This comment form is no longer interactive because the comment period is closed.

2016-02 Modifications to CIP Standards | CIP-002-6 Draft 2

Description:

Start Date: 03/16/2018
End Date: 04/30/2018

Associated Ballots:

Ballot Name | Project | Standard | Pool Open | Pool Close | Voting Start | Voting End
2016-02 Modifications to CIP Standards CIP-002-6 AB 2 ST | 2016-02 Modifications to CIP Standards | CIP-002-6 | 09/14/2017 | 10/13/2017 | 04/20/2018 | 04/30/2018


Hot Answers

SPP Standards Review Group, Segment(s) , 4/30/2018

- 0 - 0

Proposed modifications are accepted. No impact on existing categorization of SRP BES Cyber Systems at control centers. SRP control center(s) are categorized “High Impact” due to Criterion 1.1-1.4, hence Criterion 2.12 is not applicable

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Linda Jacobson-Quinn, City of Farmington, 3, 3/21/2018

- 0 - 0

Val Ridad, Silicon Valley Power - City of Santa Clara, 3, 4/12/2018

- 0 - 0

Jeff Ipsaro, Silicon Valley Power - City of Santa Clara, 4, 4/12/2018

- 0 - 0

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 4/21/2018

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 4/23/2018

- 0 - 0

Aaron Austin, 4/23/2018

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 4/23/2018

- 0 - 0

While the SDT recognized Dominion Energy's previous comment, a response has not been provided. As previously asked, “The use of an aggregate weighted value of 6000 contains no justified rationale and appears to be an arbitrary selection. There is no methodology provided that demonstrates how the value is derived.”

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 6/14/2017

- 0 - 0

Jonathan Aragon, 4/25/2018

- 0 - 0

No. For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criterion.

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 1, 3, 4, 5

- 0 - 0


City Light supports APPA comments

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

Faz Kasraie, On Behalf of: Seattle City Light, WECC, Segments 5

- 0 - 0

Glen Farmer, On Behalf of: Avista - Avista Corporation, , Segments 1, 3, 5

- 0 - 0

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Adrian Andreoiu, On Behalf of: BC Hydro and Power Authority, WECC, Segments 1, 3, 5

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Douglas Johnson, 4/30/2018

- 0 - 0

David Gordon, 4/30/2018

- 0 - 0

LCRA Compliance, Segment(s) 1, 5, 6, 5/6/2015

- 0 - 0

One, we agree with establishing a threshold criterion for 2.12. We would like the Standards Drafting Team to provide some background regarding the technical basis for setting the threshold at the 6000 aggregate weighted value for applicable BES Cyber Systems. Two, though we are voting affirmative, we respectfully request the SDT to not ballot CIP-002 again until the Control Center definition has passed. If the Control Center definition is not resolved by the next ballot on CIP-002, we will consider a negative vote. This is because the Control Center definition is the foundation for the Attachment 1 criteria for Control Centers. Approving a standard without clarity of the foundation term is not advisable.

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 4/30/2018

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

ITC believes the criteria should be set at 3000 (to match criterion 2.5). Under the proposed 6000 point criterion, entities with a high number of 100KV lines (up to 23) would have control centers excluded from Medium impact criteria and thus would not have to meet most CIP security requirements.

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 4/30/2018

- 0 - 0

Daniel Gacek, Exelon, 1, 4/30/2018

- 0 - 0

Entergy, Segment(s) 1, 5, 12/13/2017

- 0 - 0

AECI supports comments provided by NRECA

AECI, Segment(s) 1, 3, 6, 5, 4/30/2018

- 0 - 0

NVE agrees with modification of the criterion. For industry reference, we do believe rationalization for 6000 point threshold should be made available within the Attachment, or through industry outreach (Technical justification document, Industry webinar, etc.)

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 4/30/2018

- 0 - 0

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

No. For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criterion.

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

James Anderson, 4/30/2018

- 0 - 0

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

No comment

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Andrey Komissarov, On Behalf of: Sempra - San Diego Gas and Electric - WECC - Segments 7

- 0 - 0

Nicolas Turcotte, Hydro-Québec TransEnergie, 1, 4/30/2018

- 0 - 0

No Response

Eli Rivera, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Dmitriy Bazylyuk, 4/30/2018

- 0 - 0

David Ramkalawan, 4/30/2018

- 0 - 0

Teresa Krabe, Lower Colorado River Authority, 5, 4/30/2018

- 0 - 0

Heather Morgan, On Behalf of: EDP Renewables North America LLC, , Segments 5

- 0 - 0

No Comment

John Merrell, Tacoma Public Utilities (Tacoma, WA), 1, 4/30/2018

- 0 - 0

We agree with revising this criterion to be a threshold based analysis, and feel it provides a good objective criteria to determine in scope assets.  We would like the Standards Drafting Team to provide some background regarding the technical basis for setting the threshold at the 6000 aggregate weighted value for applicable BES Cyber Systems.

 

Also, we’d like the Standards Drafting Team to consider timing when posting CIP-002-6 for final ballot.  Without the Control Center definition being resolved and approved prior to the final approval for CIP-002-6, we will consider a negative vote on CIP-002-6. This is because the Control Center definition is the foundation for the Attachment 1 criteria for Control Centers, and would not be advisable to approve the standard without clarity of the term.

Sandra Shaffer, 4/30/2018

- 0 - 0

Jack Cashin, American Public Power Association, 4, 4/30/2018

- 0 - 0

No

 

The proposed modifications could lead to Transmission Owners (TO) performing functional obligations of Transmission Operators that currently have medium impact BES Cyber Systems because of 2.12 becoming low impact.

For example:

  • The use of the term “and” means that a TO that monitors but does not control is no longer classified as a medium BES Cyber Asset.

  • A TO that monitors and controls a substation (A) that has three 345 kV lines and two 138 kV lines. Its “aggregated weighted value” would be 1300+1300+1300+250+250=4,400. This TO also monitors and controls another substation (B) with one 345 kV line and one 138 kV line. Its “aggregated weighted value” would be 1300+250=1,550. 4,400 (A)+1,550 (B) =5,950, which is less than 6,000. Therefore, even though this TO may meet the definition of Control Center, the Control Center’s BES Cyber Systems would now be low impact even though the substation itself would have medium impact BES Cyber Systems (medium impact criteria 2.5).

Texas RE inquires as to whether this is the intent of the SDT.

 

Rachel Coyne, Texas Reliability Entity, Inc., 10, 4/30/2018

- 0 - 0

One, we agree with establishing a threshold criterion for 2.12. We would like the Standards Drafting Team to provide some background regarding the technical basis for setting the threshold at the 6000 aggregate weighted value for applicable BES Cyber Systems. Two, though we are voting affirmative, we respectfully request the SDT to not ballot CIP-002 again until the Control Center definition has passed. If the Control Center definition is not resolved by the next ballot on CIP-002, we will consider a negative vote. This is because the Control Center definition is the foundation for the Attachment 1 criteria for Control Centers. Approving a standard without clarity of the foundation term is not advisable.

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 4/30/2018

- 0 - 0

Yes, without additional comment.

Southern Company, Segment(s) 1, 3, 5, 6, 10/30/2017

- 0 - 0

Reclamation recommends simplifying the Impact Rating Criteria using the following methodology:

BES Cyber Systems are to be rated as high, medium, or low impact as follows:

  • A high impact BES Cyber System is a Control Center that has one or more of the following characteristics:

    • Is identified as supporting an IROL or is necessary to avoid an Adverse Reliability Impact.

    • Supports generation with an aggregate capacity greater than 3000MW;

    • Supports a sum greater than 2500kV of transmission lines above 230kV;

    • Is used to operate transmission lines of 500kV or above;

  • A medium impact BES Cyber System has one or more of the following characteristics:

    • Supports a RAS that could negatively affect an IROL or that can perform automatic Load shedding of 300MW or more.

    • Supports a sum between 1500 – 2500kV of transmission lines above 230kV;

    • Supports generation with the aggregate capacity between 1500 – 3000MW;

  • A low impact BES Cyber System has one or more of the following characteristics:

    • Supports a sum less than 1500kV of transmission lines above 230kV;
    • Supports transmission only between 110 – 230kV;
    • Supports generation with an aggregate capacity between 75 – 1500MW;
    • Supports any single generator greater than 20MW not already identified as a Medium Impact BES Cyber System;
    • Supports any Facilities that are designated a blackstart resource;
    • Supports any other RAS not already identified as a medium impact BES Cyber System.

Wendy Center, U.S. Bureau of Reclamation, 5, 4/30/2018

- 0 - 0

RSC no Dominion, NextEra and HQ, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 4/30/2018

- 0 - 0

Patricia Lynch, On Behalf of: Patricia Lynch, , Segments 5, 6

- 0 - 0

Hot Answers

SPP Standards Review Group, Segment(s) , 4/30/2018

- 0 - 0

If these standards would have applied to us, SRP would have discussed the timeline and impacts as a group and formed a consensus before commenting.  We would have asked for additional time to prepare to meet compliance (for planning, coordination, and out other logistics).

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Linda Jacobson-Quinn, City of Farmington, 3, 3/21/2018

- 0 - 0

Val Ridad, Silicon Valley Power - City of Santa Clara, 3, 4/12/2018

- 0 - 0

Jeff Ipsaro, Silicon Valley Power - City of Santa Clara, 4, 4/12/2018

- 0 - 0

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 4/21/2018

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 4/23/2018

- 0 - 0

Aaron Austin, 4/23/2018

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 4/23/2018

- 0 - 0

  1. Dominion Energy recommends converting the footnotes contained in Section 6 to NERC defined terms.  This would clarify the terms in a central location and avoid confusion.

  2. It is unclear why an unplanned change would warrant more time than a planned change.  The risk is the same for both situations.   Please provide clarification on why unplanned and planned changes have different implementation periods.

  3. In some scenarios, it appears that a change may result in reclassifying a BCS which would require significant changes to meet compliance obligations. 

    Clarify why an entity may have a 12 month implementation plan in the case of an unplanned change, but could potentially only have a few weeks implementation plan for the entire substation if a new transmission line causes the substation to go from low to medium impact.  The “few weeks” example was provided because cyber assets will likely be the last phase of a project and the substation BCS will not be complete without the new cyber assets.  Additionally, all compliance related tasks would need to be completed during the same timeframe as operational installation and testing.

    For planned changes, we recommend defining an implementation period not to exceed 1 year after the in-service date that allows for compliance activities to be performed.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 6/14/2017

- 0 - 0

AZPS recommends that the implementation time period be 24 calendar months from the date of notification or detection of the unplanned changes regardless of whether or not the Entity has previously identified a low, medium, or high impact BES Cyber System associated with that same BES asset type as the effort required would involve the design and implementation of  technology, procurement, and contracting efforts, which could easily exceed 12 months.   

Jonathan Aragon, 4/25/2018

- 0 - 0

Since CIP-002-5.1a became effective the SMEs responsible for evaluating and identifying Low BES Cyber Assets have incrementally increased the types of devices in scope as industry/regional expectations developed, SME changes and associated interpretations occurred, and their own CIP-002-5.1a knowledge has increased. 

Adding regulation to be compliant upon installation will have the opposite effect of SMEs: who will now prefer “no change” over performing a thorough and fresh review for each CIP-002 iteration.

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 1, 3, 4, 5

- 0 - 0


City Light supports APPA comments

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

Faz Kasraie, On Behalf of: Seattle City Light, WECC, Segments 5

- 0 - 0

Glen Farmer, On Behalf of: Avista - Avista Corporation, , Segments 1, 3, 5

- 0 - 0

BPA disagrees with the location/treatment of the implementation timelines (i.e. Applicability section) for description of Planned and Unplanned Changes  and associated Scenario of Unplanned Changed Implementation Period table.  From an audit standpoint, BPA suggests standard template formatting and numbering be applied.

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Adrian Andreoiu, On Behalf of: BC Hydro and Power Authority, WECC, Segments 1, 3, 5

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Douglas Johnson, 4/30/2018

- 0 - 0

MMWEC supports comments submitted by NPCC.

David Gordon, 4/30/2018

- 0 - 0

Want to see Commission date defined in the NERC Glossary of terms. Would like to see “Commission date” language to be used in the CIP-007 and CIP-010 standards that it impacts (baselining, SIEM logging, Patch Source tracking) and the language in those standards changed concurrently with the CIP-002-6. Section 6 of CIP-002-6 uses the word “this Reliability Standard” in the first sentence which implies CIP-002-6 only but the standard is impacting not just “this CIP-002” but affects other standards as well.

LCRA Compliance, Segment(s) 1, 5, 6, 5/6/2015

- 0 - 0

Though we are voting affirmative, we respectfully request the SDT consider a revision. Planned and unplanned changes include footnotes. We recommend revising both footnotes from “Examples of … include:”  to “Examples of … include, but are not limited to:”

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 4/30/2018

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0


Brian Evans-Mongeon, Utility Services, Inc., 4, 4/30/2018

- 0 - 0

Exelon notices that the Unplanned Changes as described in the footnote, are all externally initiated changes.  Are there any internally initiated changes that could also qualify as unplanned?  Also, there may be unplanned changes that involve decommissioning of an asset.  Should this also be expounded on here?

Daniel Gacek, Exelon, 1, 4/30/2018

- 0 - 0

The proposed Section 6 for Planned and Unplanned Changes is good.  The issue is that the definitions, examples, and timeframes do not specifically address the timeframes for acquisition of an existing facility and differences between company posture.  Recommend defining acquisitions as either a Planned Change, Unplanned Change, or as a separate event with timeframes.

Entergy, Segment(s) 1, 5, 12/13/2017

- 0 - 0

AECI supports comments provided by NRECA

AECI, Segment(s) 1, 3, 6, 5, 4/30/2018

- 0 - 0

 NVE believed the timelines determined for planned and unplanned changes are reasonable.

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 4/30/2018

- 0 - 0

Xcel Energy generally agrees with the proposed timelines for implementation of planned and unplanned changes, further clarifications of what constitutes an unplanned change would be appreciated.  The concern involves the potential maintenance or replacement of BES Assets in a BES System.  As an example, would the replacement of a failed relay at a Medium Impact substation allow for a 12 month implementation period and remove compliance obligations for that system in that period? In order to remediate any ambiguous language in Section 6, Xcel Energy suggests changing the "Unplanned" language to read:

For Unplanned Changes, resulting in a new BES Cyber System or a change in categorization for an existing BES Cyber System, the Responsible Entity shall comply with all newly applicable requirements in this Reliability Standard according to the timelines in the table below....

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

Since CIP-002-5.1a became effective the SMEs responsible for evaluating and identifying Low BES Cyber Assets have incrementally increased the types of devices in scope as industry/regional expectations developed, SME changes and associated interpretations occurred, and their own CIP-002-5.1a knowledge has increased. 

Adding regulation to be compliant upon installation will have the opposite effect of SMEs: who will now prefer “no change” over performing a thorough and fresh review for each CIP-002 iteration.

James Anderson, 4/30/2018

- 0 - 0

Tri-State does not understand the sentence/paragraph following the Implementation Table in Section 6. For example, there's a reference to requirements with periodic obligations. Does this pertain only to those found in CIP-002 or those found throughout the CIP Standards? If it only refers to those found in CIP-002, then Tri-State would recommend explicitly stating that. Tri-State also believes the language is overly verbose and complex.

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

No comment

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Andrey Komissarov, On Behalf of: Sempra - San Diego Gas and Electric - WECC - Segments 7

- 0 - 0

It might be pertinent that the STD takes into consideration the change in the categorization for an existing BES Cyber System considered in CIP-002-6 as an unplanned change and gives an implementation period to comply with the new applicable requirements relative to the new categorisation. A change in the categorization for an existing BES Cyber System can be from Low to Medium and can involve a certain amount of new applicable requirements that can involve for an entity a certain period of time to be compliant even though the BES Cyber System is already impacting the BES.

Nicolas Turcotte, Hydro-Québec TransEnergie, 1, 4/30/2018

- 0 - 0

CenterPoint Energy Houston Electric, LLC (“CenterPoint Energy”) agrees with moving the implementation timelines for planned and unplanned changes to CIP-002-6.  However, CenterPoint Energy believes the implementation timeline for planned changes resulting in a higher categorization as proposed in CIP-002-6 is not consistent with the concept in the current CIP Version 5/6 implementation plan.  Paragraph 3 on page 4 of the “Implementation Plan for Version 5 CIP Cyber Security Standards” states that for planned changes resulting in a higher categorization, the responsible entity shall comply with all applicable requirements “on the update of the identification and categorization of the affected BES Cyber System,” not “upon the commission date of the planned change” as proposed in CIP-002-6.

CenterPoint Energy recommends removing the phrase “or a change in categorization for an existing BES Cyber System” from the second paragraph in section 6 to keep it focused on planned changes resulting in a new BES Cyber System and adding the following paragraph for planned changes resulting in a higher categorization:

“For planned changes resulting in a higher categorization, the responsible entity shall comply with all applicable requirements in the CIP Cyber Security Standards on the update of the identification and categorization of the affected BES Cyber System and any applicable and associated Physical Access Control Systems, Electronic Access Control and Monitoring Systems and Protected Cyber Assets.”

Eli Rivera, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Dmitriy Bazylyuk, 4/30/2018

- 0 - 0

David Ramkalawan, 4/30/2018

- 0 - 0

Yes with the following questions to be addressed:

1. Does a new EMS need to be CIP compliant before the first cut-over test?

2. Assuming the cut-over test in Q1 fails, does the system need to remain CIP compliant until the next test? The time between cut-over tests may be months.

Teresa Krabe, Lower Colorado River Authority, 5, 4/30/2018

- 0 - 0

“Initial performance of those obligations following a Planned Change shall occur within the first period following the commissioned date of the Planned Change.” Further clarification is needed regarding what the “first period” means. For instance, does this mean calendar quarter? Next day? Day of?

 

Additionally, further clarification is needed on what “impacting the BES” means with respect to, “the commissioned date is the date a new or modified Bulk Electric System asset or Cyber Asset is capable of impacting the BES.” Does this mean that, according to the entity’s interpretation, the new or modified BES asset or Cyber Asset could, within 15 minutes, adversely impact the reliable operation of the BES? Or does impacting the BES mean something else?

Heather Morgan, On Behalf of: EDP Renewables North America LLC, , Segments 5

- 0 - 0

No Comment

John Merrell, Tacoma Public Utilities (Tacoma, WA), 1, 4/30/2018

- 0 - 0

We support the proposed implementation timelines for planned and unplanned changes.  However, please consider the following revision to planned and unplanned changes footnotes. We recommend revising both footnotes from “Examples of … include:”  to “Examples of … include, but are not limited to:”

Sandra Shaffer, 4/30/2018

- 0 - 0

Jack Cashin, American Public Power Association, 4, 4/30/2018

- 0 - 0

Texas RE inquires as to why the section regarding planned and unplanned changes was removed from the implementation plan.  Since they no longer reside in one of the enforceable parts of the standard, this will cause confusion upon implementation.  Texas RE recommends keeping this section in the implementation plan.

 

Texas RE also noticed that PCAs were removed from the graphic on page 7, but is still in the list of Cyber Assets on page 9.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 4/30/2018

- 0 - 0

Though we are voting affirmative, we respectfully request the SDT consider a revision. Planned and unplanned changes include footnotes. We recommend revising both footnotes from “Examples of … include:”  to “Examples of … include, but are not limited to:”

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 4/30/2018

- 0 - 0

Yes, without additional comment.

Southern Company, Segment(s) 1, 3, 5, 6, 10/30/2017

- 0 - 0

Wendy Center, U.S. Bureau of Reclamation, 5, 4/30/2018

- 0 - 0

Update says

<< 

For requirements that contain periodic obligations, initial performance of those obligations following an Unplanned Change shall occur within the first period following the date that the Implementation Period ends, as defined in the table above

>> 

Request clarification on this “first period.” If the obligation is quarterly and the Implementation Period is 24 months, would this first period be the first quarter after those 24 months?

 

Request clarification on “CIP Cyber Security Standards.” Does this include only CIP-002 – CIP-011? Or more CIP Standards?

<< 

This general process of categorization of BES Cyber Systems based on impact on the reliable operation of the BES is consistent with risk management approaches for the purpose of application of cyber security requirements in the remainder of the Version 5 CIP Cyber Security Standards.

>> 

 

It might be pertinent that the STD takes into consideration the change in the categorization for an existing BES Cyber System considered in CIP-002-6 as an unplanned change and gives an implementation period to comply with the new applicable requirements relative to the new categorisation. A change in the categorization for an existing BES Cyber System can be from Low to Medium and can involve a certain amount of new applicable requirements that can involve for an entity a certain period of time to be compliant even though the BES Cyber System is already impacting the BES.

RSC no Dominion, NextEra and HQ, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 4/30/2018

- 0 - 0

Patricia Lynch, On Behalf of: Patricia Lynch, , Segments 5, 6

- 0 - 0

Hot Answers

SPP Standards Review Group, Segment(s) , 4/30/2018

- 0 - 0

SRP agrees

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Linda Jacobson-Quinn, City of Farmington, 3, 3/21/2018

- 0 - 0

Val Ridad, Silicon Valley Power - City of Santa Clara, 3, 4/12/2018

- 0 - 0

Jeff Ipsaro, Silicon Valley Power - City of Santa Clara, 4, 4/12/2018

- 0 - 0

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 4/21/2018

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 4/23/2018

- 0 - 0

Aaron Austin, 4/23/2018

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 4/23/2018

- 0 - 0

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 6/14/2017

- 0 - 0

AZPS proposed that the first sentence following the table in Section 6 be modified to state:  “With the exception of the initial implementation of CIP-002-6 as set forth in “Implementation Plan”, for requirements that contain periodic obligation, initial performance of those obligations following an Unplanned Change, etc.

Jonathan Aragon, 4/25/2018

- 0 - 0

Without industry concurrence on the standard revisions, it is premature to comment on the implementation plan.

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 1, 3, 4, 5

- 0 - 0


City Light supports APPA comments

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

Faz Kasraie, On Behalf of: Seattle City Light, WECC, Segments 5

- 0 - 0

Glen Farmer, On Behalf of: Avista - Avista Corporation, , Segments 1, 3, 5

- 0 - 0

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Adrian Andreoiu, On Behalf of: BC Hydro and Power Authority, WECC, Segments 1, 3, 5

- 0 - 0

Duke Energy suggests the drafting team consider an Implementation Plan of 6 calendar months. Additional time will be necessary to identify impacted areas, and then to make necessary changes to applicable documentation. We think that 6 calendar months is a more reasonable timeframe given the potential level of work.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Douglas Johnson, 4/30/2018

- 0 - 0

David Gordon, 4/30/2018

- 0 - 0

Since the proposed changes impact other standards, we will need to rework the current processes and have adequate time for testing the new processes.  Need the effective  day to be at least first day of the first calendar quarter that is twelve (12)  calendar months after  approval.

LCRA Compliance, Segment(s) 1, 5, 6, 5/6/2015

- 0 - 0

  1. The SDT believes proposed modifications in CIP-002-6 provide entities with flexibility to meet the reliability objectives in a cost effective manner. Do you agree? If you do not agree, or if you agree but have suggestions for improvement to enable more cost effective approaches, please provide your recommendation and, if appropriate, technical or procedural justification.

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 4/30/2018

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0


Section 6 Planned and Unplanned changes uses the term commission date and then defines it in the next sentence. Suggest removing the term “commission date” and replacing it with “the date a new or modified Bulk Electric System asset or Cyber Asset is capable of impacting the BES”. It is confusing to use a term in only one place and then applying a definition that is different than what some people may be used to.

Brian Evans-Mongeon, Utility Services, Inc., 4, 4/30/2018

- 0 - 0

Daniel Gacek, Exelon, 1, 4/30/2018

- 0 - 0

Entergy, Segment(s) 1, 5, 12/13/2017

- 0 - 0

AECI supports comments provided by NRECA

AECI, Segment(s) 1, 3, 6, 5, 4/30/2018

- 0 - 0

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 4/30/2018

- 0 - 0

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

Without industry concurrence on the standard revisions, it is premature to comment on the implementation plan.

James Anderson, 4/30/2018

- 0 - 0

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

No comment

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Andrey Komissarov, On Behalf of: Sempra - San Diego Gas and Electric - WECC - Segments 7

- 0 - 0

Nicolas Turcotte, Hydro-Québec TransEnergie, 1, 4/30/2018

- 0 - 0

Eli Rivera, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

The changes would likely take more time than 3 months to implement. 12 calendar months would be reasonable to make sure the processes and documentation are ready.

Dmitriy Bazylyuk, 4/30/2018

- 0 - 0

David Ramkalawan, 4/30/2018

- 0 - 0

Teresa Krabe, Lower Colorado River Authority, 5, 4/30/2018

- 0 - 0

Heather Morgan, On Behalf of: EDP Renewables North America LLC, , Segments 5

- 0 - 0

Tacoma Power supports comments provided by APPA.

John Merrell, Tacoma Public Utilities (Tacoma, WA), 1, 4/30/2018

- 0 - 0

Sandra Shaffer, 4/30/2018

- 0 - 0

APPA supports the proposed Implementation Plan and offers input to improve the clarity of that plan. Section 6 addressing Planned and Unplanned changes uses the term commission date and then defines it in the next sentence. Public power recommends removing the term “commission date” and replacing it with “the date a new or modified Bulk Electric System asset or Cyber Asset is capable of impacting the BES.” This change will provide sufficient clarity in implementing the Standard.

Jack Cashin, American Public Power Association, 4, 4/30/2018

- 0 - 0

Texas RE is not opposed to the timeline set forth in the implementation plan.  Please see Texas RE’s comment in #2 regarding planned and unplanned changes.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 4/30/2018

- 0 - 0

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 4/30/2018

- 0 - 0

Given that the standard is directed toward moving the scope of applicability down (medium to low), Southern agrees with the proposal.

Southern Company, Segment(s) 1, 3, 5, 6, 10/30/2017

- 0 - 0

Reclamation recommends the Implementation Plan for the revised standard become effective the first day of the first calendar quarter that is 18 calendar months after the effective date of the applicable governmental authority’s order approving the standard to allow entities time to apply the revised Impact Rating Criteria.

Wendy Center, U.S. Bureau of Reclamation, 5, 4/30/2018

- 0 - 0

RSC no Dominion, NextEra and HQ, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 4/30/2018

- 0 - 0

Patricia Lynch, On Behalf of: Patricia Lynch, , Segments 5, 6

- 0 - 0

Hot Answers

SPP Standards Review Group, Segment(s) , 4/30/2018

- 0 - 0

This question might be applicable to entities who are expected to have planned and unplanned facilities non-compliant with CIP-002-6. Flexibility is having the time and human resources to form compliance with CIP-002-6 before the deadlines. SRP does not expect such changes in our footprint. SRP agrees with the proposed modifications in CIP-002-6.

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Other Answers

Linda Jacobson-Quinn, City of Farmington, 3, 3/21/2018

- 0 - 0

Val Ridad, Silicon Valley Power - City of Santa Clara, 3, 4/12/2018

- 0 - 0

Jeff Ipsaro, Silicon Valley Power - City of Santa Clara, 4, 4/12/2018

- 0 - 0

ADDITIONAL COMMENTS

  1. Would a modification to an entity’s procedure for categorizing BES Cyber Systems that brought in additional or medium or low impact BCAs be a “planned change” for purposes of CIP-002?

  2. It is Seminole’s understanding that NERC is attempting to disconnect the Guidelines and Technical Basis from being connected to the Standard as this section is not part of the Standard.  The drafting team should make the Guidelines and Technical Basis a separate document.

  3. Are the Appendix Interpretations part of the Standard?  Are they being approved by FERC via this ballot action?  If not, then they should be separated from the Standard. 

  4. How are interpretations attached to Standards different than the Compliance Application Notices (“CANS”) that NERC used to attach but they tried to get away from attaching?

Kristine Ward, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 4/21/2018

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 4/23/2018

- 0 - 0

No comment

Aaron Austin, 4/23/2018

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 4/23/2018

- 0 - 0

Dominion Energy is unable to respond because we are not impacted by the change for 2.12.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 6/14/2017

- 0 - 0

AZPS agrees that the proposed modifications provide entities with flexibility to meet the reliability objectives, provided the implementation period is reasonable (i.e., 24 months). Otherwise it may require entities to expend significant resources to meet timeframes that may be unnecessarily short.

Jonathan Aragon, 4/25/2018

- 0 - 0

For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criterion.

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 1, 3, 4, 5

- 0 - 0

- 0 - 0

City Light supports APPA comments

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

Faz Kasraie, On Behalf of: Seattle City Light, WECC, Segments 5

- 0 - 0

Glen Farmer, On Behalf of: Avista - Avista Corporation, , Segments 1, 3, 5

- 0 - 0

BPA has no comment

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Adrian Andreoiu, On Behalf of: BC Hydro and Power Authority, WECC, Segments 1, 3, 5

- 0 - 0

Duke Energy, Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Douglas Johnson, 4/30/2018

- 0 - 0

David Gordon, 4/30/2018

- 0 - 0

Would have liked to see a timeframe like 14 calendar days within the “Commission Date” to comply rather than the “Commission Date”.

LCRA Compliance, Segment(s) 1, 5, 6, 5/6/2015

- 0 - 0

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 4/30/2018

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 4/30/2018

- 0 - 0

Daniel Gacek, Exelon, 1, 4/30/2018

- 0 - 0

Entergy, Segment(s) 1, 5, 12/13/2017

- 0 - 0

AECI supports comments provided by NRECA

AECI, Segment(s) 1, 3, 6, 5, 4/30/2018

- 0 - 0

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 4/30/2018

- 0 - 0

Amy Casuscelli, On Behalf of: Xcel Energy, Inc. - MRO, WECC, SPP RE - Segments 1, 3, 5, 6

- 0 - 0

For entities where TO Control Centers already meet High Impact criteria (by way of High Watermark), this clarification only serves to create additional compliance burden to determine an irrelevant criterion.

An alternate proposal to the drafted criterion would precede the Criterion with: “Where TO Control Centers are not determined to meet High Impact criteria then…..[perform aggregate weighting evaluation to determine IRC 2.12]”, which would allow an entity to avoid the unnecessary compliance burden of performing this evaluation for High Impact TO Control Centers.

James Anderson, 4/30/2018

- 0 - 0

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

No comment

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Andrey Komissarov, On Behalf of: Sempra - San Diego Gas and Electric - WECC - Segments 7

- 0 - 0

Nicolas Turcotte, Hydro-Québec TransEnergie, 1, 4/30/2018

- 0 - 0

No Response

Eli Rivera, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Dmitriy Bazylyuk, 4/30/2018

- 0 - 0

David Ramkalawan, 4/30/2018

- 0 - 0

Teresa Krabe, Lower Colorado River Authority, 5, 4/30/2018

- 0 - 0

Heather Morgan, On Behalf of: EDP Renewables North America LLC, , Segments 5

- 0 - 0

No Comment

John Merrell, Tacoma Public Utilities (Tacoma, WA), 1, 4/30/2018

- 0 - 0

Sandra Shaffer, 4/30/2018

- 0 - 0

Jack Cashin, American Public Power Association, 4, 4/30/2018

- 0 - 0

Texas RE does not have comments on this question.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 4/30/2018

- 0 - 0

Terry Harbour, Berkshire Hathaway Energy - MidAmerican Energy Co., 1, 4/30/2018

- 0 - 0

Given that the standard is directed toward moving the scope of applicability down (medium to low), Southern agrees with the proposal.

Southern Company, Segment(s) 1, 3, 5, 6, 10/30/2017

- 0 - 0

Reclamation recommends the simplified Impact Rating Criteria described in the response to Question 1 will provide a more cost-effective manner of categorizing BES Cyber Systems and their associated BES Cyber Assets by reducing the cost of implementing the standard and the overall impact of CIP-002-6 and allowing entities to reduce the time spent “review[ing] the identifications in Requirement R1 and its parts (and update[ing] them if there are changes identified) at least once every 15 calendar months.”

Wendy Center, U.S. Bureau of Reclamation, 5, 4/30/2018

- 0 - 0

RSC no Dominion, NextEra and HQ, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 4/30/2018

- 0 - 0

Patricia Lynch, On Behalf of: Patricia Lynch, , Segments 5, 6

- 0 - 0