
2016-02 Modifications to CIP Standards | CIP-003-8

Description:

Start Date: 08/23/2018
End Date: 10/09/2018

Associated Ballots:

Ballot Name: 2016-02 Modifications to CIP Standards CIP-003-8 Draft 1 IN 1 ST
Project: 2016-02 Modifications to CIP Standards
Standard: CIP-003-8 Draft 1
Pool Open: 08/23/2018
Pool Close: 09/21/2018
Voting Start: 09/28/2018
Voting End: 10/09/2018


Hot Answers

Daniel Gacek, Exelon, 1, 10/9/2018

- 0 - 0

Constantin Chitescu, On Behalf of: Ontario Power Generation Inc., , Segments 5

- 0 - 0

Other Answers

- 0 - 0

Jonathan Robbins, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Santee Cooper, Segment(s) 1, 3, 5, 6, 9/28/2018

- 0 - 0

None

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

ReliabilityFirst agrees with the proposed modification.

Anthony Jablonski, ReliabilityFirst , 10, 10/1/2018

- 0 - 0

PPL NERC Registered Affiliates, Segment(s) 1, 3, 5, 6, 9/6/2018

- 0 - 0

FirstEnergy, Segment(s) 4, 3, 5, 6, 9/5/2018

- 0 - 0

Leanna Lamatrice, 10/3/2018

- 0 - 0

The NSRF recommends the following change for clarity to the draft 5.2.2 (added text is bracketed) “For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any additional mitigation actions are necessary and[, if any,] implement such actions prior to connecting the Transient Cyber Asset.”

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company, RF, Segments 1, 3, 4, 5

- 0 - 0

James Anderson, 10/5/2018

- 0 - 0

The proposed language is too vague, will not add value, and is not auditable. Reclamation recommends any changes pertaining to low impact TCA and RM should align with CIP-010 Attachment 1 and provide equal or less stringent controls for low impact BES Cyber Systems as for medium and high impact BES Cyber Systems.

Richard Jackson, U.S. Bureau of Reclamation, 1, 10/5/2018

- 0 - 0

Dennis Sismaet, Northern California Power Agency, 6, 10/5/2018

- 0 - 0

AECI supports the comments provided by NRECA.

AECI, Segment(s) 1, 3, 6, 5, 4/30/2018

- 0 - 0

Idaho Power Company does not believe that this is an auditable approach by the way the standards are written. A Responsible Entity that believed any additional mitigation actions were necessary would implement those additional measures. Stating the requirements in this manner seems vague and lacks the auditability of a normal requirement. It would be more appropriate to have a Responsible Entity document the steps that were taken prior to allowing a third party to connect a TCA.

Laura Nelson, 10/8/2018

- 0 - 0

LES supports the NSRF comments:

The NSRF recommends the following change for clarity to the draft 5.2.2 (added text is bracketed) “For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any additional mitigation actions are necessary and[, if any,] implement such actions prior to connecting the Transient Cyber Asset.”

Eric Ruskamp, Lincoln Electric System, 6, 10/8/2018

- 0 - 0

Vivian Moser, 10/8/2018

- 0 - 0

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 10/8/2018

- 0 - 0

There appears to be a disconnect between the intent as noted in the Guidelines and Technical Basis and the requirement documented in CIP-003-8, Attachment 1, 5.2.2.  The intent is that, “if there are deficiencies identified” then mitigation actions must be completed.  The requirement does not contain the ‘if then’ syntax.

Consider revising 5.2.2 as follows:
If deficiencies are identified for any method used pursuant to 5.2.1, then the Responsible Entity shall implement mitigation actions to address the deficiencies prior to connecting the Transient Cyber Asset.

Consider revising CIP-003-8, Attachment 2, Section 5 (2) as follows:

Examples of evidence for Attachment 1, Section 5.2.2 may include, but are not limited to, documentation from change management systems, electronic mail, or contracts that identify mitigation actions that were implemented prior to connecting the Transient Cyber Asset managed by a party and that were implemented to address deficiencies of any method used pursuant to 5.2.1

Tyson Archie, Platte River Power Authority, 5, 10/8/2018

- 0 - 0

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

NRECA recommends the following change for clarity to the draft 5.2.2 (added text is bracketed) “For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any additional mitigation actions are necessary and[, if any,] implement such actions prior to connecting the Transient Cyber Asset.”

Barry Lawson, 10/8/2018

- 0 - 0

The proposed language is too vague, will not add value, and is not auditable. Reclamation recommends any changes pertaining to low impact TCA and RM should align with CIP-010 Attachment 1 and provide equal controls for low impact BES Cyber Systems as for medium and high impact BES Cyber Systems.

Larry Watt, Lakeland Electric, 1, 10/9/2018

- 0 - 0

Please refer to comments from the MRO NERC Standards Review Forum (NSRF).

- 0 - 0

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 10/9/2018

- 0 - 0

Heather Morgan, On Behalf of: EDP Renewables North America LLC, , Segments 5

- 0 - 0

faranak sarbaz, Los Angeles Department of Water and Power, 1, 10/9/2018

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 10/9/2018

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Anton Vu, Los Angeles Department of Water and Power, 6, 10/9/2018

- 0 - 0

RSC no Dominion and HQ, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 10/9/2018

- 0 - 0

Douglas Johnson, 10/9/2018

- 0 - 0

Sandra Shaffer, 10/9/2018

- 0 - 0

ACES Standard Collaborations, Segment(s) 5, 1, 3, 10/9/2018

- 0 - 0

Maryanne Darling-Reich, On Behalf of: Black Hills Corporation - WECC - Segments 1, 3, 5, 6

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 10/9/2018

- 0 - 0

SMEC agrees with NRECA Comment:

recommends the following change for clarity to the draft 5.2.2 (added text is bracketed) “For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any additional mitigation actions are necessary and[, if any,] implement such actions prior to connecting the Transient Cyber Asset.”

Lana Smith, On Behalf of: San Miguel Electric Cooperative, Inc., Texas RE, Segments 5

- 0 - 0

Tho Tran, 10/9/2018

- 0 - 0

Rachel Coyne, Texas Reliability Entity, Inc., 10, 10/9/2018

- 0 - 0

Recommends the following change for clarity to the draft 5.2.2 (added text is bracketed) “For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any additional mitigation actions are necessary and[, if any,] implement such actions prior to connecting the Transient Cyber Asset.”

Andrea Barclay, 10/9/2018

- 0 - 0

David Jendras, Ameren - Ameren Services, 3, 10/9/2018

- 0 - 0

ITC is in agreement with statements made by the NSRF:

The NSRF recommends the following change for clarity to the draft 5.2.2 (added text is bracketed) “For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any additional mitigation actions are necessary and[, if any,] implement such actions prior to connecting the Transient Cyber Asset.”

 

Stephanie Burns, 10/9/2018

- 0 - 0

The final bullet of 5.2.1 “Other method(s) to mitigate the introduction of malicious code” addresses the issue.  If the entity deems it necessary to use another method, they already have this provision in place.  Section 5.2.2 only confuses the matter.

Andrey Komissarov, 10/9/2018

- 0 - 0

Eli Rivera, On Behalf of: Central Electric Cooperative, Inc. (Redmond, Oregon), Texas RE, Segments 1

- 0 - 0

William Sanders, 10/9/2018

- 0 - 0

Douglas Webb, 10/9/2018

- 0 - 0

Amber Orr, 10/9/2018

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 10/30/2017

- 0 - 0

Ryan Walter, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

Hot Answers

Daniel Gacek, Exelon, 1, 10/9/2018

- 0 - 0

Constantin Chitescu, On Behalf of: Ontario Power Generation Inc., , Segments 5

- 0 - 0

Other Answers

- 0 - 0

Jonathan Robbins, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Santee Cooper, Segment(s) 1, 3, 5, 6, 9/28/2018

- 0 - 0

None

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

ReliabilityFirst agrees with the proposed modification.

Anthony Jablonski, ReliabilityFirst , 10, 10/1/2018

- 0 - 0

PPL NERC Registered Affiliates, Segment(s) 1, 3, 5, 6, 9/6/2018

- 0 - 0

FirstEnergy, Segment(s) 4, 3, 5, 6, 9/5/2018

- 0 - 0

Leanna Lamatrice, 10/3/2018

- 0 - 0

The NSRF requests that the entire Guideline and Technical Basis section should be removed from the Standard as it may be interpreted as how to meet the Compliance obligations of the Requirements.  FERC Order 693 section 253 states, “The most critical element of a Reliability Standard is the Requirements. As NERC explains, “the Requirements within a standard define what an entity must do to be compliant . . . [and] binds an entity to certain obligations of performance under section 215 of the FPA.”  This information should reside outside the Standard as a NERC Compliance Guidance document.

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company, RF, Segments 1, 3, 4, 5

- 0 - 0

James Anderson, 10/5/2018

- 0 - 0

Richard Jackson, U.S. Bureau of Reclamation, 1, 10/5/2018

- 0 - 0

Dennis Sismaet, Northern California Power Agency, 6, 10/5/2018

- 0 - 0

AECI supports the comments provided by NRECA.

AECI, Segment(s) 1, 3, 6, 5, 4/30/2018

- 0 - 0

The Guidelines and Technical Bases states contracts would serve as evidence, but, in the experience of Idaho Power Company, providing procedural or contractual evidence does not seem to be a satisfactory evidence artifact to provide to the auditors when they are asking for evidence that a task was performed prior to connecting a TCA; they often require something that shows a task was performed. The way it is written makes the auditability vague and subject to a lot of judgement which can create frustration for Responsible Entities if that approach is not consistent.

Laura Nelson, 10/8/2018

- 0 - 0

Eric Ruskamp, Lincoln Electric System, 6, 10/8/2018

- 0 - 0

Vivian Moser, 10/8/2018

- 0 - 0

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 10/8/2018

- 0 - 0

There appears to be a disconnect between the intent as noted in the Guidelines and Technical Basis and the requirement documented in CIP-003-8, Attachment 1, 5.2.2.  See Comment for Q1.

Tyson Archie, Platte River Power Authority, 5, 10/8/2018

- 0 - 0

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Barry Lawson, 10/8/2018

- 0 - 0

The Guidelines and Technical Bases states contracts and vendor change management information would serve as evidence, but, in the experience of Lakeland Electric, providing procedural or contractual evidence does not seem to be a satisfactory evidence artifact to provide to the auditors when they are asking for evidence that a task was performed.  The way it is written makes the auditability vague and subject to a lot of judgement which can create frustration for Responsible Entities if that approach is not consistent.

Larry Watt, Lakeland Electric, 1, 10/9/2018

- 0 - 0

Please refer to comments from the MRO NERC Standards Review Forum (NSRF).

- 0 - 0

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 10/9/2018

- 0 - 0

Heather Morgan, On Behalf of: EDP Renewables North America LLC, , Segments 5

- 0 - 0

faranak sarbaz, Los Angeles Department of Water and Power, 1, 10/9/2018

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 10/9/2018

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Anton Vu, Los Angeles Department of Water and Power, 6, 10/9/2018

- 0 - 0

RSC no Dominion and HQ, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 10/9/2018

- 0 - 0

Douglas Johnson, 10/9/2018

- 0 - 0

Sandra Shaffer, 10/9/2018

- 0 - 0

ACES Standard Collaborations, Segment(s) 5, 1, 3, 10/9/2018

- 0 - 0

Maryanne Darling-Reich, On Behalf of: Black Hills Corporation - WECC - Segments 1, 3, 5, 6

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 10/9/2018

- 0 - 0

Lana Smith, On Behalf of: San Miguel Electric Cooperative, Inc., Texas RE, Segments 5

- 0 - 0

Tho Tran, 10/9/2018

- 0 - 0

Rachel Coyne, Texas Reliability Entity, Inc., 10, 10/9/2018

- 0 - 0

Andrea Barclay, 10/9/2018

- 0 - 0

David Jendras, Ameren - Ameren Services, 3, 10/9/2018

- 0 - 0

ITC is in agreement with statements made by the NSRF:

The NSRF requests that the entire Guideline and Technical Basis section should be removed from the Standard as it may be interpreted as how to meet the Compliance obligations of the Requirements.  FERC Order 693 section 253 states, “The most critical element of a Reliability Standard is the Requirements. As NERC explains, “the Requirements within a standard define what an entity must do to be compliant . . . [and] binds an entity to certain obligations of performance under section 215 of the FPA.”  This information should reside outside the Standard as a NERC Compliance Guidance document.

Stephanie Burns, 10/9/2018

- 0 - 0

Andrey Komissarov, 10/9/2018

- 0 - 0

Eli Rivera, On Behalf of: Central Electric Cooperative, Inc. (Redmond, Oregon), Texas RE, Segments 1

- 0 - 0

William Sanders, 10/9/2018

- 0 - 0

Douglas Webb, 10/9/2018

- 0 - 0

Amber Orr, 10/9/2018

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 10/30/2017

- 0 - 0

Ryan Walter, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

Hot Answers

Daniel Gacek, Exelon, 1, 10/9/2018

- 0 - 0

Constantin Chitescu, On Behalf of: Ontario Power Generation Inc., , Segments 5

- 0 - 0

Other Answers

 

Attachment 2 Section 5 part 2 indicates that contracts must be modified.  Contract may take over 6 months to modify. Consider changing the implementation to span 12 months.

 

- 0 - 0

Jonathan Robbins, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Santee Cooper, Segment(s) 1, 3, 5, 6, 9/28/2018

- 0 - 0

None

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

ReliabilityFirst agrees with the proposed modification.

Anthony Jablonski, ReliabilityFirst , 10, 10/1/2018

- 0 - 0

PPL NERC Registered Affiliates, Segment(s) 1, 3, 5, 6, 9/6/2018

- 0 - 0

FirstEnergy, Segment(s) 4, 3, 5, 6, 9/5/2018

- 0 - 0

Leanna Lamatrice, 10/3/2018

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company, RF, Segments 1, 3, 4, 5

- 0 - 0

James Anderson, 10/5/2018

- 0 - 0

Reclamation recommends CIP-003-8 become effective no earlier than 18 calendar months after the effective date of the applicable governmental authority’s order approving the standard.

Richard Jackson, U.S. Bureau of Reclamation, 1, 10/5/2018

- 0 - 0

Since CIP-003-8 incorporates the same language for Planned and Unplanned Changes in Section 5, as in the proposed CIP-002-6 standard, the revised standard should become effective the first day of the first calendar quarter that is twenty-four (24) calendar months after the effective date of the applicable governmental authority's order approving the standard.

This is to allow additional needed time for entities to prepare, plan, budget, procure, and hire additional labor resources to meet all the applicable reliability standards in becoming a Medium or High Impact entity from an existing Low-Impact entity.  Cost estimates from consultants range anywhere from $100,000.00 for consultant fees only, to $1 million or more depending on computer hardware, facility hardening, and security software.   This is especially burdensome for smaller entities, such as NCPA, who need more time, money, and approvals from its governing board to make sure we have the funds and resources to properly prepare for and meet the new CIP reliability requirements.

Dennis Sismaet, Northern California Power Agency, 6, 10/5/2018

- 0 - 0

AECI supports the comments provided by NRECA.

AECI, Segment(s) 1, 3, 6, 5, 4/30/2018

- 0 - 0

Efforts for TCAs associated with low impact assets and BES Cyber Systems is substantially more work than it was for the high and medium impact locations and systems. The workload is simply due to the sheer volume of locations and people that need to be included in the scope of the procedures. Idaho Power Company is working through the procedural efforts, but a 24-month implementation period seems more appropriate due to the work load of the low impact TCA process build out.

Laura Nelson, 10/8/2018

- 0 - 0

Eric Ruskamp, Lincoln Electric System, 6, 10/8/2018

- 0 - 0

Vivian Moser, 10/8/2018

- 0 - 0

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 10/8/2018

- 0 - 0

Tyson Archie, Platte River Power Authority, 5, 10/8/2018

- 0 - 0

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Barry Lawson, 10/8/2018

- 0 - 0

Efforts for TCAs associated with low impact assets and BES Cyber Systems is substantially more work than it was for the high and medium impact locations and systems. The workload is simply due to the sheer volume of locations and people that need to be included in the scope of the procedures.  Procedural efforts are in progress, but a 24-month implementation period seems more appropriate due to the work load of the low impact TCA process build out.  Also for consideration, Attachment 2 Section 5 part 2 indicates that contracts must be modified.  Contract may take over 6 months to modify. Consider changing the implementation to span a minimum of 12 months.

Larry Watt, Lakeland Electric, 1, 10/9/2018

- 0 - 0

- 0 - 0

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 10/9/2018

- 0 - 0

Heather Morgan, On Behalf of: EDP Renewables North America LLC, , Segments 5

- 0 - 0

faranak sarbaz, Los Angeles Department of Water and Power, 1, 10/9/2018

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 10/9/2018

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Anton Vu, Los Angeles Department of Water and Power, 6, 10/9/2018

- 0 - 0

RSC no Dominion and HQ, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 10/9/2018

- 0 - 0

Douglas Johnson, 10/9/2018

- 0 - 0

Sandra Shaffer, 10/9/2018

- 0 - 0

This change causes an RE to review, change, update, and approve their CIP-003 documentation.  Depending on when the standard is approved, this may not fall within the RE’s 15 month programmatic review of CIP-003.  Consequently, depending on how the RE’s program is designed, programmatic reviews are performed, and changes are implemented, this could have a significant resource impact.  The number of Low Impact BES CS is much greater than M and H making this change much broader and a greater level of effort than we believe the SDT anticipates.

ACES Standard Collaborations, Segment(s) 5, 1, 3, 10/9/2018

- 0 - 0

Maryanne Darling-Reich, On Behalf of: Black Hills Corporation - WECC - Segments 1, 3, 5, 6

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 10/9/2018

- 0 - 0

Lana Smith, On Behalf of: San Miguel Electric Cooperative, Inc., Texas RE, Segments 5

- 0 - 0

Tho Tran, 10/9/2018

- 0 - 0

Rachel Coyne, Texas Reliability Entity, Inc., 10, 10/9/2018

- 0 - 0

Andrea Barclay, 10/9/2018

- 0 - 0

David Jendras, Ameren - Ameren Services, 3, 10/9/2018

- 0 - 0

Do not believe 12 months is a good precedent.

Stephanie Burns, 10/9/2018

- 0 - 0

Andrey Komissarov, 10/9/2018

- 0 - 0

CenterPoint Energy Houston Electric, LLC (“CenterPoint Energy”) recommends the effective date for CIP-003-8 to be 12 calendar months after FERC approval to allow entities time to coordinate with third-parties that connect their Transient Cyber Assets to low impact BES Cyber Systems.

Eli Rivera, On Behalf of: Central Electric Cooperative, Inc. (Redmond, Oregon), Texas RE, Segments 1

- 0 - 0

William Sanders, 10/9/2018

- 0 - 0

Douglas Webb, 10/9/2018

- 0 - 0

Amber Orr, 10/9/2018

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 10/30/2017

- 0 - 0

Ryan Walter, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

Hot Answers

Daniel Gacek, Exelon, 1, 10/9/2018

- 0 - 0

Constantin Chitescu, On Behalf of: Ontario Power Generation Inc., , Segments 5

- 0 - 0

Other Answers

- 0 - 0

No comments regarding modifications. 

Jonathan Robbins, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Section 5.1 Planned and Unplanned Changes specifies 24 calendar months from the date of notification or detection of the Unplanned Change to become compliant with the new rating.

Consider first in the case of a Planner (RC, PC or TP) designating a whole generating station as necessary to avoid Adverse Reliability Impact (2.3) or critical to IROLs (2.6).  Nothing about the BES Cyber Systems at that generating station has changed.  Nothing can be corrected because the change is not based on megawatts or time.  Instead, all the BES Cyber Systems must be made to conform to 8 additional standards.  Some of these existing Low Impact BES Cyber Systems may have to be replaced because they are unsupported by patches and anti-malware.

24 Months is not enough time to take a Low Impact Facility and bring it into compliance as a Medium, especially for a generation facility.  Budgets, new BES System design, equipment delivery, installation of equipment and patching, writing procedures, policy and processes, creating evidence and documentation are required to go from a Low Impact to a Medium Impact System and remain in compliance.  Financially, the impact of this change will cost anywhere from hundreds of thousands to millions at a generating station of any size.  This needs to be a minimum of 48 Months to be completed cost effectively. 

Santee Cooper, Segment(s) 1, 3, 5, 6, 9/28/2018

- 0 - 0

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

ReliabilityFirst agrees with the proposed modification.

Anthony Jablonski, ReliabilityFirst , 10, 10/1/2018

- 0 - 0

PPL NERC Registered Affiliates, Segment(s) 1, 3, 5, 6, 9/6/2018

- 0 - 0

FirstEnergy, Segment(s) 4, 3, 5, 6, 9/5/2018

- 0 - 0

Leanna Lamatrice, 10/3/2018

- 0 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

NO, WE DO NOT AGREE, as the language of the “Planned Changes” treats High, Medium and Low Impact BES Cyber Systems/Assets all the same.  Specifically, when it comes to Low Impact System/Assets, the changes mandate less flexibility and would require immediate, “upon commissioning” compliance and rather than being documented and discovered during the once every 15 calendar months assessment, necessitate real-time tracking of all modification projects that might add to or change Low Impact BES Cyber Systems/Assets.

Additionally:

  • Much of the language dates back to the Implementation Plan of CIP-002 rev 2 and the document,  Implementation Plan for Newly Identified Critical Cyber Assets when the focus was on much more critical and essential cyber assets that could potentially, significantly impact the reliability of the BES.  Applying these same implementation/new milestones (and thus immediately “upon commissioning”) and requirements to Low Impact BES Cyber Systems/Assets is not appropriate to the risk.

  • To put things in perspective, Low Impact BES Cyber Systems/Assets typically would have previously been considered “non-critical” cyber assets under the earlier CIP versions/requirements and thus required zero protections, ever.  Although, this may have resulted previously in some gap in protection, it is with this background that newly identified Low Impact BES Cyber Systems/Assets needs to be viewed. 

  • As such, a compliance implementation milestone table needs to be again utilized for not only Unplanned Changes, but Planned Changes as well.

  • Additionally, keeping in line with the once every 15 calendar months assessment of cyber systems/assets, Planned additions of Low Impact BES Cyber Systems/Assets should not require individual real-time tracking (that would be necessitated with compliance upon commissioning) and instead should be discovered during the once every 15 calendar months assessment and then compliant some time thereafter, following the assessment.  …12 months seems a reasonable duration for this.

  • Further, in contrast and to put things in better perspective, allowing 12 months for a High-Impact BES Cyber System/Asset (Or 24 months if a new asset type) for an Unplanned Change and yet requiring a Low Impact BES Cyber System/Asset as part of a “planned” modification to be compliant upon commissioning makes little sense, especially in a risk-based environment.

  • Planned additions of new (or recently re-categorized) Low Impact systems/assets should have an implementation table commensurate with their low-to-minimal-to-possibly virtually non-existent impact.

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company, RF, Segments 1, 3, 4, 5

- 0 - 0

NO, WE DO NOT AGREE, as the language of the “Planned Changes” treats High, Medium and Low Impact BES Cyber Systems/Assets all the same.  Specifically, when it comes to Low Impact System/Assets, the changes mandate less flexibility and would require immediate, “upon commissioning” compliance and rather than being documented and discovered during the once every 15 calendar months assessment, necessitate real-time tracking of all modification projects that might add to or change Low Impact BES Cyber Systems/Assets.

Additionally:

  • Much of the language dates back to the Implementation Plan of CIP-002 rev 2 and the document,  Implementation Plan for Newly Identified Critical Cyber Assets when the focus was on much more critical and essential cyber assets that could potentially, significantly impact the reliability of the BES.  Applying these same implementation/new milestones (and thus immediately “upon commissioning”) and requirements to Low Impact BES Cyber Systems/Assets is not appropriate to the risk.

  • To put things in perspective, Low Impact BES Cyber Systems/Assets typically would have previously been considered “non-critical” cyber assets under the earlier CIP versions/requirements and thus required zero protections, ever.  Although, this may have resulted previously in some gap in protection, it is with this background that newly identified Low Impact BES Cyber Systems/Assets needs to be viewed. 

  • As such, a compliance implementation milestone table needs to be again utilized for not only Unplanned Changes, but Planned Changes as well.

  • Additionally, keeping in line with the once every 15 calendar months assessment of cyber systems/assets, Planned additions of Low Impact BES Cyber Systems/Assets should not require individual real-time tracking (that would be necessitated with compliance upon commissioning) and instead should be discovered during the once every 15 calendar months assessment and then compliant some time thereafter, following the assessment.  …12 months seems a reasonable duration for this.

  • Further, in contrast and to put things in better perspective, allowing 12 months for a High-Impact BES Cyber System/Asset (Or 24 months if a new asset type) for an Unplanned Change and yet requiring a Low Impact BES Cyber System/Asset as part of a “planned” modification to be compliant upon commissioning makes little sense, especially in a risk-based environment.

  • Planned additions of new (or recently re-categorized) Low Impact systems/assets should have an implementation table commensurate with their low-to-minimal-to-possibly virtually non-existent impact.

James Anderson, 10/5/2018

- 0 - 0

Prior to proposing additional modifications, Reclamation recommends each SDT take additional time to effectively define the scope of each Standard Authorization Request to minimize the costs associated with the planning and adjustments required to achieve compliance with frequently changing requirements. This will provide entities with economical relief by allowing technical compliance with current standards.

Richard Jackson, U.S. Bureau of Reclamation, 1, 10/5/2018

- 0 - 0

There is no reason to change the existing two year time period in preparing to meet the new Medium or High impact CIP reliability requirements.  The new requirement to start the clock running when a contract with a customer is signed to provide control center operation services to manage their generation facilities doesn't make sense if the net real power from the additional 100 MW nameplate capacity only results in 50 MW of net real power during the following summer months.  It is possible that all the work, time, and money spent to go from Low to Medium impact based on a signed contract would be wasted if the net real power never reaches the 1500 MW threshold.

It would be better to keep the existing two year transition period which starts when the net real power reaches the 1500 MW threshold, regardless, when the control center operation service contract gets signed.

Dennis Sismaet, Northern California Power Agency, 6, 10/5/2018

- 0 - 0

AECI supports the comments provided by NRECA.

AECI, Segment(s) 1, 3, 6, 5, 4/30/2018

- 0 - 0

Laura Nelson, 10/8/2018

- 0 - 0

Eric Ruskamp, Lincoln Electric System, 6, 10/8/2018

- 0 - 0

Vivian Moser, 10/8/2018

- 0 - 0

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 10/8/2018

- 0 - 0

Section 5.1 Planned and Unplanned Changes specifies 24 calendar months from the date of notification or detection of the Unplanned Change to become compliant with the new rating. 

Consider first in the case of a Planner (RC, PC or TP) designating a whole generating station as necessary to avoid Adverse Reliability Impact (2.3) or critical to IROLs (2.6).  Nothing about the BES Cyber Systems at that generating station has changed.  Nothing can be corrected because the change is not based on megawatts or time.  Instead, all the BES Cyber Systems must be made to conform to 8 additional standards.  Some of these existing Low Impact BES Cyber Systems may have to be replaced because they are unsupported by patches and anti-malware.

24 Months is not enough time to take a Low Impact Facility and bring it into compliance as a Medium, especially for a generation facility.  Budgets, new BES System design, equipment delivery, installation of equipment and patching, writing procedures, policy and processes, creating evidence and documentation are required to go from a Low Impact to a Medium Impact System and remain in compliance.  Financially, the impact of this change will cost anywhere from hundreds of thousands to millions at a generating station of any size.  This needs to be a minimum of 48 Months to be completed cost effectively. 

Tyson Archie, Platte River Power Authority, 5, 10/8/2018

- 0 - 0

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Barry Lawson, 10/8/2018

- 0 - 0

Section 5.1 Planned and Unplanned Changes specifies 24 calendar months from the date of notification or detection of the Unplanned Change to become compliant with the new rating.

Consider first in the case of a Planner (RC, PC or TP) designating a whole generating station as necessary to avoid Adverse Reliability Impact (2.3) or critical to IROLs (2.6).  Nothing about the BES Cyber Systems at that generating station has changed.  Nothing can be corrected because the change is not based on megawatts or time.  Instead, all the BES Cyber Systems must be made to conform to 8 additional standards.  Some of these existing Low Impact BES Cyber Systems may have to be replaced because they are unsupported by patches and anti-malware.

24 Months is not enough time to take a Low Impact Facility and bring it into compliance as a Medium, especially for a generation facility.  Budgets, new BES System design, equipment delivery, installation of equipment and patching, writing procedures, policy and processes, creating evidence and documentation are required to go from a Low Impact to a Medium Impact System and remain in compliance.  Financially, the impact of this change will cost anywhere from hundreds of thousands to millions at a generating station of any size.  This needs to be a minimum of 48 Months to be completed cost effectively. 

Larry Watt, Lakeland Electric, 1, 10/9/2018

- 0 - 0

- 0 - 0

NO, WE DO NOT AGREE, as the language of the “Planned Changes” treats High, Medium and Low Impact BES Cyber Systems/Assets all the same. Specifically, when it comes to Low Impact System/Assets, the changes mandate less flexibility and would require immediate, “upon commissioning” compliance and rather than being documented and discovered during the once every 15 calendar months assessment, necessitate real-time tracking of all modification projects that might add to or change Low Impact BES Cyber Systems/Assets.

Additionally:

  • Much of the language dates back to the Implementation Plan of CIP-002 rev 2 and the document, Implementation Plan for Newly Identified Critical Cyber Assets, when the focus was on much more critical and essential cyber assets that could potentially, significantly impact the reliability of the BES. Applying these same implementation/new milestones (and thus immediately “upon commissioning”) and requirements to Low Impact BES Cyber Systems/Assets is not appropriate to the risk.

  • To put things in perspective, Low Impact BES Cyber Systems/Assets typically would have previously been considered “non-critical” cyber assets under the earlier CIP versions/requirements and thus required zero protections, ever. Although this may have resulted previously in some gap in protection, it is with this background that newly identified Low Impact BES Cyber Systems/Assets need to be viewed.

  • As such, a compliance implementation milestone table needs to be again utilized for not only Unplanned Changes, but Planned Changes as well.

  • Additionally, keeping in line with the once every 15 calendar months assessment of cyber systems/assets, Planned additions of Low Impact BES Cyber Systems/Assets should not require individual real-time tracking (that would be necessitated with compliance upon commissioning) and instead should be discovered during the once every 15 calendar months assessment and then compliant some time thereafter, following the assessment.  …12 months seems a reasonable duration for this.

  • Further, in contrast and to put things in better perspective, allowing 12 months for a High-Impact BES Cyber System/Asset (Or 24 months if a new asset type) for an Unplanned Change and yet requiring a Low Impact BES Cyber System/Asset as part of a “planned” modification to be compliant upon commissioning makes little sense, especially in a risk-based environment.

  • Planned additions of new (or recently re-categorized) Low Impact systems/assets should have an implementation table commensurate with their low-to-minimal-to-possibly virtually non-existent impact.

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 10/9/2018

- 0 - 0

Heather Morgan, On Behalf of: EDP Renewables North America LLC, , Segments 5

- 0 - 0

faranak sarbaz, Los Angeles Department of Water and Power, 1, 10/9/2018

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 10/9/2018

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Anton Vu, Los Angeles Department of Water and Power, 6, 10/9/2018

- 0 - 0

RSC no Dominion and HQ, Segment(s) 10, 2, 4, 5, 7, 1, 3, 6, 0, 10/9/2018

- 0 - 0

Douglas Johnson, 10/9/2018

- 0 - 0

Sandra Shaffer, 10/9/2018

- 0 - 0

By changing the Implementation Plan to be effective based on the RE’s 15 month review of CIP-003 or 15 calendar months, instead of the planned dates, it allows the RE to plan for changes to its program during a normal review period.

 

We thank the SDT for allowing us to provide comments on these standards and providing clarity.

ACES Standard Collaborations, Segment(s) 5, 1, 3, 10/9/2018

- 0 - 0

Maryanne Darling-Reich, On Behalf of: Black Hills Corporation - WECC - Segments 1, 3, 5, 6

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 10/9/2018

- 0 - 0

Lana Smith, On Behalf of: San Miguel Electric Cooperative, Inc., Texas RE, Segments 5

- 0 - 0

Tho Tran, 10/9/2018

- 0 - 0

Rachel Coyne, Texas Reliability Entity, Inc., 10, 10/9/2018

- 0 - 0

Andrea Barclay, 10/9/2018

- 0 - 0

David Jendras, Ameren - Ameren Services, 3, 10/9/2018

- 0 - 0

Stephanie Burns, 10/9/2018

- 0 - 0

Andrey Komissarov, 10/9/2018

- 0 - 0

No response.

Eli Rivera, On Behalf of: Central Electric Cooperative, Inc. (Redmond, Oregon), Texas RE, Segments 1

- 0 - 0

William Sanders, 10/9/2018

- 0 - 0

Douglas Webb, 10/9/2018

- 0 - 0

Amber Orr, 10/9/2018

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 10/30/2017

- 0 - 0

Ryan Walter, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0