
2016-02 Modifications to CIP Standards | CIP-002-6 (Draft 4)

Description:

Start Date: 11/01/2019
End Date: 12/16/2019

Associated Ballots:

Ballot Name: 2016-02 Modifications to CIP Standards CIP-002-6 AB 4 ST
Project: 2016-02 Modifications to CIP Standards
Standard: CIP-002-6
Pool Open: 09/14/2017
Pool Close: 07/02/2019
Voting Start: 12/06/2019
Voting End: 12/16/2019


Hot Answers

I don't believe the standard was unclear before. I believe NERC, FERC, and Regional Entities were overreaching and should have been more reasonable and less overreaching. For instance:

New IRC 2.12 does not need to say BES Transmission lines or Monitored and Controlled.  CIP-002-5.1a Page 2 Applicability Section 4.2.2 already says “All BES Facilities” it does not say non-BES facilities!  Further, the GTB (CIP-002-5.1a GTB page 18) already mentions both Control and Monitor have to occur for a generator's or transmission line’s capability to be included in an IRC 2.11 or 2.12 evaluation.

I believe this is all being done because FERC incorrectly produced section 3 page 10 of https://ferc.gov/legal/staff-reports/2017/10-06-17-CIP-audits-report.pdf.  FERC’s report says “For example, Criteria 2.11 requires categorization as Medium Impact of all Control Centers or backup Control Centers, not already categorized as High Impact, used to perform the functional obligations of the Generator Operator for an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. To determine whether a generation Control Center or back-up Control Center meets the 1500 MW threshold, the MW capacity of both BES generation and non-BES generation are considered. During audit fieldwork, staff found that some entities were only considering BES generation in applying Criteria 2.11, and therefore excluding all “non-BES generation” in their calculations. Footnote 9.”  Footnote 9 on Page 10 says “CIP-002-5.1a Attachment 1 does not define, or differentiate between, the terms “BES Generation,” and “Non-BES Generation.””  Why would a GOP perform functional obligations of a GOP for a non-BES Generator? Non-registered entities that run generation don’t need to!  You don’t have a CFR for a non-BES unit!  There are no NERC obligations for a non-BES Unit!

In my view FERC’s footnote 9 is misleading: CIP-002-5.1a GTB page 17 clearly says: While the NERC Glossary term “Facilities” already includes the BES characteristic, the additional use of the term BES here is meant to reinforce the scope of applicability of these Facilities where it is used, especially in this applicability scoping section. This in effect sets the scope of Facilities, systems, and equipment that is subject to the standards. This section is especially significant in CIP-002-5.1a and represents the total scope of Facilities, systems, and equipment to which the criteria in Attachment 1 apply. (The IRCs are all in Attachment 1, thus only BES Generator and Lines are to be considered for IRC 2.11 and 2.12!)  Consequently, there is no need to consider non-BES generation since Items in Attachment 1 pertain to BES Facilities only.

Additionally, FERC and NERC still have not answered my questions raised during drafting team phone/webinar meetings "What Generator or Transmission Operator Services does a GOP/TOP provide a non-BES generator/transmission line/substation?"

Why would a GOP/TOP provide said unnecessary services when entities that are not NERC registered who own and run generators and transmission lines don't need to provide GOP/TOP services to the very same/similar non-BES assets? 

It is unfair to require GOP/TOPs to incur extra NERC Compliance costs for their Control Centers due to non-BES assets capability inclusion.  NERC rules clearly state "A reliability standard shall not give any market participant an unfair competitive advantage".  Making GOPs/TOPs pay Control Center compliance costs for non-BES assets they operate is unfair as non-GOPs that own and run the same/similar units do not have to pay extra NERC cost for non-BES assets they control and monitor from a central location(s).

It is ironic that NERC recently had another Project recently up for Ballot “Moving Technical Rationale Sections” out of standards.  Why? NERC/FERC are already ignoring the GTB and the applicability sections too?  Waste of money and more confusion; have to reference several documents to comply with a single standard.

Marty Hostler, Northern California Power Agency, 4, 12/16/2019

- 0 - 0

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 12/16/2019

- 0 - 0

Other Answers

Terry Volkmann, Glencoe Light and Power Commission, 1, 11/4/2019

- 0 - 0

The changes add clarification, however, the extremely long sentences are awkward and will cause confusion in application of the approved standards.

Kevin Conway, On Behalf of: Public Utility District No. 1 of Pend Oreille County, , Segments 1, 3, 5, 6

- 0 - 0

EWEB believes that criterion 2.12 places undue hardship on utilities that have a robust system. EWEB’s system is designed to provide reliable load; however, due to the new, ambiguous aggregate rating, EWEB would be classified as a Medium Impact entity. The new criterion places undue hardships on smaller utilities that do not have the resources available to efficiently comply with the CIP Medium Impact Standards.

Instead of the SDT pulling more entities into the Medium Impact Category, EWEB suggests that the CIP Low requirements be enhanced to establish greater Critical Infrastructure Protection. The difference between the CIP Low and CIP Medium Requirements is drastic, closing this gap would enhance security without over-burdening smaller entities that pose little to no threat to the BES.

An alternative to the aggregate weight of number of lines a Transmission Owner has could be the total distance of lines owned in kV categories.

James Baldwin, On Behalf of: Eugene Water and Electric Board, WECC, Segments 1, 3

- 0 - 0

Chinedu Ochonogor, 12/1/2019

- 0 - 0

Kjersti Drott, 12/2/2019

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 12/3/2019

- 0 - 0

None

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Laura Nelson, 12/6/2019

- 0 - 0

Jeff Ipsaro, Silicon Valley Power - City of Santa Clara, 4, 12/6/2019

- 0 - 0

Richard Jackson, U.S. Bureau of Reclamation, 1, 12/6/2019

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 12/6/2019

- 0 - 0

Val Ridad, Silicon Valley Power - City of Santa Clara, 3, 12/6/2019

- 0 - 0

Andrea Barclay, 12/9/2019

- 0 - 0

We agree with the drafting team, but we believe that Criterion 2.12 should be expanded so that any Control Center that operates a Medium Impact substation is considered a Medium Impact BES Cyber System (BCS).

David Jendras, Ameren - Ameren Services, 3, 12/9/2019

- 0 - 0

Maryanne Darling-Reich, On Behalf of: Black Hills Corporation - MRO, WECC - Segments 1, 3, 5, 6

- 0 - 0

Tho Tran, On Behalf of: Lee Maurer, Oncor Electric Delivery, 1

- 0 - 0

Bruce Reimer, Manitoba Hydro , 1, 12/10/2019

- 0 - 0

The “aggregate weighted value” concept of Criterion 2.12 is acceptable. However, Criterion 2.12 uses the phrase, “used to perform the reliability tasks of a Transmission Operator in real-time to monitor and control BES Transmission Lines” while Criterion 1.3 uses the different phrase, “used to perform the functional obligations of the Transmission Operator.” The two criteria should use the same language in order to prevent gaps in applicability between the two criteria.

Anthony Jablonski, ReliabilityFirst , 10, 12/10/2019

- 0 - 0

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 12/11/2019

- 0 - 0

Kent Feliks, AEP, 3, 12/12/2019

- 0 - 0

Stacy Lee, City of College Station, 1, 12/12/2019

- 0 - 0

Exelon agrees with and supports the proposed modification in CIP-002-6 Attachment 1, Criterion 2.12.

Daniel Gacek, Exelon, 1, 12/12/2019

- 0 - 0

Westar Energy and Kansas City Power & Light support Edison Electric Institute’s response.

Westar-KCPL, Segment(s) 1, 3, 5, 6, 12/18/2018

- 0 - 0

Tim Womack, 12/12/2019

- 0 - 0

N/A

Carl Pineault, On Behalf of: Hydro-Québec Production, , Segments 1, 5

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 12/13/2019

- 0 - 0

FE Voter, Segment(s) 1, 3, 5, 6, 4, 10/31/2019

- 0 - 0

Southern Company agrees with the proposed modification and appreciates the establishment of a bright line criteria between Low and Medium Impact Control Centers.  The proposed change provides Registered Entities clarity which will help ensure that they have properly and consistently classified their BES facilities and assets.

 

Southern Company, Segment(s) 1, 3, 5, 6, 12/13/2019

- 0 - 0

Barry Lawson, 12/13/2019

- 0 - 0

Duke Energy generally agrees with the proposed modifications in CIP-002-6 Attachment 1, Criterion 2.12. 

Masuncha Bussey, On Behalf of: Duke Energy - SERC - Segments 1, 3, 5, 6

- 0 - 0

None

Michael Johnson, On Behalf of: Marco Rios, Pacific Gas and Electric Company, 1,3,5

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 1, 3, 4, 5

- 0 - 0

Kagen DelRio, On Behalf of: Luis Fondacci, North Carolina Electric Membership Corporation, 3,4,5; doug white, North Carolina Electric Membership Corporation, 3,4,5; John Cook, North Carolina Electric Membership Corporation, 3,4,5

- 0 - 0

Bobbi Welch, Midcontinent ISO, Inc., 2, 12/16/2019

- 0 - 0

As previously submitted, Texas RE is concerned the proposed modifications could lead to Transmission Owners (TO) performing functional obligations of Transmission Operators (TOP) or just TOP that currently have medium impact BES Cyber Systems because of 2.12; to become low impact.  

  • TO’s performing functional obligations of TOP’s and TOP Control Centers operating BES Transmission Lines less than 200 kV will go from having medium impact BES Cyber Systems to low impact BES Cyber Systems if the BES Transmission Lines do not have an "aggregate weighted value" exceeding 6000 according to the table in 2.12.

  • Texas RE is concerned this will have a negative impact on reliability since less BES assets and BES Cyber Systems would be protected under the proposed revisions and become low impact.

    • There are no baselining, vulnerability assessment, ports and services, security patching, malicious code prevention, etc… Requirements for assets that contain low impact BES Cyber Systems.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 12/16/2019

- 0 - 0

EEI agrees with and supports the proposed modification in CIP-002-6 Attachment 1, Criterion 2.12.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

RSC, Segment(s) 10, 2, 4, 5, 7, 3, 1, 0, 6, 12/12/2019

- 0 - 0

- 0 - 0

AECI, Segment(s) 1, 3, 6, 5, 5/31/2019

- 0 - 0

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 12/16/2019

- 0 - 0

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1, 3, 5, 6

- 0 - 0

Similar to Criteria 2.5, Criteria 2.12 should only count lines connected to substations by three or more BES transmission lines.  As written, the criteria overestimates the impact of small distribution substations that have a transmission line looped through the substation rather than just tapping the transmission line. As an example, consider a 115 kV transmission line connecting two major substations.  Connected to this transmission line are five small unit substations serving load.  Under the SDT proposal, if local distribution substations are tapped off of the line, the total weighted value would be 250.  If the line is looped through each distribution substation, the line would instead have a weighted value of 1500.  The looped through line typically has much better reliability, so weighting it six times worse seems inconsistent with improved reliability.

A previous Considerations of Comments stated that the value of 6000 was based on NERC’s document “Integrated Risk Assessment Approach – Refinement to Severity Risk Index. https://www.nerc.com/docs/pc/rmwg/SRI_Equation_Refinement_May6_2011.pdf” However, the SRI does not actually address lines less than 200 kV.  The SRI was written in 2011, based on TADS data available at the time.  TADS did not include complete reliability information on lines less than 200 kV until 2014.  Lines below 200 kV are typically configured differently than lines above 200 kV, with lower voltage lines often directly serving load.  The SRI equation includes terms for both lost transmission lines and for lost load. Since lower voltage lines are much more likely than higher voltage lines to directly serve load, extrapolating data from higher voltages will incorrectly categorize risk.

Marc Donaldson, Tacoma Public Utilities (Tacoma, WA), 3, 12/16/2019

- 0 - 0

Lana Smith, San Miguel Electric Cooperative, Inc., 5, 12/16/2019

- 0 - 0

Alan Johnson, On Behalf of: NRG - NRG Energy, Inc., MRO, WECC, Texas RE, NPCC, SERC, RF, Segments 5, 6

- 0 - 0

ACES Standard Collaborations, Segment(s) 1, 5, 3, 12/16/2019

- 0 - 0

Sandra Shaffer, 12/16/2019

- 0 - 0

Constantin Chitescu, Ontario Power Generation Inc., 5, 12/16/2019

- 0 - 0

See EEI comments.

Clay Walker, On Behalf of: Cleco Corporation - SERC - Segments 1, 3, 5, 6

- 0 - 0

Pam Feuerstein, Intermountain REA, 3, 12/16/2019

- 0 - 0

In Section 2.12 , the phrase "...BES Transmission Lines with a..." should be revised to "...BES Transmission Lines and any other transmission lines operated at 60 kV and above with a...".

Spencer Tacke, Modesto Irrigation District, 4, 12/16/2019

- 0 - 0

Hot Answers

Planned and unplanned language was never in the SAR and never should have been debated.  And never should be.  NERC/FERC was trying to take a GOP empirical operations based data IRC 2.11 and change it to an unproven theoretically based criteria (Planned Changes).  Totally unreasonable over regulation attempts.

 

Please I praise the STD for reverting back to the old implementation plan.  But it was changed a little bit or word order changes.  Why couldn't language be really reverted back to "current state"?

Marty Hostler, Northern California Power Agency, 4, 12/16/2019

- 0 - 0

We understand future revisions CIP-002 are currently being planned to address this, but would like to offer our comments pertaining to the subject as addressed in this revision.  We prefer the draft version CIP-002-6 from 06/03/2019 where the proposed planned and unplanned language was made into subsections of the Effective Dates section. We feel that making this change gave entities a stronger legal basis for determining compliance due dates and operational definitions for newly identified BES Cyber Systems when planned or unplanned changes occur.  The examples in the planned changes section contradict what the definition paragraph states for planned changes -  

“Planned changes refer to any changes of the electric system or BES Cyber System which were planned and implemented by the responsible entity and subsequently identified through the annual assessment under CIP-002-6, Requirement R2.”

The “and” in the statement above seems to remove the requirement to have the BES Cyber System compliant prior to the date that the system can impact the Bulk Electric System.  This would imply that there is a task to assess the new BES Cyber System’s compliance to the CIP standards before the required 15 month R2 review.  This seems to create risk to the BES, considering that the BES Cyber System could be in operation for a period of time where it may or may not have all of the CIP controls applied to it.

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 12/16/2019

- 0 - 0

Other Answers

Terry Volkmann, Glencoe Light and Power Commission, 1, 11/4/2019

- 0 - 0

Kevin Conway, On Behalf of: Public Utility District No. 1 of Pend Oreille County, , Segments 1, 3, 5, 6

- 0 - 0

James Baldwin, On Behalf of: Eugene Water and Electric Board, WECC, Segments 1, 3

- 0 - 0

Chinedu Ochonogor, 12/1/2019

- 0 - 0

Kjersti Drott, 12/2/2019

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 12/3/2019

- 0 - 0

None

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Laura Nelson, 12/6/2019

- 0 - 0

Jeff Ipsaro, Silicon Valley Power - City of Santa Clara, 4, 12/6/2019

- 0 - 0

Reclamation supports the concept of different compliance implementation dates for planned versus unplanned changes. Reclamation recommends the compliance implementation date be calculated from the date the modified BES Cyber System is capable of impacting the BES. This will allow time for testing and returning existing equipment to service without the need to document compliance of equipment that is not capable of causing an adverse reliability impact.

Richard Jackson, U.S. Bureau of Reclamation, 1, 12/6/2019

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 12/6/2019

- 0 - 0

Val Ridad, Silicon Valley Power - City of Santa Clara, 3, 12/6/2019

- 0 - 0

GSOC has identified a potential gap in the language intended to address initial performance of periodic requirements. The language in the planned changes section of the implementation plan refers to all CIP Reliability Standards.  However, the current language in the initial performance of certain periodic requirements appears to address only CIP-002-6 and does not address periodic requirements contained in CIP-003-CIP-011. Accordingly, responsible entity obligations relative to periodic requirements contained in CIP-003-CIP-011 are unclear. To facilitate a clear understanding of responsible entity obligations relative to other periodic requirements, GSOC recommends that the initial performance of certain periodic requirements be revised to state:

After a cyber asset has been categorized under CIP-002-6, Requirement R1, responsible entities shall initially comply with any applicable periodic requirements in CIP Reliability Standards in accordance with the periodicity specified in the applicable requirement.

Andrea Barclay, 12/9/2019

- 0 - 0

Ameren supports EEI comments for this question; therefore we support the proposed modification.

David Jendras, Ameren - Ameren Services, 3, 12/9/2019

- 0 - 0

Maryanne Darling-Reich, On Behalf of: Black Hills Corporation - MRO, WECC - Segments 1, 3, 5, 6

- 0 - 0

Tho Tran, On Behalf of: Lee Maurer, Oncor Electric Delivery, 1

- 0 - 0

Bruce Reimer, Manitoba Hydro , 1, 12/10/2019

- 0 - 0

Anthony Jablonski, ReliabilityFirst , 10, 12/10/2019

- 0 - 0

The existing language from the CIP-002-5.1a Implementation Plan moved into the CIP-002-6 Implementation Plan provides shorter implementation periods than the Planned and Unplanned Changes section stricken from CIP-002-6 Draft 3. Specifically, Draft 3 provided 24 calendar months for unplanned changes resulting in new BES Cyber Systems or a higher categorization for existing BES Cyber Systems, whereas the new Implementation Plan only provides 12 months. The wording of Question 2 does not make that clear. Request industry be advised of this impact.

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 12/11/2019

- 0 - 0

Kent Feliks, AEP, 3, 12/12/2019

- 0 - 0

Stacy Lee, City of College Station, 1, 12/12/2019

- 0 - 0

Exelon supports the proposed modification.

Daniel Gacek, Exelon, 1, 12/12/2019

- 0 - 0

Westar Energy and Kansas City Power & Light support Edison Electric Institute’s response.

Westar-KCPL, Segment(s) 1, 3, 5, 6, 12/18/2018

- 0 - 0

Tim Womack, 12/12/2019

- 0 - 0

Carl Pineault, On Behalf of: Hydro-Québec Production, , Segments 1, 5

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 12/13/2019

- 0 - 0

We agree with the change, however it should be clear that the implementation schedule is applicable to any of the unplanned change type listed on the table of CIP-002-6 on page 3 and is enforceable going forward, not just during transition from CIP-002-5.1a to CIP-002-6.

FE Voter, Segment(s) 1, 3, 5, 6, 4, 10/31/2019

- 0 - 0

Southern agrees with reverting this wording back to the “current state”.  Moving this proposed change to a separate SAR will give the SDT and the industry much needed time to fully explore additional options and appropriately weigh any compliance risk associated with the change. 

Southern Company, Segment(s) 1, 3, 5, 6, 12/13/2019

- 0 - 0

NRECA has identified a potential gap in the language intended to address initial performance of periodic requirements. The language in the “Planned Changes” section of the implementation plan refers to all CIP Reliability Standards.  However, the current language in the “Initial Performance of Periodic Requirements” section appears to address only CIP-002-6 and does not address periodic requirements contained in CIP-003-CIP-011. Accordingly, responsible entity obligations relative to periodic requirements contained in CIP-003-CIP-011 are unclear. To facilitate a clear understanding of responsible entity obligations relative to other periodic requirements, NRECA recommends that the “Initial Performance of Periodic Requirements” section be revised to state:

“After a cyber asset has been categorized under CIP-002-6, Requirement R1, responsible entities shall initially comply with any applicable periodic requirements in CIP Reliability Standards in accordance with the periodicity specified in the applicable requirement.”

Additionally, NRECA believes further clarification and guidance is needed to ensure consistent application of “Planned” and “Unplanned” changes, especially as it relates to who made the change(s) and if this impacted any adjacent or other facilities not included in the direct scope of the planned project.  NRECA recommends that the SDT examine how this can be clarified in the standard, Supplemental Material, or Guidelines and Technical Basis. 

Barry Lawson, 12/13/2019

- 0 - 0

Duke Energy generally agrees with the proposed modifications. However, the speed in which solar sites are being built does not allow sufficient time to build physical security controls without delaying solar connection to the grid. Duke would like to see an implementation plan for newly built generation which allows the registered entity a specified amount of time (6 months) to complete compliance tasks and documentation.

Duke Energy would like the unplanned change definition to include purchases of new generation as well. The registered entity knows the purchase is taking place, but the plant will need to be included in the Duke program after the purchase date.

Masuncha Bussey, On Behalf of: Duke Energy - SERC - Segments 1, 3, 5, 6

- 0 - 0

PG&E appreciates the SDT reverting the Planned and Unplanned Changes back to the original CIP-005-5 conditions until an appropriate SAR can be proposed to address the conditions raised in the July 2019 CIP-002-6 comment and ballot.

Michael Johnson, On Behalf of: Marco Rios, Pacific Gas and Electric Company, 1,3,5

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 1, 3, 4, 5

- 0 - 0

NCEMC supports NRECA's Comments

Kagen DelRio, On Behalf of: Luis Fondacci, North Carolina Electric Membership Corporation, 3,4,5; doug white, North Carolina Electric Membership Corporation, 3,4,5; John Cook, North Carolina Electric Membership Corporation, 3,4,5

- 0 - 0

Bobbi Welch, Midcontinent ISO, Inc., 2, 12/16/2019

- 0 - 0

Texas RE recommends including additional examples under Planned Changes to include Generation Facilities and Control Centers. Responsible Entities have struggled with the interpretation of what “upon the commissioning” means.

 

Texas RE noticed the following:

  • “Responsible Entities” is capitalized throughout the Standard but not in the Implementation Plan.  Texas RE recommends the term be capitalized and the language explaining “Responsible Entities” added for clarity and consistency.

  • In the table for “unplanned changes” the term “Medium-Impact” is capitalized/hyphenated and should not be for consistency.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 12/16/2019

- 0 - 0

EEI supports the proposed modification.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

RSC, Segment(s) 10, 2, 4, 5, 7, 3, 1, 0, 6, 12/12/2019

- 0 - 0

- 0 - 0

AECI supports comments filed by NRECA as such:

NRECA has identified a potential gap in the language intended to address initial performance of periodic requirements. The language in the “Planned Changes” section of the implementation plan refers to all CIP Reliability Standards.  However, the current language in the “Initial Performance of Periodic Requirements” section appears to address only CIP-002-6 and does not address periodic requirements contained in CIP-003-CIP-011. Accordingly, responsible entity obligations relative to periodic requirements contained in CIP-003-CIP-011 are unclear. To facilitate a clear understanding of responsible entity obligations relative to other periodic requirements, NRECA recommends that the “Initial Performance of Periodic Requirements” section be revised to state:

“After a cyber asset has been categorized under CIP-002-6, Requirement R1, responsible entities shall initially comply with any applicable periodic requirements in CIP Reliability Standards in accordance with the periodicity specified in the applicable requirement.”

Additionally, NRECA believes further clarification and guidance is needed to ensure consistent application of “Planned” and “Unplanned” changes, especially as it relates to who made the change(s) and if this impacted any adjacent or other facilities not included in the direct scope of the planned project.  NRECA recommends that the SDT examine how this can be clarified in the standard, Supplemental Material, or Guidelines and Technical Basis.

AECI, Segment(s) 1, 3, 6, 5, 5/31/2019

- 0 - 0

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 12/16/2019

- 0 - 0

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1, 3, 5, 6

- 0 - 0

Marc Donaldson, Tacoma Public Utilities (Tacoma, WA), 3, 12/16/2019

- 0 - 0

San Miguel agrees with comments submitted by NRECA.

Lana Smith, San Miguel Electric Cooperative, Inc., 5, 12/16/2019

- 0 - 0

Alan Johnson, On Behalf of: NRG - NRG Energy, Inc., MRO, WECC, Texas RE, NPCC, SERC, RF, Segments 5, 6

- 0 - 0

ACES Standard Collaborations, Segment(s) 1, 5, 3, 12/16/2019

- 0 - 0

We understand future revisions CIP-002 are currently being planned to address this, but would like to offer our comments pertaining to the subject as addressed in this revision.  We prefer the draft version CIP-002-6 from 06/03/2019 where the proposed planned and unplanned language was made into subsections of the Effective Dates section. We feel that making this change gave entities a stronger legal basis for determining compliance due dates and operational definitions for newly identified BES Cyber Systems when planned or unplanned changes occur.  The proposed language for planned and unplanned changes in the current implementation plan removed the rigor to ensure that BES Cyber Systems that can impact the Bulk Electric System are compliant to the CIP Standards within the timeframes specified for planned or unplanned changes.  The examples in the planned changes section contradict what the definition paragraph states for planned changes -

“Planned changes refer to any changes of the electric system or BES Cyber System which were planned and implemented by the responsible entity and subsequently identified through the annual assessment under CIP-002-6, Requirement R2.”

The “and” in the statement above seems to remove the requirement to have the BES Cyber System compliant prior to the date that the system can impact the Bulk Electric System.  This would imply that there is a task to assess the new BES Cyber System’s compliance to the CIP standards before the required 15 month R2 review.  This seems to create risk to the BES, considering that the BES Cyber System could be in operation for a period of time where it may or may not have all of the CIP controls applied to it.

Sandra Shaffer, 12/16/2019

- 0 - 0

Constantin Chitescu, Ontario Power Generation Inc., 5, 12/16/2019

- 0 - 0

See EEI comments.

Clay Walker, On Behalf of: Cleco Corporation - SERC - Segments 1, 3, 5, 6

- 0 - 0

Pam Feuerstein, Intermountain REA, 3, 12/16/2019

- 0 - 0

Spencer Tacke, Modesto Irrigation District, 4, 12/16/2019

- 0 - 0

Hot Answers

No. NERC needs to include a real cost estimate.  Take a look at a recent WECC Controls webinar and include those costs too in all standards.

Marty Hostler, Northern California Power Agency, 4, 12/16/2019

- 0 - 0

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 12/16/2019

- 0 - 0

Other Answers

Terry Volkmann, Glencoe Light and Power Commission, 1, 11/4/2019

- 0 - 0

Kevin Conway, On Behalf of: Public Utility District No. 1 of Pend Oreille County, , Segments 1, 3, 5, 6

- 0 - 0

Instead of the SDT pulling more entities into the Medium Impact Category, EWEB suggests that the CIP Low requirements be enhanced to establish greater Critical Infrastructure Protection. The difference between the CIP Low and CIP Medium Requirements is drastic, closing this gap would enhance security without over-burdening smaller entities that pose little to no threat to the BES.

James Baldwin, On Behalf of: Eugene Water and Electric Board, WECC, Segments 1, 3

- 0 - 0

Chinedu Ochonogor, 12/1/2019

- 0 - 0

Kjersti Drott, 12/2/2019

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 12/3/2019

- 0 - 0

None

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Laura Nelson, 12/6/2019

- 0 - 0

Jeff Ipsaro, Silicon Valley Power - City of Santa Clara, 4, 12/6/2019

- 0 - 0

Richard Jackson, U.S. Bureau of Reclamation, 1, 12/6/2019

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 12/6/2019

- 0 - 0

Val Ridad, Silicon Valley Power - City of Santa Clara, 3, 12/6/2019

- 0 - 0

Andrea Barclay, 12/9/2019

- 0 - 0

Ameren supports EEI comments for this question; therefore we will not submit comments on cost effectiveness of the proposed changes.

David Jendras, Ameren - Ameren Services, 3, 12/9/2019

- 0 - 0

Maryanne Darling-Reich, On Behalf of: Black Hills Corporation - MRO, WECC - Segments 1, 3, 5, 6

- 0 - 0

Tho Tran, On Behalf of: Lee Maurer, Oncor Electric Delivery, 1

- 0 - 0

Bruce Reimer, Manitoba Hydro , 1, 12/10/2019

- 0 - 0

Anthony Jablonski, ReliabilityFirst , 10, 12/10/2019

- 0 - 0

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 12/11/2019

- 0 - 0

Kent Feliks, AEP, 3, 12/12/2019

- 0 - 0

Stacy Lee, City of College Station, 1, 12/12/2019

- 0 - 0

Exelon supports the proposed modification in terms of the flexibility it provides to meet reliability objectives in a cost effective manner.

Daniel Gacek, Exelon, 1, 12/12/2019

- 0 - 0

Westar Energy and Kansas City Power & Light support Edison Electric Institute’s response.

Westar-KCPL, Segment(s) 1, 3, 5, 6, 12/18/2018

- 0 - 0

Tim Womack, 12/12/2019

- 0 - 0

Carl Pineault, On Behalf of: Hydro-Québec Production, , Segments 1, 5

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 12/13/2019

- 0 - 0

FE Voter, Segment(s) 1, 3, 5, 6, 4, 10/31/2019

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 12/13/2019

- 0 - 0

Barry Lawson, 12/13/2019

- 0 - 0

Duke Energy generally does not agree that the proposed modifications in CIP-002-6 are cost effective. Duke Energy generally does not agree that they pose a financial burden.

Masuncha Bussey, On Behalf of: Duke Energy - SERC - Segments 1, 3, 5, 6

- 0 - 0

As provided in PG&E comments as part of the July 2019 comment and ballot period, PG&E believes the 24 month time-frame is sufficient to apply the necessary Requirement changes when the impact rating goes from low to medium, or medium to high.  While PG&E has not experienced changes in impact rating that would elevate a BCS impact rating, our experience on the application of the Requirements for medium and high BCS does not suggest a longer time-frame would be necessary.

Michael Johnson, On Behalf of: Marco Rios, Pacific Gas and Electric Company, 1,3,5

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 1, 3, 4, 5

- 0 - 0

Kagen DelRio, On Behalf of: Luis Fondacci, North Carolina Electric Membership Corporation, 3,4,5; doug white, North Carolina Electric Membership Corporation, 3,4,5; John Cook, North Carolina Electric Membership Corporation, 3,4,5

- 0 - 0

Bobbi Welch, Midcontinent ISO, Inc., 2, 12/16/2019

- 0 - 0

Texas RE does not have comments on this question.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 12/16/2019

- 0 - 0

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

RSC, Segment(s) 10, 2, 4, 5, 7, 3, 1, 0, 6, 12/12/2019

- 0 - 0

- 0 - 0

AECI, Segment(s) 1, 3, 6, 5, 5/31/2019

- 0 - 0

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 12/16/2019

- 0 - 0

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1, 3, 5, 6

- 0 - 0

Marc Donaldson, Tacoma Public Utilities (Tacoma, WA), 3, 12/16/2019

- 0 - 0

Lana Smith, San Miguel Electric Cooperative, Inc., 5, 12/16/2019

- 0 - 0

Alan Johnson, On Behalf of: NRG - NRG Energy, Inc., MRO, WECC, Texas RE, NPCC, SERC, RF, Segments 5, 6

- 0 - 0

ACES Standard Collaborations, Segment(s) 1, 5, 3, 12/16/2019

- 0 - 0

none

Sandra Shaffer, 12/16/2019

- 0 - 0

Constantin Chitescu, Ontario Power Generation Inc., 5, 12/16/2019

- 0 - 0

See EEI comments.

Clay Walker, On Behalf of: Cleco Corporation - SERC - Segments 1, 3, 5, 6

- 0 - 0

Pam Feuerstein, Intermountain REA, 3, 12/16/2019

- 0 - 0

Spencer Tacke, Modesto Irrigation District, 4, 12/16/2019

- 0 - 0

Hot Answers

New IRC 2.12 does not need to say BES Transmission lines or Monitored and Controlled.  CIP-002-5.1a Page 2 Applicability Section 4.2.2 already says “All BES Facilities” it does not say non-BES facilities!  Further, the GTB (CIP-002-5.1a GTB page 18) already mentions both Control and Monitor have to occur for a generator's or transmission line’s capability to be included in an IRC 2.11 or 2.12 evaluation.

I believe this is all being done because FERC incorrectly produced section 3 page 10 of https://ferc.gov/legal/staff-reports/2017/10-06-17-CIP-audits-report.pdf.  FERC’s report says “For example, Criteria 2.11 requires categorization as Medium Impact of all Control Centers or backup Control Centers, not already categorized as High Impact, used to perform the functional obligations of the Generator Operator for an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. To determine whether a generation Control Center or back-up Control Center meets the 1500 MW threshold, the MW capacity of both BES generation and non-BES generation are considered. During audit fieldwork, staff found that some entities were only considering BES generation in applying Criteria 2.11, and therefore excluding all “non-BES generation” in their calculations. Foot note 9.”  Footnote 9 on Page 10 says “CIP-002-5.1a Attachment 1 does not define, or differentiate between, the terms “BES Generation,” and “Non-BES Generation.”  Why would a GOP perform functional obligations of a GOP for a non-BES Generator? Non-registered entities that run generation don’t need to!  You don’t have a CFR for a non-BES unit!  There are no NERC obligations for a non-BES Unit!

In my view FERC’s footnote 9 is misleading: CIP-002-5.1a GTB page 17 clearly says: While the NERC Glossary term “Facilities” already includes the BES characteristic, the additional use of the term BES here is meant to reinforce the scope of applicability of these Facilities where it is used, especially in this applicability scoping section. This in effect sets the scope of Facilities, systems, and equipment that is subject to the standards. This section is especially significant in CIP-002-5.1a and represents the total scope of Facilities, systems, and equipment to which the criteria in Attachment 1 apply. (The IRCs are all in Attachment 1, thus only BES Generator and Lines are to be considered for IRC 2.11 and 2.12!).  Consequently, there is no need to consider non-BES generation since Items in Attachment 1 pertain to BES Facilities only.

Additionally, FERC and NERC still have not answered my questions raised during drafting team phone/webinar meetings "What Generator or Transmission Operator Services does a GOP/TOP provide a non-BES generator/transmission line/substation?"

Why would a GOP/TOP provide said unnecessary services when entities that are not NERC registered who own and run generators and transmission lines don't need to provide GOP/TOP services to the very same/similar non-BES assets? 

It is unfair to require GOP/TOPs to incur extra NERC Compliance costs for their Control Centers due to non-BES assets capability inclusion.  NERC rules clearly state "A reliability standard shall not give any market participant an unfair competitive advantage".  Making GOPs/TOPs pay Control Center compliance costs for non-BES assets they operate is unfair as non-GOPs that own and run the same/similar units do not have to pay extra NERC cost for non-BES assets they control and monitor from a central location(s).

It is ironic that NERC recently had another Project up for Ballot “Moving Technical Rational Sections” out of standards.  Why? NERC/FERC are already ignoring the GTB and the applicability sections too?  Waste of money and more confusion; have to reference several documents to comply with a single standard.

Marty Hostler, Northern California Power Agency, 4, 12/16/2019

- 0 - 0

NV Energy believes additional guidance is necessary regarding Planned and Unplanned Changes with respect to acquisition of new BES assets from another Entity.

Would any BES Cyber Systems compliance issues discovered after acquisition of the Assets already commissioned by the selling Entity be subject to immediate compliance with CIP Cyber Security Standards, or would this discovery by the purchasing Entity constitute an Unplanned Change with 12 months to achieve compliance?

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 12/16/2019

- 0 - 0

Other Answers

Terry Volkmann, Glencoe Light and Power Commission, 1, 11/4/2019

- 0 - 0

I find the standard difficult to read with the various references back and forth between the Standard and Attachment 1. Ideally, the references should be minimized.  This may be an issue in enforcement, and could cause some confusion to some entities.

Kevin Conway, On Behalf of: Public Utility District No. 1 of Pend Oreille County, , Segments 1, 3, 5, 6

- 0 - 0

James Baldwin, On Behalf of: Eugene Water and Electric Board, WECC, Segments 1, 3

- 0 - 0

Chinedu Ochonogor, 12/1/2019

- 0 - 0

Kjersti Drott, 12/2/2019

- 0 - 0

ATC supports the comments of EEI.

LaTroy Brumfield, American Transmission Company, LLC, 1, 12/3/2019

- 0 - 0

None

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Laura Nelson, 12/6/2019

- 0 - 0

Jeff Ipsaro, Silicon Valley Power - City of Santa Clara, 4, 12/6/2019

- 0 - 0

Reclamation recommends the SDT add the definitions of Planned Changes and Unplanned Changes to the NERC Glossary of Terms.

Richard Jackson, U.S. Bureau of Reclamation, 1, 12/6/2019

- 0 - 0

Sandra Pacheco, Silicon Valley Power - City of Santa Clara, 5, 12/6/2019

- 0 - 0

Val Ridad, Silicon Valley Power - City of Santa Clara, 3, 12/6/2019

- 0 - 0

Andrea Barclay, 12/9/2019

- 0 - 0

Ameren agrees with and supports EEI comments for this question. 

David Jendras, Ameren - Ameren Services, 3, 12/9/2019

- 0 - 0

Maryanne Darling-Reich, On Behalf of: Black Hills Corporation - MRO, WECC - Segments 1, 3, 5, 6

- 0 - 0

N/A

Tho Tran, On Behalf of: Lee Maurer, Oncor Electric Delivery, 1

- 0 - 0

Bruce Reimer, Manitoba Hydro, 1, 12/10/2019

- 0 - 0

The posted version has incorrect grammar in R1, Parts 1.1 and 1.2. Please change Part 1.1 from “Identify each of the high impact BES Cyber System” to “Identify each high impact BES Cyber System”. Please change Part 1.2 from “Identify each of the medium impact BES Cyber System” to “Identify each medium impact BES Cyber System”.  Also please consider requiring explicit identification of associated systems (currently EACMS, PACS, PCA) for inclusion in the standard language (e.g. R1 P1.4) for high and medium impact BES Cyber Systems. Suggested wording: “Identify each EACMS, PACS, and PCA associated with a high impact BES Cyber System or a medium impact BES Cyber System.” This addition would serve to remind Responsible Entities that such identifications are required, and will permit assessing a violation, if applicable, against only one Requirement.

Anthony Jablonski, ReliabilityFirst, 10, 12/10/2019

- 0 - 0

We request additional guidance regarding Planned and Unplanned Changes with respect to acquisition of new BES assets from another Entity.

Would any BES Cyber Systems compliance issues discovered after acquisition of the Assets already commissioned by the selling Entity be subject to immediate compliance with CIP Cyber Security Standards, or would this discovery by the purchasing Entity constitute an Unplanned Change with 12 months to achieve compliance?

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 12/11/2019

- 0 - 0

AEP has no additional comments at this time.

Kent Feliks, AEP, 3, 12/12/2019

- 0 - 0

Stacy Lee, City of College Station, 1, 12/12/2019

- 0 - 0

Exelon supports the comments offered by EEI, as reflected here:

1.      Page 5 of the Redline, EEI suggests that all references to Version 4 and 5 should be removed from the Standard.  We are now on Version 6 and the following language should be removed from the standard - “transitioning from Version 4 to Version 5” and “(as that term is used in Version 4)”.

2.      Page 6 and page 28 of the Redline: EEI suggests removing all references to the NERC Functional Model.  (See Reliable Operation of the BES/P6 and High Impact Rating/P28).  NERC has decided to no longer maintain the Functional Model, therefore it should not be referenced in Reliability Standards.  Instead, the SDT should make references to the appropriate sections of NERC’s Organization Registration and Certification Manual and the Compliance Registry Criteria, per the determination made by the Standards Committee at their October 2019 meeting.

3.    Page 7 of the Redline: Remove the bulleted examples for EACMS, PACS and PCA given all three are defined terms in NERC’s Glossary of Terms and the definition for EACMS and PACs were both adopted by the NERC BOT on 12/26/2012 and approved by FERC on 11/22/2013, while PCA was adopted by the NERC BOT on 2/12/2015 and approved by FERC on 1/21/2016.

4.    The footnote on all pages (i.e., page 10 moving forward) incorrectly still references Draft 3 of CIP-002-6.

5.    Page 17 of the Redline: Remove the second listing of the title (Impact Rating Criteria) at the top of Attachment 1.

6.    Page 22 of the Redline: EEI supports the SDT decision to not remove the Guidelines and Technical Basis at this time, in order to ensure changes made to CIP-002-6 are not needlessly delayed.  However, we do ask that the GTB be removed within Project 2016-02 before the current SDT is disbanded.

 

Daniel Gacek, Exelon, 1, 12/12/2019

- 0 - 0

Westar-KCPL, Segment(s) 1, 3, 5, 6, 12/18/2018

- 0 - 0

Tim Womack, 12/12/2019

- 0 - 0

N/A

Carl Pineault, On Behalf of: Hydro-Québec Production, , Segments 1, 5

- 0 - 0

Leonard Kula, Independent Electricity System Operator, 2, 12/13/2019

- 0 - 0

Provide clearer examples for each of the listed items in the implementation table for the unplanned section.  

FE Voter, Segment(s) 1, 3, 5, 6, 4, 10/31/2019

- 0 - 0

While draft 3 provided additional time (24 calendar months) for unplanned changes resulting in new BES Cyber Systems or a higher categorization for existing BES Cyber Systems, Southern understands that removing the proposed change associated with “time frames to implement” while reverting to the previous language makes sense.  We look forward to the opportunity to actively participate in addressing this as a part of a future proposed change which encompasses addressing planned and unplanned changes, as a whole.

Southern Company, Segment(s) 1, 3, 5, 6, 12/13/2019

- 0 - 0

NRECA appreciates the efforts of the SDT on these issues.

Barry Lawson, 12/13/2019

- 0 - 0

Duke Energy has the following additional comments - The second paragraph in Criterion 2.1 on page 29 of 45 states "to use a value that could be verified through existing requirements as proposed by NERC standard MOD-024". The MOD-024 Standard has been retired and should be removed as a reference.

Masuncha Bussey, On Behalf of: Duke Energy - SERC - Segments 1, 3, 5, 6

- 0 - 0

PG&E provides no additional comments.

Michael Johnson, On Behalf of: Marco Rios, Pacific Gas and Electric Company, 1,3,5

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 1, 3, 4, 5

- 0 - 0

NCEMC appreciates the efforts of the SDT on these issues.

Kagen DelRio, On Behalf of: Luis Fondacci, North Carolina Electric Membership Corporation, 3,4,5; doug white, North Carolina Electric Membership Corporation, 3,4,5; John Cook, North Carolina Electric Membership Corporation, 3,4,5

- 0 - 0

MISO supports the additional clarity provided in the Supplemental Material (on page 29, under "Medium Impact Rating" and page 38 under "Low Impact Rating"); i.e. "No additional evaluation is necessary for BES Cyber Systems that have already been identified as high (or medium) impact."

Bobbi Welch, Midcontinent ISO, Inc., 2, 12/16/2019

- 0 - 0

Texas RE noticed the following:

  • In the section “BES Cyber Systems”, there appears to be incorrect grammar in the first sentence discussing transition.

  • Starting on page 10, the footer information contains the incorrect draft version and date.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 12/16/2019

- 0 - 0

Comments: EEI offers for SDT consideration the following additional comments on Draft 4 of CIP-002-6:

1.      Page 5 of the Redline, Section 6, Background, under subheading “BES Cyber Systems”, the first word in the sentence (transitioning) needs to be capitalized.

2.      Page 5 of the Redline, EEI suggests that all references to Version 4 and 5 should be removed from the Standard.  We are now on Version 6 and the following language should be removed from the standard - “transitioning from Version 4 to Version 5” and “(as that term is used in Version 4)”.

3.      Page 6 and page 28 of the Redline: EEI suggests removing all references to the NERC Functional Model.  (See Reliable Operation of the BES/P6 and High Impact Rating/P28).  NERC has decided to no longer maintain the Functional Model, therefore it should not be referenced in Reliability Standards.  Instead, the SDT should make references to the appropriate sections of NERC’s Organization Registration and Certification Manual and the Compliance Registry Criteria, per the determination made by the Standards Committee at their October 2019 meeting.

4.      Page 7 of the Redline: Remove the bulleted examples for EACMS, PACS and PCA given all three are defined terms in NERC’s Glossary of Terms and the definition for EACMS and PACs were both adopted by the NERC BOT on 12/26/2012 and approved by FERC on 11/22/2013, while PCA was adopted by the NERC BOT on 2/12/2015 and approved by FERC on 1/21/2016.

5.      The footnote on all pages (i.e., page 10 moving forward) incorrectly still references Draft 3 of CIP-002-6.

6.      Page 17 of the Redline: Remove the second listing of the title (Impact Rating Criteria) at the top of Attachment 1.

7.      Page 22 of the Redline: EEI supports the SDT decision to not remove the Guidelines and Technical Basis at this time, in order to ensure changes made to CIP-002-6 are not needlessly delayed.  However, we do ask that the GTB be removed within Project 2016-02 before the current SDT is disbanded. 

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

RSC, Segment(s) 10, 2, 4, 5, 7, 3, 1, 0, 6, 12/12/2019

- 0 - 0

- 0 - 0

AECI appreciates the efforts of the SDT on these issues.

AECI, Segment(s) 1, 3, 6, 5, 5/31/2019

- 0 - 0

Karl Blaszkowski, CMS Energy - Consumers Energy Company, 3, 12/16/2019

- 0 - 0

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1, 3, 5, 6

- 0 - 0

Marc Donaldson, Tacoma Public Utilities (Tacoma, WA), 3, 12/16/2019

- 0 - 0

San Miguel appreciates the efforts of the SDT on this project.

Lana Smith, San Miguel Electric Cooperative, Inc., 5, 12/16/2019

- 0 - 0

Alan Johnson, On Behalf of: NRG - NRG Energy, Inc., MRO, WECC, Texas RE, NPCC, SERC, RF, Segments 5, 6

- 0 - 0

We thank the SDT for allowing us to provide comments on these changes.

ACES Standard Collaborations, Segment(s) 1, 5, 3, 12/16/2019

- 0 - 0

We request additional guidance regarding Planned and Unplanned Changes with respect to acquisition of new BES assets from another Entity.

Would any BES Cyber Systems compliance issues discovered after acquisition of the Assets already commissioned by the selling Entity be subject to immediate compliance with CIP Cyber Security Standards, or would this discovery by the purchasing Entity constitute an Unplanned Change with 12 months to achieve compliance?

Sandra Shaffer, 12/16/2019

- 0 - 0

Constantin Chitescu, Ontario Power Generation Inc., 5, 12/16/2019

- 0 - 0

EEI offers for SDT consideration the following additional comments on Draft 4 of CIP-002-6:

  1. Page 5 of the Redline, EEI suggests that all references to Version 4 and 5 should be removed from the Standard.  We are now on Version 6 and the following language should be removed from the standard - “transitioning from Version 4 to Version 5” and “(as that term is used in Version 4)”.

  2. Page 6 and page 28 of the Redline: EEI suggests removing all references to the NERC Functional Model.  (See Reliable Operation of the BES/P6 and High Impact Rating/P28).  NERC has decided to no longer maintain the Functional Model, therefore it should not be referenced in Reliability Standards.  Instead, the SDT should make references to the appropriate sections of NERC’s Organization Registration and Certification Manual and the Compliance Registry Criteria, per the determination made by the Standards Committee at their October 2019 meeting.

  3. Page 7 of the Redline: Remove the bulleted examples for EACMS, PACS and PCA given all three are defined terms in NERC’s Glossary of Terms and the definition for EACMS and PACs were both adopted by the NERC BOT on 12/26/2012 and approved by FERC on 11/22/2013, while PCA was adopted by the NERC BOT on 2/12/2015 and approved by FERC on 1/21/2016.

  4. The footnote on all pages (i.e., page 10 moving forward) incorrectly still references Draft 3 of CIP-002-6.

  5. Page 17 of the Redline: Remove the second listing of the title (Impact Rating Criteria) at the top of Attachment 1.

  6. Page 22 of the Redline: EEI supports the SDT decision to not remove the Guidelines and Technical Basis at this time, in order to ensure changes made to CIP-002-6 are not needlessly delayed.  However, we do ask that the GTB be removed within Project 2016-02 before the current SDT is disbanded. 

Clay Walker, On Behalf of: Cleco Corporation - SERC - Segments 1, 3, 5, 6

- 0 - 0

Pam Feuerstein, Intermountain REA, 3, 12/16/2019

- 0 - 0

Spencer Tacke, Modesto Irrigation District, 4, 12/16/2019

- 0 - 0