
2016-02 Modifications to CIP Standards | FERC Order No. 843 (Malicious Code Example) SAR

Start Date: 06/14/2018
End Date: 07/13/2018


Hot Answers

RSC no Dominion, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 7/13/2018

- 0 - 0

SPP Standards Review Group, Segment(s) 2, 4, 1, 3, 5, 6, 7/13/2018

- 0 - 0

Other Answers

SRP understands the main objective of the SAR is to clarify compliance expectations regarding third-party transient electronic devices. SRP also agrees with the scope of modifying CIP-003-7, Attachment 1, Section 5.

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

AEP is concerned by the inclusion of the phrase “transient electronic devices”, as that would imply a scope broader than that of other CIP standards. In fact, it essentially creates an entirely new category of devices. Rather than this language, AEP suggests instead using the NERC defined terms Transient Cyber Assets and Removable Media as the obligations are further qualified.

It appears that these two proposed SARs would be applied to the project along with the existing SAR, bringing the total number of SARs for this project to three. AEP is not aware of any precedent of multiple, concurrent SARs governing a NERC project at a single point in time. A SAR helps set a project’s direction and scope, and while a project’s SAR may be revised over time, AEP does not believe Appendix 3A (Standards Process Manual) provides an allowance for multiple, concurrent SARs to govern a single NERC project. Rather, the SPM allows a project’s existing SAR to be revised to accommodate any changes believed to be necessary.

Thomas Foltz, On Behalf of: AEP, , Segments 3, 5

- 0 - 0

NCPA is concerned by the inclusion of the phrase “transient electronic devices”, as that would imply a scope broader than that of other CIP standards. In fact, it essentially creates an entirely new category of devices. Rather than this language, the NERC defined terms Transient Cyber Assets and Removable Media should be used.

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 5, 6

- 0 - 0

NCPA is concerned by the inclusion of the phrase “transient electronic devices”, as that would imply a scope broader than that of other CIP standards. In fact, it essentially creates an entirely new category of devices. Rather than this language, the NERC defined terms Transient Cyber Assets and Removable Media should be used.

Dennis Sismaet, On Behalf of: Northern California Power Agency, , Segments 5, 6

- 0 - 0

Reclamation recommends incorporating all requirements for low impact BCS into existing standards in the table and part format. For example, low impact malicious code requirements would properly be added to CIP-007; low impact transient cyber asset requirements would properly be added to CIP-010.

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

David Ramkalawan, On Behalf of: David Ramkalawan, , Segments 5

- 0 - 0

David Jendras, On Behalf of: Ameren - Ameren Services, , Segments 1, 3, 6

- 0 - 0

Andrew Gallo, On Behalf of: Andrew Gallo, , Segments 1, 3, 4, 5, 6

- 0 - 0

The NSRF agrees with the scope of the SAR addressing FERC’s directive by modifying Section 5 of Attachment 1 to CIP-003-7 to clarify that responsible entities must implement controls to mitigate the risk of malicious code that could result from the use of third-party transient electronic devices.

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

None

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Vivian Moser, On Behalf of: Vivian Moser, , Segments 1, 3, 5, 6

- 0 - 0

PSEG supports the proposed CIP-003-7 SAR because it provides sufficient scope and direction for the SDT to address the FERC Order No. 843 directive regarding third-party transient electronic devices.

PSEG REs, Segment(s) 5, 6, 3, 1, 11/2/2017

- 0 - 0

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Warren Cross, On Behalf of: ACES Power Marketing, WECC, Texas RE, SERC, RF, Segments 2, 4, 5, 6

- 0 - 0

Upon review of the proposed SAR, BC Hydro offers the following comments in support of the position that this SAR needs to be more specific.

1. As the existing version of CIP-003-7 already specifies in its Section 5 of Attachment 1 mandatory prescriptions to implement “one or more plan(s) to achieve the objective of mitigating the risk of the introduction of malicious code” including third-party transient electronic devices (i.e. “Transient Cyber Asset(s) managed by a party other than the Responsible Entity” per Section 5.2), BC Hydro does not share FERC’s concern and recommends that the SAR provide more clarity on the scope and reasoning behind FERC’s requested modifications, i.e. “to include an explicit requirement that responsible entities implement controls to mitigate the risk of malicious code that could result from third-party transient electronic devices”. (P 39 on Page 24 of FERC Order No. 843)

2. BC Hydro would like to understand the value add of revising CIP-003-7 when very similar language is already there. BC Hydro notes that Requirement 4 of the CIP-010-2(3) reliability standard in regards to high and medium impact BES Cyber Systems, Attachment 1, Section 2 and sub-Section 2.2 also contains very similar language and is not being revised.

BC Hydro, Segment(s) 1, 2, 3, 5, 5/6/2015

- 0 - 0

Hot Answers

RSC no Dominion, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 7/13/2018

- 0 - 0

SPP Standards Review Group, Segment(s) 2, 4, 1, 3, 5, 6, 7/13/2018

- 0 - 0

Other Answers

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Thomas Foltz, On Behalf of: AEP, , Segments 3, 5

- 0 - 0

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 5, 6

- 0 - 0

Dennis Sismaet, On Behalf of: Northern California Power Agency, , Segments 5, 6

- 0 - 0

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

David Ramkalawan, On Behalf of: David Ramkalawan, , Segments 5

- 0 - 0

David Jendras, On Behalf of: Ameren - Ameren Services, , Segments 1, 3, 6

- 0 - 0

Andrew Gallo, On Behalf of: Andrew Gallo, , Segments 1, 3, 4, 5, 6

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

None

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Vivian Moser, On Behalf of: Vivian Moser, , Segments 1, 3, 5, 6

- 0 - 0

PSEG REs, Segment(s) 5, 6, 3, 1, 11/2/2017

- 0 - 0

None that we are aware of.

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Warren Cross, On Behalf of: ACES Power Marketing, WECC, Texas RE, SERC, RF, Segments 2, 4, 5, 6

- 0 - 0

At this time, this may change as the full scope of the SAR is developed.

BC Hydro, Segment(s) 1, 2, 3, 5, 5/6/2015

- 0 - 0

Hot Answers

RSC no Dominion, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 7/13/2018

- 0 - 0

The SPP Standards Review Group (“SSRG”) understands the FERC order requires NERC address the narrowly defined issue related to risk of malicious code that could result from third-party transient electronic devices. Given the potential for other gaps within CIP-003-7 that relate to the mitigation of malicious code, the SSRG suggests the Standard Drafting Team consider utilizing this SAR to review the overarching issue of mitigating malicious code and explore whether additional changes are also appropriate to be included in proposed revisions to the standard.

Also, the Standards Drafting Team understands that changes to Section 5 of Attachment 1, as directed by FERC, will apply to Low Impact BES Cyber System Assets, which are by definition low risk. The Standards Drafting Team should ensure that the changes proposed to Section 5 of Attachment 1 do not inadvertently pull in other classifications of BES Cyber System Assets.

Finally, the SSRG recommends that Implementation Guidance should be developed.

SPP Standards Review Group, Segment(s) 2, 4, 1, 3, 5, 6, 7/13/2018

- 0 - 0

Other Answers

FERC Order 843, paragraph 34 states, “should a Responsible Entity find that a third party’s processes and practices for protecting its transient electronic devices inadequate, the Responsible Entity must be required to take mitigating action prior to connecting third-party transient electronic devices to a low impact BES Cyber System.” According to NERC, “failure to take mitigating action in this circumstance could result in a finding of noncompliance with Section 5 of Attachment 1.” However, the SAR does not specify this to be the reasoning for the modification. The SAR should be revised to include this reasoning to better understand the intent behind the requested modification.

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Thomas Foltz, On Behalf of: AEP, , Segments 3, 5

- 0 - 0

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 5, 6

- 0 - 0

Dennis Sismaet, On Behalf of: Northern California Power Agency, , Segments 5, 6

- 0 - 0

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

David Ramkalawan, On Behalf of: David Ramkalawan, , Segments 5

- 0 - 0

David Jendras, On Behalf of: Ameren - Ameren Services, , Segments 1, 3, 6

- 0 - 0

Andrew Gallo, On Behalf of: Andrew Gallo, , Segments 1, 3, 4, 5, 6

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

None

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Vivian Moser, On Behalf of: Vivian Moser, , Segments 1, 3, 5, 6

- 0 - 0

PSEG REs, Segment(s) 5, 6, 3, 1, 11/2/2017

- 0 - 0

The purpose of the SAR is to address FERC Order No. 843 which uses the phrase “third-party transient electronic devices.” We would strongly urge the SDT to not use this phrase when modifying CIP-003-7 but instead use the NERC glossary defined term “Transient Cyber Asset”. It is our opinion that using the NERC defined term of Transient Cyber Asset will allow the SDT to satisfy the requirements of the FERC order without creating an entirely new and unbounded class of assets.

FMPA, Segment(s) , 10/23/2017

- 0 - 0

Warren Cross, On Behalf of: ACES Power Marketing, WECC, Texas RE, SERC, RF, Segments 2, 4, 5, 6

- 0 - 0

BC Hydro, Segment(s) 1, 2, 3, 5, 5/6/2015

- 0 - 0