we respectfully request SDT to consider including two concepts in R1. First concept is to include clarity on currently in place ICCP. The Requirement states "while being transmitted between any Control Centers." The draft Implementation Guidance has content talking about "both ends of the link" but doesn't enlighten on what the expectations are for the data while on the link. We are concerned with latency (primarily for generation control) if secure encryption is expected over the ICCP. Also, it is our understanding the secure ICCP may not be widely implemented. Second concept is to include examples that include but are not limiting for security protection.

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 4/30/2018

- 0 - 0

Yes, with comments.  Some of Southern Company’s partner utilities do not currently use a VPN for their data connections – this will require Southern to engage in discussions and potentially renegotiate contract terms regarding these connections.  We recognize that other utilities will be held to the same standard and, therefore, will be motivated to work toward maintaining compliance.  We recognize this as something we will need to spend time to address.    

Southern Company, Segment(s) 1, 3, 5, 6, 10/30/2017

- 0 - 0

The SDT team has done a good job of responding to industry comments regarding CIP-012.

Does an entity need to draft a new plan to mitigate these areas of concerns:

- security protection used to mitigate the risk of unauthorized disclosure or modification of Real-time Assessment and Real-time monitoring data while being transmitted between Control Centers;

- where the Responsible Entity applied security protection for transmitting Real-time Assessment and Real-time monitoring data between Control Centers;

- The responsibilities of each Responsible Entity for applying security protection to the transmission of Real-time Assessment and Real-time monitoring data between Control Centers that are owned or operated by different Responsible Entities.

Does not the current set of standards address those additional vulnerabilities in the entity’s IT Security Plan? That current plan should be updated to include these additional risks, threats and integrated solution(s) that are already performed by the entity.

Warren Cross, On Behalf of: ACES Power Marketing, MRO, WECC, Texas RE, SERC, SPP RE, RF, Segments 1, 3, 4, 5

- 0 - 0

Reclamation disagrees that having a plan adds to the reliability of protecting data used for Real-time Assessment and Real-time monitoring. A plan is an unwarranted layer of compliance that is not needed. Reclamation recommends replacing the term “plan” with “process” and rewriting R1 and its parts as follows:

  • R1. Each Responsible Entity shall implement one or more documented processes to mitigate the risk of unauthorized disclosure or modification of BES Data being transmitted between any Control Centers. This requirement excludes oral and non-electronic communications.

    • R1.1. Identify the security protection used to mitigate the risk of unauthorized disclosure of BES Data being transmitted between Control Centers;

    • R1.2. Identify where the Responsible Entity applied security protection for transmitting BES Data between Control Centers; and

    • R1.3. Identify the responsibilities of each Responsible Entity whose Control Center(s) are involved in the transmission of BES Data.

Reclamation also recommends adding the following definition to the NERC Glossary of Terms:

  • BES Data: BES reliability operating services information affecting Operational Planning Analysis, Real-time Assessments, and Real-time monitoring.

Wendy Center, U.S. Bureau of Reclamation, 5, 4/30/2018

- 0 - 0

RSC no Dominion, NextEra and HQ, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 4/30/2018

- 0 - 0

Comments: The deletion of R2 removed the exemption for “except under CIP Exceptional Circumstances," however the CIP Exceptional Circumstances language still exists in the VSL/VRF tables. The CIP Exceptional Circumstance language should be explicitly added to the R1 requirement to align with the VSL/VRF, and clearly indicate the intent of the requirement.

Jamie Prater, 4/30/2018

- 0 - 0

David Ramkalawan, 4/30/2018

- 0 - 0

Patricia Lynch, On Behalf of: Patricia Lynch, , Segments 5, 6

- 0 - 0

PNM agrees with FMPA's comment which stated “... the VRF/VSL still contains language related to CIP Exceptional Circumstances which was part of R2 which was struck from the standard.” 

Lynn Goldstein, 4/30/2018

- 0 - 0

PNM agrees with FMPA's comment which stated “... the VRF/VSL still contains language related to CIP Exceptional Circumstances which was part of R2 which was struck from the standard."

Laurie Williams, 4/30/2018

- 0 - 0

SPP Standards Review Group, Segment(s) , 4/30/2018

- 0 - 0

Hot Answers

Brandon Gleason, Electric Reliability Council of Texas, Inc., 2, 4/30/2018

- 0 - 0

Overall, SRP does not agree with twenty-four (24) calendar months for the implementation of Requirement R1, as R1 and R2 from the second draft have been merged. Although SRP recognizes the SDT is not specifying the controls to be used to protect confidentiality and integrity, the only examples provided in the implementation guidance include encryption. If there are other methods available to achieve the security objective, SRP asks the SDT to provide them. However, the only method available to achieve the proposed required objective, on the ICCP network, is to implement encryption. As FERC Order 822 states on page 37, “if several registered entities have joint responsibility for a cryptographic key management system used between their respective Control Centers, they should have the prerogative to come to a consensus on which organization administers that particular key management system.” Furthermore, the FERC order states on page 38, “While responsible entities are required to exchange real-time and operational planning data necessary to operate the bulk electric system using mutually agreeable security protocols, there is no technical specification for how this transfer of information should incorporate mandatory security controls.” These are activities and specifications that must be created and agreed upon by all registered entities involved in the data transfer. As such, the timeline is reliant on registered entities working together on a common solution and would not be achievable within 24 calendar months.

Additionally, if encryption fails, SRP would lose Real-time Assessment and Real-time monitoring and control data. There are many opportunities for encryption to fail that must be addressed. The implementation of encryption requires a pilot to truly understand and address the mechanisms of failure, the impacts encryption would cause on the exchange of the data, and the computing resources required. A pilot also requires a great amount of coordination to execute, not only within the industry, but may also include carriers, vendors, and possibly third-party encryption key program managers.

Because of the aforementioned reasons and concerns, SRP is recommending a phased implementation for CIP-012-1. A 24 month implementation is appropriate, but only for Requirement R1. The 24 months for R1 would provide time to coordinate and create an industry-wide solution. SRP is proposing the SDT include an additional 12 months for the plan implementation aspect of Requirement R1. The additional 12 months would be used for a pilot and course correction if needed, in addition to understanding, formulating, and executing maintenance strategies.

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

- 0 - 0

Nicholas Lauriat, On Behalf of: Network and Security Technologies, , Segments 1

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 4/23/2018

- 0 - 0

Aaron Austin, 4/23/2018

- 0 - 0

24 months allows the Responsible Entity sufficient time to both develop and successfully implement the plan.  This would include coordination with neighboring entities and potentially adding new controls to the communication links.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 6/14/2017

- 0 - 0

WECC has heard concerns voiced that a 24 calendar month implementation plan is not enough time to implement the technical solution; however, an alternative time frame has not been suggested.

Steven Rueckert, Western Electricity Coordinating Council, 10, 4/25/2018

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 1, 3, 4, 5

- 0 - 0

City Light supports SRP comments.

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

Faz Kasraie, On Behalf of: Seattle City Light, WECC, Segments 5

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 4/27/2018

- 0 - 0

BPA appreciates the increase to 24 months but recommends 36 months due to BPA’s large amount of applicable data, access to funds and budget cycle, and resources to perform work required.

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

- 0 - 0

See MRO NSRF comments.

- 0 - 0

CSU does not agree with twenty-four (24) calendar months for the implementation of Requirement R1, as R1 and R2 from the second draft have been merged. Although CSU recognizes the SDT is not specifying the controls to be used to protect confidentiality and integrity, the only examples provided in the implementation guidance include encryption. If there are other methods available to achieve the security objective, SRP asks the SDT to provide them. However, the only method available to achieve the proposed required objective, on the ICCP network, is to implement encryption. As FERC Order 822 states on page 37, “if several registered entities have joint responsibility for a cryptographic key management system used between their respective Control Centers, they should have the prerogative to come to a consensus on which organization administers that particular key management system.” Furthermore, the FERC order states on page 38, “While responsible entities are required to exchange real-time and operational planning data necessary to operate the bulk electric system using mutually agreeable security protocols, there is no technical specification for how this transfer of information should incorporate mandatory security controls.” These are activities and specifications that must be created and agreed upon by all registered entities involved in the data transfer. As such, the timeline is reliant on registered entities working together on a common solution and would not be achievable within 24 calendar months.

Additionally, if encryption fails, CSU would lose Real-time Assessment and Real-time monitoring and control data. There are many opportunities for encryption to fail that must be addressed. The implementation of encryption requires a pilot to truly understand and address the mechanisms of failure, the impacts encryption would cause on the exchange of the data, and the computing resources required. A pilot also requires a great amount of coordination to execute, not only within the industry, but may also include carriers, vendors, and possibly third-party encryption key program managers.

Because of the aforementioned reasons and concerns, CSU is recommending a phased implementation for CIP-012-1. A 24 month implementation is appropriate, but only for Requirement R1. The 24 months for R1 would provide time to coordinate and create an industry-wide solution. CSU is proposing the SDT include an additional 12 months for the plan implementation aspect of Requirement R1. The additional 12 months would be used for a pilot and course correction if needed, in addition to understanding, formulating, and executing maintenance strategies.

Colorado Springs Utilities, Segment(s) 5, 3, 1, 6, 10/26/2017

- 0 - 0

Thomas Breene, WEC Energy Group, Inc., 3, 4/27/2018

- 0 - 0

Adrian Andreoiu, On Behalf of: BC Hydro and Power Authority, WECC, Segments 1, 3, 5

- 0 - 0

See Response to Question 1.

Marty Hostler, Northern California Power Agency, 4, 4/27/2018

- 0 - 0

Duke Energy suggests a staggered implementation plan for CIP-012, specifically concerning coordination with neighboring entities. We consider it possible for an entity to gather necessary data, convene internal work groups, and draft security protection plans in the proposed 24 month Implementation Plan. However, we feel that the coordination with other entities that will be necessary for R1.3 will take longer than the proposed 24 months, especially with internal work already taking place. We recommend the drafting team consider a staggered implementation plan for internal work (18 months) compared to external coordination work (36 months). We feel that this amount of time is necessary to implement all aspects of the proposed standard.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Douglas Johnson, 4/30/2018

- 0 - 0

David Gordon, 4/30/2018

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Until the security protections scope is clearer and the definition of Control Center is final, it is not possible to determine if 24 months is adequate.

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 4/30/2018

- 0 - 0

Vivian Moser, 4/30/2018

- 0 - 0

24 months should be the minimum implementation time used, no shorter.

Daniel Gacek, Exelon, 1, 4/30/2018

- 0 - 0

The proposed standard and implementation plan are silent on physical security for the equipment being used to provide the data protection. For example, protection for a router that is located in another Entity’s facility.

Brian Evans-Mongeon, Utility Services, Inc., 4, 4/30/2018

- 0 - 0

AECI supports comments provided by NRECA.

AECI, Segment(s) 1, 3, 6, 5, 4/30/2018

- 0 - 0

Without further clarity involving security protections of the data (i.e. ICCP protections) NV Energy is unable to determine if the 24 calendar months is sufficient.

Kevin Salsbury, On Behalf of: Berkshire Hathaway - NV Energy, , Segments 5

- 0 - 0

Due to the time and cost of acquiring and implementing needed technological solutions and the coordination that will be required between Responsible Entities, a 24 month implementation period would be the minimal amount of time needed to properly implement the proposed Requirements.

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

James Anderson, 4/30/2018

- 0 - 0

Concerns about the contracts with third parties for carriers used between applicable control centers. If they are dedicated or shared circuits based on the implementation guidance document, this should not be an issue until it is actually put into practical use.

Ellen Oswald, 4/30/2018

- 0 - 0

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Tri-State anticipates implementation of CIP-012 could be extremely burdensome and would recommend increasing the implementation period to 36 months. Depending on the number of connections to other entities, the negotiation process could take some significant resources and time. 

Tri-State suggests the SDT send a survey to industry requesting feedback to gauge the number of connections to other entities industry has and the amount of time entities expect they will need to implement CIP-012.

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

Recommend 36 months for 1) review, 2) developing new contracts, 3) budgetary cycles, and 4) implementation cycles (planned outages, etc.).

Nicolas Turcotte, Hydro-Québec TransEnergie, 1, 4/30/2018

- 0 - 0

See Response to Question 1.

Dennis Sismaet, Northern California Power Agency, 6, 4/30/2018

- 0 - 0

- 0 - 0

Teresa Krabe, On Behalf of: Lower Colorado River Authority, , Segments 1, 5

- 0 - 0

Eli Rivera, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Cowlitz PUD supports the comments submitted by the Bonneville Power Administration.

Russell Noble, Cowlitz County PUD, 3, 4/30/2018

- 0 - 0

Heather Morgan, EDP Renewables North America LLC, 5, 4/30/2018

- 0 - 0

Tacoma Power supports comments provided by APPA.

John Merrell, Tacoma Public Utilities (Tacoma, WA), 1, 4/30/2018

- 0 - 0

PacifiCorp supports MEC’s comments and adds the following: Until the definition of Control Center is final and clarity is added where ICCP is used for Real-time Assessment and Real-time monitoring data being transmitted between any Control Centers owned or operated by different Responsible Entities, it is not possible to determine if 24 months is adequate. (Please note the distinction between ICCP and Secure ICCP used in question 2 above.)

Sandra Shaffer, 4/30/2018

- 0 - 0

The proposed standard and implementation plan are silent on physical security for the equipment being used to provide the data protection. For example, physical security protection for a router located in another Entity’s facility. Troubleshooting such issues could affect the implementation schedule.

Jack Cashin, American Public Power Association, 4, 4/30/2018

- 0 - 0

Rachel Coyne, Texas Reliability Entity, Inc., 10, 4/30/2018

- 0 - 0

Until the security protections scope is clearer and the definition of Control Center is final, it is not possible to determine if 24 months is adequate.

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 4/30/2018

- 0 - 0

Yes, without additional comment.

Southern Company, Segment(s) 1, 3, 5, 6, 10/30/2017

- 0 - 0

No comment.

Warren Cross, On Behalf of: ACES Power Marketing, MRO, WECC, Texas RE, SERC, SPP RE, RF, Segments 1, 3, 4, 5

- 0 - 0

Reclamation supports a 24-month implementation period.

Wendy Center, U.S. Bureau of Reclamation, 5, 4/30/2018

- 0 - 0

RSC no Dominion, NextEra and HQ, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 4/30/2018

- 0 - 0

Jamie Prater, 4/30/2018

- 0 - 0

David Ramkalawan, 4/30/2018

- 0 - 0

Patricia Lynch, On Behalf of: Patricia Lynch, , Segments 5, 6

- 0 - 0

Lynn Goldstein, 4/30/2018

- 0 - 0

Laurie Williams, 4/30/2018

- 0 - 0

SPP Standards Review Group, Segment(s) , 4/30/2018

- 0 - 0

Hot Answers

When addressing the security protections, the rationale should include that logical and physical controls can be used. This should include the team’s rationale for allowing these alternatives.

Brandon Gleason, Electric Reliability Council of Texas, Inc., 2, 4/30/2018

- 0 - 0

SRP agrees with the Technical Rationale and Justification for CIP-012 provided by the SDT. However, SRP continues to maintain that an additional 12 months be considered for the plan implementation aspect of Requirement R1. PDF page 6, paragraph 3 of the section titled Identification of Where Security Protection is Applied by the Responsible Entity states "The SDT understands that in data exchanges between Control Centers, a single entity may not be responsible for both ends of the communication link." With the intent of the standard being to secure communications between Control Centers (including communication between two separate entities’ Control Centers), this will call for inter-entity cooperation to ensure both sides of the link are secure. This is where the additional 12 months would be necessary, for coordination of efforts from both entities.

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

- 0 - 0

Nicholas Lauriat, On Behalf of: Network and Security Technologies, , Segments 1

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 4/23/2018

- 0 - 0

AEP requests the SDT consider including some statements in Technical Rationale to address the possibility that data requests made related to TOP-003 and/or IRO-010 include other data that is not Real-time Assessment data or Real-time monitoring data and how the Responsible Entity could exclude this other data from the security requirements.

Aaron Austin, 4/23/2018

- 0 - 0

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

See the NSRF comments provided in the Implementation Guidance section.

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 6/14/2017

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 4/25/2018

- 0 - 0

To be consistent with other CIP standards, please combine the Technical Rationale and Justification document with the Implementation Guidance document and then incorporate the new document into the draft standard. Please clarify that CIP-012 is a standalone standard that is not associated with all the other CIP standards.

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 1, 3, 4, 5

- 0 - 0

City Light supports SRP comments.

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

Faz Kasraie, On Behalf of: Seattle City Light, WECC, Segments 5

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 4/27/2018

- 0 - 0

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

- 0 - 0

See MRO NSRF comments.

- 0 - 0

CSU agrees with the Technical Rationale and Justification for CIP-012 provided by the SDT. However, CSU continues to maintain that an additional 12 months be considered for the plan implementation aspect of Requirement R1. PDF page 6, paragraph 3 of the section titled Identification of Where Security Protection is Applied by the Responsible Entity states "The SDT understands that in data exchanges between Control Centers, a single entity may not be responsible for both ends of the communication link." With the intent of the standard being to secure communications between Control Centers (including communication between two separate entities’ Control Centers), this will call for inter-entity cooperation to ensure both sides of the link are secure. This is where the additional 12 months would be necessary, for coordination of efforts from both entities.

Colorado Springs Utilities, Segment(s) 5, 3, 1, 6, 10/26/2017

- 0 - 0

Thomas Breene, WEC Energy Group, Inc., 3, 4/27/2018

- 0 - 0

Adrian Andreoiu, On Behalf of: BC Hydro and Power Authority, WECC, Segments 1, 3, 5

- 0 - 0

See Response to Question 1.

Marty Hostler, Northern California Power Agency, 4, 4/27/2018

- 0 - 0

Duke Energy suggests a clarifying addition to the diagram on page 3 (Control Centers in Scope) of the Technical Rationale and Justification document, in order to make the diagram align more closely with the statement made on page 8 of the Implementation Guidance, which states:

“Entity Alpha does not need to consider any communications to other non-Control Center facilities such as generating plants or substations. These communications are out of scope for CIP-012-1.”

The statement above indicates that communications from a Control Center to a non-Control Center (generation or sub) are out of scope. We suggest that a dotted line be added to the diagram on page 3 (Control Centers in Scope) of the Technical Rationale and Justification document to show that communications from a GOP Control Center to a GOP Control Room should be considered out of scope. It is possible that a scenario could exist where GOP Control Centers pass information through a GOP Control Room out to Field Assets.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Douglas Johnson, 4/30/2018

- 0 - 0

David Gordon, 4/30/2018

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

We support MRO NSRF comments.

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 4/30/2018

- 0 - 0

Vivian Moser, 4/30/2018

- 0 - 0

Daniel Gacek, Exelon, 1, 4/30/2018

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 4/30/2018

- 0 - 0

AECI supports comments provided by NRECA.

AECI, Segment(s) 1, 3, 6, 5, 4/30/2018

- 0 - 0

NV Energy does believe the need for this Standard is necessary, and the Rationale and Justification document provides a sufficient amount of information for the need and protections to consider. The document’s focus is not to provide detailed implementation methods, but just to provide the “why” for the Standard and its Requirement.

Kevin Salsbury, On Behalf of: Berkshire Hathaway - NV Energy, , Segments 5

- 0 - 0

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

To be consistent with other CIP standards, please combine the Technical Rationale and Justification document with the Implementation Guidance document and then incorporate the new document into the draft standard. Please clarify that CIP-012 is a standalone standard that is not associated with all the other CIP standards.

James Anderson, 4/30/2018

- 0 - 0

By adding control to the statement "Real-time monitoring" from TOP-003 and IRO-010, won't this set an expectation that control data will be part of those standards by default? The implementation guidance for CIP-012-1, in the identification of security protection section, has taken out the wording of control, so the documents providing guidance have contradictions on the Real-time monitoring of data. Recommendation that if control is to be part of "Real-time monitoring" then make the modifications across the board, including in the Glossary. The way it is right now adds to the misunderstanding and different interpretation that an entity could have in trying to create an implementation plan.

Ellen Oswald, 4/30/2018

- 0 - 0

FMPA agrees with the following comments from Lakeland Electric:

NERC SDTs need to start revising language related to the number of regions with the removal of the SPP RE (p. 3). 

General Considerations for Requirement R1:  document should be documented plan

Alignment with IRO and TOP standards: last sentence “Real-time Monitoring”, the M should not be capitalized as it is not a NERC defined term.

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

Nicolas Turcotte, Hydro-Québec TransEnergie, 1, 4/30/2018

- 0 - 0

See Response to Question 1.

Dennis Sismaet, Northern California Power Agency, 6, 4/30/2018

- 0 - 0

- 0 - 0

Teresa Krabe, On Behalf of: Lower Colorado River Authority, , Segments 1, 5

- 0 - 0

Eli Rivera, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Russell Noble, Cowlitz County PUD, 3, 4/30/2018

- 0 - 0

Heather Morgan, EDP Renewables North America LLC, 5, 4/30/2018

- 0 - 0

No Comment

John Merrell, Tacoma Public Utilities (Tacoma, WA), 1, 4/30/2018

- 0 - 0

PacifiCorp supports MEC’s comments and adds the following: With reference to the Technical Rationale “Control Center Ownership”, the WECC Data Exchange/EMS Work Group (DEMSWG) worked with vendors to perform interoperability testing and also to train utilities in how to obtain and install certificates. Initially, companies could not implement Secure ICCP on a UNIX server because the implementation required a SISCO stack and an Intel Windows-based server. Obtaining a new certificate would require 10 days, and the certificate would expire in 1 year. This certificate expiration presented a problem of renewal in a timely manner, and because of this many utilities wanted expiration periods from 3 to 15 years. There was concern, if a certificate expired during the night or weekend, as to what would happen to the data transfer. Eventually the inability to guarantee a valid certificate at all times doomed the implementation of Secure ICCP.

Sandra Shaffer, 4/30/2018

- 0 - 0

Jack Cashin, American Public Power Association, 4, 4/30/2018

- 0 - 0

Texas RE is concerned BCAs and EACMs used for CIP-012-1 may be considered out of scope for the rest of the CIP Reliability Standards based on a statement on Page 6: “The SDT also recognizes that CIP-012 security protection may be applied to a Cyber Asset that is not an identified BES Cyber Asset or EACMS. The identification of the Cyber Asset as the location where security protection is applied does not expand the scope of Cyber Assets identified as applicable under the CIP Cyber Security Standards CIP-002 through CIP-011.”

 

There appears to be a typo in the footer as it shows Reliability Standard CIP-002-1, instead of CIP-012-1.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 4/30/2018

- 0 - 0

We support MRO NSRF comments.

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 4/30/2018

- 0 - 0

Yes, without additional comment.

Southern Company, Segment(s) 1, 3, 5, 6, 10/30/2017

- 0 - 0

No comment.

Warren Cross, On Behalf of: ACES Power Marketing, MRO, WECC, Texas RE, SERC, SPP RE, RF, Segments 1, 3, 4, 5

- 0 - 0

Reclamation recommends the changes proposed in the response to Question 1 be implemented in the Technical Rationale for consistency.

Reclamation also recommends correcting the grammar in “General Considerations for Requirement R1”

from: “Requirement R1 focuses on implemented a document plan…”

to: “Requirement R1 focuses on implementing a documented process…”

Wendy Center, U.S. Bureau of Reclamation, 5, 4/30/2018

- 0 - 0

Recommend removing the diagram because it does not represent enough examples. We believe the scope is understandable without the diagram.

RSC no Dominion, NextEra and HQ, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 4/30/2018

- 0 - 0

Jamie Prater, 4/30/2018

- 0 - 0

David Ramkalawan, 4/30/2018

- 0 - 0

Patricia Lynch, On Behalf of: Patricia Lynch, , Segments 5, 6

- 0 - 0

Lynn Goldstein, 4/30/2018

- 0 - 0

Laurie Williams, 4/30/2018

- 0 - 0

The SPP Standards Review Group suggests revising language in the General Considerations for Requirement R1 to read as follows:

Requirement R1 focuses on implementing a documented plan to protect information that is critical to the Real-time operations of the Bulk Electric System while in transit between applicable Control Centers.

SPP Standards Review Group, Segment(s) , 4/30/2018

- 0 - 0

Hot Answers

When addressing the security protections that can be used in meeting CIP-012, examples of physical protection should be included in guidance. This should include details on how they can be used to address various parts of the communication between Control Centers.

Brandon Gleason, Electric Reliability Council of Texas, Inc., 2, 4/30/2018

- 0 - 0

Overall, SRP does not agree with twenty-four (24) calendar months for the implementation of Requirement R1, as R1 and R2 from the second draft have been merged. Although SRP recognizes the SDT is not specifying the controls to be used to protect confidentiality and integrity, the only examples provided in the implementation guidance include encryption. If there are other methods available to achieve the security objective, SRP asks the SDT to provide them. However, the only method available to achieve the proposed required objective, on the ICCP network, is to implement encryption. As FERC Order 822 states on page 37, “if several registered entities have joint responsibility for a cryptographic key management system used between their respective Control Centers, they should have the prerogative to come to a consensus on which organization administers that particular key management system.” Furthermore, the FERC order states on page 38, “While responsible entities are required to exchange real-time and operational planning data necessary to operate the bulk electric system using mutually agreeable security protocols, there is no technical specification for how this transfer of information should incorporate mandatory security controls.” These are activities and specifications that must be created and agreed upon by all registered entities involved in the data transfer. As such, the timeline is reliant on registered entities working together on a common solution and would not be achievable within 24 calendar months.

 

Additionally, if encryption fails, SRP would lose Real-time Assessment and Real-time monitoring and control data. There are many opportunities for encryption to fail that must be addressed. The implementation of encryption requires a pilot to truly understand and address the mechanisms of failure, the impacts encryption would cause on the exchange of the data, and the computing resources required. A pilot also requires a great amount of coordination to execute, not only within the industry, but may also include carriers, vendors, and possibly third-party encryption key program managers.

 

Because of the aforementioned reasons and concerns, SRP is recommending a phased implementation for CIP-012-1. A 24 month implementation is appropriate, but only for Requirement R1. The 24 months for R1 would provide time to coordinate and create an industry-wide solution. SRP is proposing the SDT include an additional 12 months for the plan implementation aspect of Requirement R1. The additional 12 months would be used for a pilot and course correction if needed, in addition to understanding, formulating, and executing maintenance strategies.

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

- 0 - 0

Nicholas Lauriat, On Behalf of: Network and Security Technologies, , Segments 1

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 4/23/2018

- 0 - 0

AEP requests the SDT consider including some statements in Implementation Guidance to address the possibility that data requests made related to TOP-003 and/or IRO-010 include other data that is not Real-time Assessment data or Real-time monitoring data and how the Responsible Entity could exclude this other data from the security requirements.

Aaron Austin, 4/23/2018

- 0 - 0

On page 5 under section “Identification of Where Security Protection is Applied by the Responsible Entity”, language should be added to address the situation where a Responsible Entity does not manage either end of a communication link, indicating that this Responsible Entity does not have compliance obligations to R1.2.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

The NSRF would like to thank the drafting team for their guidance, and especially for the Reference Model and Reference Model discussion within the Implementation Guidance document. Since the Requirement within this Standard is purposely non-prescriptive due to the various operating conditions for which security can be applied, it is important to have model applications for entities to apply the Standard to their particular operations and in a consistent manner among the industry.

 

The NSRF notes that the drafting team stated in their previous draft response that they will submit the Implementation Guidance for ERO endorsement; thank you. However, the NSRF notes that the current “Technical Rationale for Reliability Standards” initiative underway may alter how “Compliance Guidance” during the drafting/balloting process is handled. The Reference Model section of CIP-012 is a good example of providing drafting team application and intent that is essential to the understanding of a Standard. Although the preferred approach would be to have Implementation Guidance issued prior to a Standard’s effective date, we would hope that when moving forward with the “Technical Rationale for Reliability Standards Initiative”, in cases such as mentioned with CIP-012, these types of sections would be included within the Technical Rationale section or by another means for clarification of Standard application.

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 6/14/2017

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 4/25/2018

- 0 - 0

To be consistent with other CIP standards, please combine the Technical Rationale and Justification document with the Implementation Guidance document and then incorporate the new document into the draft standard. Please clarify that CIP-012 is a standalone standard that is not associated with all the other CIP standards.

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 1, 3, 4, 5

- 0 - 0

City Light supports SRP comments.

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

Faz Kasraie, On Behalf of: Seattle City Light, WECC, Segments 5

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 4/27/2018

- 0 - 0

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

- 0 - 0

See MRO NSRF comments.

- 0 - 0

Overall, CSU does not agree with twenty-four (24) calendar months for the implementation of Requirement R1, as R1 and R2 from the second draft have been merged. Although CSU recognizes the SDT is not specifying the controls to be used to protect confidentiality and integrity, the only examples provided in the implementation guidance include encryption. If there are other methods available to achieve the security objective, CSU asks the SDT to provide them. However, the only method available to achieve the proposed required objective, on the ICCP network, is to implement encryption. As FERC Order 822 states on page 37, “if several registered entities have joint responsibility for a cryptographic key management system used between their respective Control Centers, they should have the prerogative to come to a consensus on which organization administers that particular key management system.” Furthermore, the FERC order states on page 38, “While responsible entities are required to exchange real-time and operational planning data necessary to operate the bulk electric system using mutually agreeable security protocols, there is no technical specification for how this transfer of information should incorporate mandatory security controls.” These are activities and specifications that must be created and agreed upon by all registered entities involved in the data transfer. As such, the timeline is reliant on registered entities working together on a common solution and would not be achievable within 24 calendar months.

Additionally, if encryption fails, CSU would lose Real-time Assessment and Real-time monitoring and control data. There are many opportunities for encryption to fail that must be addressed. The implementation of encryption requires a pilot to truly understand and address the mechanisms of failure, the impacts encryption would cause on the exchange of the data, and the computing resources required. A pilot also requires a great amount of coordination to execute, not only within the industry, but may also include carriers, vendors, and possibly third-party encryption key program managers.

Because of the aforementioned reasons and concerns, CSU is recommending a phased implementation for CIP-012-1. A 24 month implementation is appropriate, but only for Requirement R1. The 24 months for R1 would provide time to coordinate and create an industry-wide solution. CSU is proposing the SDT include an additional 12 months for the plan implementation aspect of Requirement R1. The additional 12 months would be used for a pilot and course correction if needed, in addition to understanding, formulating, and executing maintenance strategies.

Colorado Springs Utilities, Segment(s) 5, 3, 1, 6, 10/26/2017

- 0 - 0

Thomas Breene, WEC Energy Group, Inc., 3, 4/27/2018

- 0 - 0

Adrian Andreoiu, On Behalf of: BC Hydro and Power Authority, WECC, Segments 1, 3, 5

- 0 - 0

See Response to Question 1.

Marty Hostler, Northern California Power Agency, 4, 4/27/2018

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Douglas Johnson, 4/30/2018

- 0 - 0

MMWEC supports comments submitted by NPCC.

David Gordon, 4/30/2018

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

We support MRO NSRF comments. Additionally, the Implementation Guidance doesn’t address our comments to question 1. And, the Implementation Guidance starts with “as noted in the Technical Rationale.” Does this cross-reference blur the lines between the two?

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 4/30/2018

- 0 - 0

Vivian Moser, 4/30/2018

- 0 - 0

Suggestion for the last paragraph under Identification of Where Security Protection is Applied by the Responsible Entity: split it into two separate paragraphs, one describing how to handle “when exchanging data between two entities” and another focused on “when a Responsible Entity owns and operates both Control Centers.”

Daniel Gacek, Exelon, 1, 4/30/2018

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 4/30/2018

- 0 - 0

AECI supports comments provided by NRECA.

AECI, Segment(s) 1, 3, 6, 5, 4/30/2018

- 0 - 0

NV Energy believes the document is necessary for CIP-012-1, due to its complexity. The document still requires additional clarity on protections associated with data protection on ICCP communication. The document reflects a lack of research into current technology availability, feasibility, and costs for this common type of Control Center communication.

Kevin Salsbury, On Behalf of: Berkshire Hathaway - NV Energy, , Segments 5

- 0 - 0

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

To be consistent with other CIP standards, please combine the Technical Rationale and Justification document with the Implementation Guidance document and then incorporate the new document into the draft standard. Please clarify that CIP-012 is a standalone standard that is not associated with all the other CIP standards.

James Anderson, 4/30/2018

- 0 - 0

Currently it is a good guidance document, but until an entity does an actual implementation and experiences any issues that arise from the implementation of the CIP-012 requirement, one can only assume the outcome.

Ellen Oswald, 4/30/2018

- 0 - 0

FMPA agrees with the following comments from Lakeland Electric:

The draft Implementation Guidance document provides references to TOP-003 and IRO-010 for the operating information/data that should be protected. It appears that there may be opportunities for differences in interpretation depending on what specifications are requested by the RC or the TOP per IRO-010 R1: “A list of data and information needed by the Reliability Coordinator to support its Operational Planning Analyses, Real-time monitoring, and Real-time Assessments including non-BES data and external network data, as deemed necessary by the Reliability Coordinator.” And, TOP-003 R1 1.1: “A list of data and information needed by the Transmission Operator to support its Operational Planning Analyses, Real-time monitoring, and Real-time Assessments including non-BES data and external network data as deemed necessary by the Transmission Operator.” It seems that the list of items enumerated in the NERC Glossary definition for Real-time Assessment: “The assessment shall reflect applicable inputs including, but not limited to: load, generation output levels, known Protection System and Special Protection System status or degradation, Transmission outages, generator outages, Interchange, Facility Ratings, and identified phase angle and equipment limitations” should be the starting point instead of the R1 requirements referenced in CIP-012. If an entity needed to add more, there should be some way of incorporating more, but the baseline should be the inputs listed in the RTA definition.

Does an entity that is only participating in sharing information via the ICCP network and that does not need to send data to a backup control center (i.e., a TOP operating out of a substation control house or a GOP that may operate two facilities) need to meet the same requirements as an entity with actual Control Center/Backup Control Center NERC obligations? It seems to me that the scope for the low impact Control Centers might be limited and reduced in scope.

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

Nicolas Turcotte, Hydro-Québec TransEnergie, 1, 4/30/2018

- 0 - 0

See Response to Question 1.

Dennis Sismaet, Northern California Power Agency, 6, 4/30/2018

- 0 - 0

Teresa Krabe, On Behalf of: Lower Colorado River Authority, , Segments 1, 5

- 0 - 0

Eli Rivera, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Russell Noble, Cowlitz County PUD, 3, 4/30/2018

- 0 - 0

Heather Morgan, EDP Renewables North America LLC, 5, 4/30/2018

- 0 - 0

Implementation of R1.3 will require a standardized solution/technology between entities and a hierarchy of entity responsibilities. Recommend the SDT add guidance and a requirement to identify the entity who is the controlling authority for the secure communications between two or more entities.

John Merrell, Tacoma Public Utilities (Tacoma, WA), 1, 4/30/2018

- 0 - 0

PacifiCorp supports MEC’s comments.

Sandra Shaffer, 4/30/2018

- 0 - 0

no comment

Jack Cashin, American Public Power Association, 4, 4/30/2018

- 0 - 0

Texas RE is not comfortable commenting on Implementation Guidance until the standard language is in its final form.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 4/30/2018

- 0 - 0

We support MRO NSRF comments. Additionally, The Implementation Guidance doesn’t address our comments to question 1. And, the Implementation Guidance starts with “as noted in the Technical Rationale.” Does this cross reference blur the lines between the two?

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 4/30/2018

- 0 - 0

Yes, without additional comment.

Southern Company, Segment(s) 1, 3, 5, 6, 10/30/2017

- 0 - 0

Yes. For the requirement to be less prescriptive, additional technical and implementation guidance is needed to provide clarity on the SDT intent and audited scope.

Warren Cross, On Behalf of: ACES Power Marketing, MRO, WECC, Texas RE, SERC, SPP RE, RF, Segments 1, 3, 4, 5

- 0 - 0

Reclamation recommends the term “plan” be replaced with the term “process” throughout the CIP-012-1 standard, Technical Rationale, Implementation Guidance, and associated documents. A plan is an unwarranted layer of compliance that does not improve the reliability of the BES. The processes an entity chooses to implement are what improve the reliability of the BES.

Wendy Center, U.S. Bureau of Reclamation, 5, 4/30/2018

- 0 - 0

Request a definition of “logical protection” or replace all instances of “logical protection” with “encryption”.

RSC no Dominion, NextEra and HQ, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 4/30/2018

- 0 - 0

Jamie Prater, 4/30/2018

- 0 - 0

David Ramkalawan, 4/30/2018

- 0 - 0

Patricia Lynch, On Behalf of: Patricia Lynch, , Segments 5, 6

- 0 - 0

Lynn Goldstein, 4/30/2018

- 0 - 0

Laurie Williams, 4/30/2018

- 0 - 0

SPP Standards Review Group, Segment(s) , 4/30/2018

- 0 - 0

Hot Answers

No answer or comments.

Brandon Gleason, Electric Reliability Council of Texas, Inc., 2, 4/30/2018

- 0 - 0

SRP does not agree the current standard and implementation plan can be executed in a cost effective manner. Encryption has been the only presented solution provided by auditors and SDT guidance to protect both confidentiality and integrity for the data within this scope. If the implementation timeframe remains at 24 months, more resources and capital will be required versus a phased implementation. A phased implementation provides the ability not only to ensure the most effective plan, but also to plan more accurately within budget cycles. More importantly, if encryption fails, SRP would lose Real-time Assessment and Real-time monitoring and control data. SRP is concerned a 24 month implementation timeline would impact reliability as there are many opportunities for encryption to fail that must be addressed. This has a direct correlation on cost when addressing those opportunities during this timeframe.

 

Additionally, SRP would like to see reference models of methods that do not require encryption as a method to protect communications between Control Centers.

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

What is cost effective to some may not be cost effective to others. How do you define cost effective?

Additional Comments

If we identify multiple types of security protection for R1.1, and one of the forms of protection fails for whatever reason, but Seminole believes we are still “protecting” the data transmission to the intent of the Standard via our other form(s) of protection, how is the drafting team addressing this?

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Nicholas Lauriat, On Behalf of: Network and Security Technologies, , Segments 1

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 4/23/2018

- 0 - 0

No Comment

Aaron Austin, 4/23/2018

- 0 - 0

While the standard is flexible on methodology, the requirement to coordinate with the other Responsible Entity may limit the inherent flexibility by requiring one Responsible Entity to make Capital Investments to meet the security requirements of the other Responsible Entity.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 6/14/2017

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 4/25/2018

- 0 - 0

More flexibility and less guidance could lead to inconsistency on requirement implementation among different entities.

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 1, 3, 4, 5

- 0 - 0

City Light supports SRP comments.

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

Faz Kasraie, On Behalf of: Seattle City Light, WECC, Segments 5

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 4/27/2018

- 0 - 0

BPA believes that if the data must be protected throughout the transmission, it would seem that could only be accomplished with encryption. For cases where the existing equipment is not capable of encryption, replacement will be costly and implementation lengthy.

Due to BPA’s large amount of applicable data, access to funds and budget cycle, and resources to perform work required, the solution will be costly.

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

CSU does not agree the current standard and implementation plan can be executed in a cost effective manner. Encryption has been the only presented solution provided by auditors and SDT guidance to protect both confidentiality and integrity for the data within this scope. If the implementation timeframe remains at 24 months, more resources and capital will be required versus a phased implementation. A phased implementation provides the ability not only to ensure the most effective plan, but also to plan more accurately within budget cycles. More importantly, if encryption fails, CSU would lose Real-time Assessment and Real-time monitoring and control data. CSU is concerned a 24 month implementation timeline would impact reliability as there are many opportunities for encryption to fail that must be addressed. This has a direct correlation on cost when addressing those opportunities during this timeframe.

Additionally, CSU would like to see reference models of methods that do not require encryption as a method to protect communications between Control Centers.

Colorado Springs Utilities, Segment(s) 5, 3, 1, 6, 10/26/2017

- 0 - 0

Thomas Breene, WEC Energy Group, Inc., 3, 4/27/2018

- 0 - 0

Adrian Andreoiu, On Behalf of: BC Hydro and Power Authority, WECC, Segments 1, 3, 5

- 0 - 0

See Response to Question 1.

Marty Hostler, Northern California Power Agency, 4, 4/27/2018

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Douglas Johnson, 4/30/2018

- 0 - 0

David Gordon, 4/30/2018

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Without clarity on ICCP between Control Centers we cannot be certain of what is expected, the costs or flexibility.

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 4/30/2018

- 0 - 0

Vivian Moser, 4/30/2018

- 0 - 0

Daniel Gacek, Exelon, 1, 4/30/2018

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 4/30/2018

- 0 - 0

AECI supports comments provided by NRECA.

AECI, Segment(s) 1, 3, 6, 5, 4/30/2018

- 0 - 0

Without additional expectations of ICCP communication protections, NV Energy is unable to determine the overall costs of CIP-012-1 implementation.

Kevin Salsbury, On Behalf of: Berkshire Hathaway - NV Energy, , Segments 5

- 0 - 0

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

More flexibility and less guidance could lead to inconsistency on requirement implementation among different entities.

James Anderson, 4/30/2018

- 0 - 0

Ellen Oswald, 4/30/2018

- 0 - 0

FMPA agrees with the following comments from Lakeland Electric:

Depending on the outcome of the new definition of Control Center, there may be unintended consequences on the implementation of CIP-012 for small entities who only have BES Assets containing low impact BES Cyber Systems (i.e., Control Centers), especially with the consideration of non-BES data and external network data. Industry is strongly motivated to protect the “right things” and maintain the BES so that it can continue to operate reliably, safely, and securely. Industry would be wise to carefully consider expansion of scope beyond what is truly required to protect the BES/critical infrastructure.

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

Nicolas Turcotte, Hydro-Québec TransEnergie, 1, 4/30/2018

- 0 - 0

See Response to Question 1.

Dennis Sismaet, Northern California Power Agency, 6, 4/30/2018

- 0 - 0

Teresa Krabe, On Behalf of: Lower Colorado River Authority, , Segments 1, 5

- 0 - 0

Eli Rivera, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Cowlitz PUD supports the comments submitted by the Bonneville Power Administration.

Russell Noble, Cowlitz County PUD, 3, 4/30/2018

- 0 - 0

Heather Morgan, EDP Renewables North America LLC, 5, 4/30/2018

- 0 - 0

No Comment

John Merrell, Tacoma Public Utilities (Tacoma, WA), 1, 4/30/2018

- 0 - 0

In the absence of clarity where ICCP is used for Real-time Assessment and Real-time monitoring data being transmitted between any Control Centers owned or operated by different Responsible Entities, PacifiCorp cannot be certain of what is expected regarding the costs or flexibility.

 

Sandra Shaffer, 4/30/2018

- 0 - 0

no comment

Jack Cashin, American Public Power Association, 4, 4/30/2018

- 0 - 0

Texas RE does not have comments on this question.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 4/30/2018

- 0 - 0

Without clarity on ICCP between Control Centers we cannot be certain of what is expected, the costs or flexibility.

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 4/30/2018

- 0 - 0

Yes, without additional comment.

Southern Company, Segment(s) 1, 3, 5, 6, 10/30/2017

- 0 - 0

Cost effective manner as compared to what? Additional resources will be required, and those resources will need to be monitored 24x7 for those controls to be effective. I would think most entities would budget that as a considerable expense.

Warren Cross, On Behalf of: ACES Power Marketing, MRO, WECC, Texas RE, SERC, SPP RE, RF, Segments 1, 3, 4, 5

- 0 - 0

Wendy Center, U.S. Bureau of Reclamation, 5, 4/30/2018

- 0 - 0

RSC no Dominion, NextEra and HQ, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 4/30/2018

- 0 - 0

Jamie Prater, 4/30/2018

- 0 - 0

David Ramkalawan, 4/30/2018

- 0 - 0

Patricia Lynch, On Behalf of: Patricia Lynch, , Segments 5, 6

- 0 - 0

Lynn Goldstein, 4/30/2018

- 0 - 0

Laurie Williams, 4/30/2018

- 0 - 0

SPP Standards Review Group, Segment(s) , 4/30/2018

- 0 - 0