This comment form is no longer interactive because the comment period is closed.

2020-04 Modifications to CIP-012 | Standard Authorization Request

Description:

Start Date: 04/08/2020
End Date: 06/11/2020

Associated Ballots:

Ballot Name Project Standard Pool Open Pool Close Voting Start Voting End

Filter:

Hot Answers

We disagree with the FERC Order, based on all the comments which NERC and others raised as documented in the Order along with the additional items:

1.         The scope of the SAR is not cybersecurity-related and not refined enough.

2.         O&P standards cover communication availability

3.         Cyber assets associated with  communication networks and data communication links between discrete ESPs are exempt

 

The scope of this SAR is not clearly defined enough to agree with.  Without a significantly defined scope, this project has the possibility to bleed into O&P standards such as IRO and EOP and multiple CIP standards and current projects as noted in the SAR which is of major concern. 

FERC’s concerns in Order No. 866 and the scope of the SAR are not cybersecurity in nature and thus should be covered in Operation & Planning standards if required.  “Protections regarding the availability of communications links and data communicated between the bulk electric system Control Centers”, is not always controlled by entities, which are dependant on telecommunication carriers and telecommunication equipment, currently not in the scope of the CIP requirements and should remain out of the scope of CIP requirements and fall under O&P standards which cover communication availability and backup communications. 

The current CIP standards limit the scope to BES Cyber Systems and associated EACMS, PACS, and PCAs.  The standards are specific in exempting,  “4.2.3.2. Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters” which in our opinion conflicts with Order No. 866.  The proposed changes are already covered in CIP-008 and CIP-009 in regards to compromise and recovery.  If the scope of this SAR was added to the CIP standards, we believe this would extend beyond CIP-012 and at a minimum impact CIP-008 and CIP-009 and create intermingled requirements as we had in previous CIP standards, which is not desired.

Therefore we do not agree with the scope of the SAR.  We strongly believe Order No. 866 is in direct conflict with the exception of “4.2.3.2. Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters.” Combine the exemption, with NERC and the industry’s comments in the Order, CIP-008 and CIP-009 coverage of the Order, and the scope of the SAR not being cybersecurity-related, we feel this modification is rooted in the Operations and Planning standards and not the CIP standards.

ACES Standard Collaborations, Segment(s) 1, 3, 4, 5, 6/11/2020

- 0 - 0

While the IRC SRC supports addressing the spirit of the FERC directive in Order 866; i.e. “maintaining the availability of communication networks and data should include provisions for incident recovery and continuity of operations in a responsible entity’s compliance plan,” we believe the issue of “availability” is an operational versus a security concern. With that as a backdrop, we disagree with the foregone conclusion in the SAR Title; i.e. “Revisions to CIP standards to address Cyber Security Communications between Control Centers.”

Monika Montez, On Behalf of: California ISO, WECC, Segments 2

- 0 - 0

Other Answers

Kevin Conway, On Behalf of: Public Utility District No. 1 of Pend Oreille County, , Segments 1, 3, 5, 6

- 0 - 0

LaTroy Brumfield, On Behalf of: American Transmission Company, LLC, , Segments 1

- 0 - 0

Bruce Reimer, On Behalf of: Manitoba Hydro , , Segments 1, 3, 5, 6

- 0 - 0

Jennie Wike, On Behalf of: Tacoma Public Utilities (Tacoma, WA) - WECC - Segments 1, 3, 4, 5, 6

- 0 - 0

The requested changes from FERC via Order 866 are logical.

DTE Energy - DTE Electric, Segment(s) 5, 4, 3, 1/24/2020

- 0 - 0

Reclamation recommends the scope of the SAR be expanded to proactively address the types of data covered by CIP-012 and to add NERC Glossary definitions for “Availability,” “Real-time Monitoring,” “Real-time Data,” “BES Data,” “Operational Data,” and “System Planning Data.”

Richard Jackson, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

ReliabilityFirst agrees with the proposed scope of the SAR to address the directive issued by FERC in Order No. 866.

Anthony Jablonski, On Behalf of: ReliabilityFirst , , Segments 10

- 0 - 0

Anton Vu, On Behalf of: Los Angeles Department of Water and Power, , Segments 1, 3, 5, 6

- 0 - 0

Duke Energy does not agree with the proposed scope as described in the SAR. Duke understands and agrees with the intent to address protections with respect to availability of real time communications between control centers in CIP-012. However, the scope of CIP-012 modifications should remain limited to requirements that directly support protection of real time data between control centers and directly mitigate the risk of unavailability of these communications due to cyber-attacks or incidents. Incident response & recovery, and backup communication capabilities should be addressed within the appropriate existing standards, both CIP and O&P, to ensure elimination of overlap and reduce the possibility of conflicting requirements.

Duke Energy has concerns that the scope is too broadly stated and that the SAR should be limited to availability protections in CIP-012. Duke energy does not agree with the submitter assertion that there are no unique characteristics associated with BES facilities that will be impacted by this proposed standard development project. This impact has yet to be determined, there could be communication system architectural impacts.

Distribution Providers are not currently CIP-012-1 Applicable Entities. Duke Energy recommends that Distribution Providers be removed from applicability unless there some basis provided for their inclusion.

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

Although AZPS is in agreement with the intention of the SAR, it makes the following recommendation:

The project scope and goal states that the project will address concerns FERC outlined in Order No. 866; however, it does not specify the exact concern(s) that the project will include.  APS recommends adding details specific to the directive that the project is intended to address.

Kelsi Rigby, On Behalf of: Kelsi Rigby, , Segments 1, 3, 5, 6

- 0 - 0

Our concurrence is based on assumption that having geographically diverse and redundant ICCP links constitutes “backup communication capabilities” as referenced in Order 866 Paragraph 35.

FE Voter, Segment(s) 1, 3, 5, 6, 4, 10/31/2019

- 0 - 0

Randy Cleland, On Behalf of: Randy Cleland, , Segments 1

- 0 - 0

IESO supports the comments submitted by both NPCC and ISO/ RTO Council.

IESO supports the proposed scope of the SAR as addressing the FERC directive in Order 866; i.e. “maintaining the availability of communication networks and data should include provisions for incident recovery and continuity of operations in a responsible entity’s compliance plan.” FERC recognized that the redundancy of communication links cannot always be guaranteed, and acknowledged there should be plans for both recovery of compromised communication links and use of backup communication capability. See Order No. 866 at PP 35-36.

Leonard Kula, On Behalf of: Independent Electricity System Operator, , Segments 2

- 0 - 0

Dominion Energy supports the comments submitted by EEI. DOminion Energy supports the project as directed by FERC Order No. 866 but does not agree that the proposed SAR correctly reflects the language and intent of the FERC order. Specifically:

1.     The “Project Scope" section should include the FERC Order No. 866 directive language “develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers.”   

2.     The “Purpose and Goal” section should be revised to reflect the reliability-related benefit of improved protections regarding the availability of communication links and data communicated between control centers.

3.     The “Detailed Description” section should state clear deliverables with sufficient detail for a drafting team to execute the project.  EEI suggests the following for NERC consideration:

a.      The scope of this project will be to modify Reliability Standard, CIP-012-1 to require BAs, GOs, GOPs, RCs, TOs, and TOPs who own or operate BES Control Centers to implement protections that address the availability of communication links and data links between BES Control Centers.  Redundancy of communications links will not be required; however, incident recovery and continuity of operation plans are to be included within the scope.

4.     The “Functional Entities” section identifies Distribution Providers (DPs) as one of the functional entities that the proposed standard(s) should apply. However, DPs were not identified as an Applicable Entity in draft CIP-012-1 nor were they identified in FERC Order 866.  EEI recommends DPs either be removed or NERC include a justification for adding DPs.

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

The following are technical reasons why NCPA does not support the subject SAR in its current form:

1.   FCC Jurisdiction Infringement: One accurate NERC Staff SAR assertation is their claim "there are no unique characteristics associated with BES facilities that will be impacted by this proposed standard development project.”; that is because there are NO BES Reliability Gaps.  This SAR appears to be an attempt to forcibly require Registered Entities to pay for modifications to communication facilities that are under the Federal Communication Commission's (FCC) jurisdiction, and is not an enhancement to BES reliability at all.

2.   NERC’s response to Market Principle one on SAR page three is inaccurate.  The project will result in an unfair competitive advantage for non-GOPs in Regions that have BA/ISOs that don’t allow GOPs to recover fixed costs for FERC mandated, but unfunded, NERC compliance initiatives. 

  • California ISO (CAISO) Market rules, and maybe other ISOs too, do not allow GOPs to recover fixed costs for unfunded FERC/NERC reliability mandates.  Non-GOP Market Participants have no said obligations nor costs.

  • If this SAR is to move forward FERC needs to level the playing field and first order BAs to modify their Tariffs, and compensate GO/GOPs for fixed NERC Compliance Costs. 

  • Otherwise, at a minimum, this proposed Standard, among others, results in unfair Market competitive advantages for non-GOP generator Market Participants in the CAISO BA to the detriment, disadvantage of GOPs.

  • This is an extremely unfair business practice especially considering the BAs/ISOs are compensated for, allowed to recover, 100% of their NERC/FERC fixed compliance costs.

    3.   NERC has not provided a cost estimate for this proposal. Future SARs should not be allowed though the Standards Committee without a cost estimate.  All stakeholders need to know the estimated cost prior to SAR posting.  We need to know the estimated cost of what we are voting on, and it needs to include all cost for everything FERC, WECC, and NERC will ultimately tell us we should be doing.

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 3, 4, 5, 6

- 0 - 0

Exelon is aligning with EEI in resonse to this question.

Kinte Whitehead, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

Exelon is aligning with EEI in resonse to this question.

Daniel Gacek, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

Exelon is aligning with EEI in resonse to this question.

Cynthia Lee, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

Exelon is aligning with EEI in resonse to this question.

Becky Webb, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

BPA thanks the drafting team for the opportunity to comment.  In addition to the Project 2016-02 and Project 2019-02 Standards Drafting Team efforts, the scope should include examination of impact to CIP-008-6 and CIP-009-6 applicability and requirements. Incident “Recovery” strongly relates to and implies a need for incident response. Recovery cannot proceed without alleviating the proximate cause of an outage. In cases where that cause is a deliberate attack or even an accidental manmade situation, appropriate incident response activities to limit the scope, impact, and duration of the condition must be engaged before beginning recovery operations. Otherwise the situation may recur or recovery operations may fail.

 Intentional incidents are not static, but rather have malicious intent driving dynamic adaptation to the defender’s actions, and may use the programmed recovery plan activities to further exploit, or embed future exploitation capability into a system that is composed of people, processes, technology, and information.)

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

“These comments represent the MRO NSRF membership as a whole but would not preclude members from submitting individual comments”.

There seems to be a disconnect between Project 2020-04, titled “Modifications to CIP-012,” and the SAR itself, which is titled “Revisions to CIP Standards…” and never explicitly mentions CIP-012. Given the FERC Order to “include provisions for incident recovery and continuity of operations,” are CIP-008 Incident Reporting and Response Planning, and/or CIP-009 Recovery Plans for BES Cyber Systems, anticipated to be included within the scope of this SAR? If so, this should be disclosed for transparency, to alert all potentially impacted stakeholders, and to avoid subsequent surprises.

MRO NSRF proposes the title of the SAR be modified to match the title of Project 2020-04; i.e. from “Revisions to CIP standards to address Cyber Security Communications between Control Centers” to “Revisions to NERC standards to address Cyber Security Communications between Control Centers.”

In addition, MRO NSRF prefers the directive in FERC Order 866 be addressed as part of CIP-012 as opposed to CIP-008 and/or CIP-009 if the directive is to be addressed under the CIP standards.

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 1/29/2020

- 0 - 0

Madison Gas and Electric (MGE) supports the comments submitted by the MRO NSRF.

Ronald Bauer, On Behalf of: MGE Energy - Madison Gas and Electric Co., , Segments 3, 4, 5, 6

- 0 - 0

Westar Energy and Kansas City Power & Light (Evergy companies) incorporate by reference and endorse the comments of the Edison Electric Institute (EEI).

Westar-KCPL, Segment(s) 1, 3, 5, 6, 12/18/2018

- 0 - 0

Laura Nelson, On Behalf of: Laura Nelson, , Segments 1

- 0 - 0

While the IRC SRC supports addressing the spirit of the FERC directive in Order 866; i.e. “maintaining the availability of communication networks and data should include provisions for incident recovery and continuity of operations in a responsible entity’s compliance plan,” we believe the issue of “availability” is an operational versus a security concern. With that as a backdrop, we disagree with the foregone conclusion in the SAR Title; i.e. “Revisions to CIP standards to address Cyber Security Communications between Control Centers."

ISO/RTO Council (IRC) Standards Review Committee (SRC)_2020-04_CIP-012 SAR, Segment(s) 2, 6/11/2020

- 0 - 0

Please see comments submitted by the Edison Electric Institute.

Robert Blackney, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

Southern Company supports the proposed project, as directed by FERC in Order No. 866, to develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers. However, we have identified the following items that need to be addressed in this SAR before we can support its approval:

1. The section “Are there any related standards or SARs that should be assessed for impact as a result of this proposed project?  If so, which standard(s) or project number(s)?” should include the following standards for impact as they also are concerned with and have existing requirements for data exchange capabilities, availability, periodicity of providing data, loss of data exchange capability and response, redundant communications infrastructure, and responding to data quality issues.

• IRO-002-6

• IRO-010-2

• IRO-014-3 

• TOP-003-3 

• IRO-018-1(i) and TOP-010-1(i)

• TOP-001-4 

• EOP-008-2  

 

Southern Company also agrees with the following comments provided by Edison Electric Institute (EEI) as summarized below: 

1. The “Project Scope" section should include the FERC Order No. 866 directive language “develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers.”   

2. The “Purpose and Goal” section be revised to reflect the reliability-related benefit of improved protections regarding the availability of communication links and data communicated between control centers.

3. The “Detailed Description” section should state clear deliverables with sufficient detail for a drafting team to execute the project.  

4. The “Functional Entities” section identifies Distribution Providers (DPs) as one of the functional entities that the proposed standard(s) should apply. However, DPs were not identified as an Applicable Entity in draft CIP-012-1 nor were they identified in FERC Order 866.  EEI recommends DPs either be removed or NERC include a justification for adding DPs. 

Southern Company, Segment(s) 1, 3, 5, 6, 12/13/2019

- 0 - 0

We agree with the proposed scope because it is consistent with the FERC Directive.

We suggest including the directive from FERC Order 866 in the “Project Scope” section, “The commission directs NERC to develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers.”

NPCC Regional Standards Committee, Segment(s) 10, 2, 4, 7, 3, 1, 5, 6, 6/11/2020

- 0 - 0

LCRA feels that the proposed modifications regarding the communication network providers and the scope of equipment ownership within this SAR is too vague.

LCRA Compliance, Segment(s) 6, 5, 1, 5/11/2015

- 0 - 0

MPC supports comments submitted by the MRO NERC Standards Review Forum (NSRF).

Andy Fuhrman, On Behalf of: Minnkota Power Cooperative Inc. - MRO - Segments 1

- 0 - 0

We agree that the proposed SAR covers the FERC order to include provisions for the responsible entities to plan for both recovery of compromised communication links and use of backup communication capability should it be needed for redundancy.  However, the SAR is unclear if the new requirements will be addressed in CIP-012, another CIP Standard, or a combination thereof.  

Sandra Shaffer, On Behalf of: Sandra Shaffer, , Segments 6

- 0 - 0

Oklahoma Gas & Electric supports the comments submitted by EEI.

OKGE, Segment(s) 6, 1, 3, 5, 4/10/2019

- 0 - 0

Oncor supports the comments submitted by EEI.

Tho Tran, On Behalf of: Oncor Electric Delivery, Texas RE, Segments 1

- 0 - 0

Minnesota Power supports EEI Comments: pasted below:

EEI supports the proposed project, as directed by FERC in Order No. 866, to develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers. However, we have identified the following items that need to be addressed in this SAR before we can support its approval:

  1. The “Project Scope" section should include the FERC Order No. 866 directive language “develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers.”   

  2. The “Purpose and Goal” section be revised to reflect the reliability-related benefit of improved protections regarding the availability of communication links and data communicated between control centers.

  3. The “Detailed Description” section should state clear deliverables with sufficient detail for a drafting to execute the project.  EEI suggests the following for NERC consideration:

    1.  The scope of this project will be to modify Reliability Standard, CIP-012-1 to require BAs, GOs, GOPs, RCs, TOs, and TOPs who own or operate BES Control Centers to implement protections that address the availability of communication links and data links between BES Control Centers.  Redundancy of communications links will not be required; however, incident recovery and continuity of operation plans are to be included within the scope.

  4. The “Functional Entities” section identifies Distribution Providers (DPs) as one of the functional entities that the proposed standard(s) should apply. However, DPs were not identified as an Applicable Entity in draft CIP-012-1 nor were they identified in FERC Order 866.  EEI recommends DPs either be removed or NERC include a justification for adding DPs.

Jamie Monette, On Behalf of: Allete - Minnesota Power, Inc., , Segments 1

- 0 - 0

Ameren agrees with and supports EEI comments.

David Jendras, On Behalf of: Ameren - Ameren Services, , Segments 1, 3, 6

- 0 - 0

EEI supports the proposed project, as directed by FERC in Order No. 866, to develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers; however, EEI is unable to support the proposed SAR without addressing the following items:

1.      The “Project Scope" section should include the FERC Order No. 866 directive language “develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers.”   

2.      The “Purpose and Goal” section should be revised to reflect the reliability-related benefit of improved protections regarding the availability of communication links and data communicated between control centers.

3.      The “Detailed Description” section should state clear deliverables with sufficient detail for a drafting team to execute the project.  EEI suggests the following for NERC consideration:

a.      The scope of this project will be to modify Reliability Standard, CIP-012-1 to require BAs, GOs, GOPs, RCs, TOs, and TOPs who own or operate BES Control Centers to implement protections that address the availability of communication links and data links between BES Control Centers.  Redundancy of communications links will not be required; however, incident recovery and continuity of operation plans are to be included within the scope.

4.      The “Functional Entities” section identifies Distribution Providers (DPs) as one of the functional entities that the proposed standard(s) should apply. DPs should be removed from the SAR for the following reasons:

a.       {C}DPs are not identified as an Applicable Entity in the draft CIP-012-1; and,

b.      {C}The SAR’s goal and scope are to address FERC Order 866 directives; DPs are not identified in in the order.

EEI recommends DPs either be removed or, alternatively, since inclusion of DPs is beyond FERC Order 866, that NERC provide a justification for including DPs.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Texas RE noticed that the applicability section of the SAR includes GOs, TOs, and DPs.  The NERC Glossary term for Control Center, however, does not include GOs, TOs, and DPs.  Real-time monitoring data between a TOP/RC/BA/GOP Control Center and other control centers should be protected since most of the Real-time monitoring information comes from DPs and TOs sending it to TOPs.  Texas RE requests that the drafting team not limit the applicability to those entities with Control Centers as defined by the NERC Glossary and be inclusive of GOs, TOs, and DPs that are not included in the NERC Glossary.

Rachel Coyne, On Behalf of: Texas Reliability Entity, Inc., , Segments 10

- 0 - 0

We support commments from NPCC Regional Standards Committee.

Carl Pineault, On Behalf of: Hydro-Qu?bec Production, , Segments 1, 5

- 0 - 0

NV Energy supports the project for addressing FERC Order 866; however, NV Energy cannot approve the SAR in its current incomplete state. NVE believes additional information must be provided in the SAR to ensure the future SDT can execute on the project.

NVE recommends the following:

  • “Project Scope" section should include the FERC Order No. 866 directive language “develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers.”   
  • “Purpose and Goal” section should be revised to reflect the reliability-related benefit of improved protections regarding the availability of communication links and data communicated between control centers.
  • As previously stated, the “Detailed Description” section should state clear deliverables with sufficient detail for a drafting team to execute the project.  NVE suggests the following for NERC consideration:

    • Define the intent of the modifications, as it is unclear if the modification will only be addressed in a future iteration of CIP-012, or will another CIP Standard be required to accomodate this.

      • Recommendation: The scope of this project will be to modify Reliability Standard, CIP-012-1 to require BAs, GOs, GOPs, RCs, TOs, and TOPs who own or operate BES Control Centers to implement protections that address the availability of communication links and data links between BES Control Centers.  Redundancy of communications links will not be required; however, incident recovery and continuity of operation plans are to be included within the scope.

Kevin Salsbury, On Behalf of: Berkshire Hathaway - NV Energy, , Segments 5

- 0 - 0

Hot Answers

Thank you for the opportunity to provide comments.

ACES Standard Collaborations, Segment(s) 1, 3, 4, 5, 6/11/2020

- 0 - 0

The IRC SRC proposes the SAR Title and SAR Type be modified to allow the industry to determine where best to address the FERC directive in Order 866.

The IRC SRC recommends the Requirements focus on a plan of action since a Reliability Entity cannot guarantee a third party’s availability or reliability. The IRC SRC requests the Standard Drafting Team not prescribe technical solution(s. As an example, see COM-001-3, R11.

R11. Each Distribution Provider and Generator Operator that detects a failure of its Interpersonal Communication capability shall consult each entity affected by the failure, as identified in Requirement R7 for a Distribution Provider or Requirement R8 for a Generator Operator, to determine a mutually agreeable action for the restoration of its Interpersonal Communication capability.

If changes are made to CIP-012-1, the IRC SRC requests that modifications not adversely impact existing Responsible Entity efforts to implement version 1 by its effective date.

Finally, the SAR Drafting Team should pay attention to NERC’s Operational Data Exchange Simplification Standard Authorization Rquest (SAR) seeking to simplify TOP-003 and IRO-010.

Monika Montez, On Behalf of: California ISO, WECC, Segments 2

- 0 - 0

Other Answers

In some rempte areas of the country it is not always possible to have redundant communications because the phone system is owned by a third party communications provider, and the infrastructure costs.  A standard of this type has to be developed with the understanding that rural utilities have unique challenges in meeting redundancey and in most cases represent a very small threat to the BES.

Kevin Conway, On Behalf of: Public Utility District No. 1 of Pend Oreille County, , Segments 1, 3, 5, 6

- 0 - 0

ATC suggests the SDT update the SAR to reflect their work specifically on CIP-012. As it stands the SDT could use the SAR to open any of the CIP standards to achieve the desired outcome.

LaTroy Brumfield, On Behalf of: American Transmission Company, LLC, , Segments 1

- 0 - 0

Bruce Reimer, On Behalf of: Manitoba Hydro , , Segments 1, 3, 5, 6

- 0 - 0

Jennie Wike, On Behalf of: Tacoma Public Utilities (Tacoma, WA) - WECC - Segments 1, 3, 4, 5, 6

- 0 - 0

nothing futher at this time.

DTE Energy - DTE Electric, Segment(s) 5, 4, 3, 1/24/2020

- 0 - 0

Reclamation recommends when addressing the technical documents to review requirements for electronic communications align where possible to the requirements for oral communication contained in COM-001-3: (1) have electronic communication capability; (2) designate alternative electronic communication capability in the event of a failure of the primary communication capability; (3) test the alternate method of electronic communication; (4) notify the entity on the other end of the communication path if a failure is detected; and, (5) establish mutually agreeable action to restore the electronic communication capability. Entities may want to establish a “heartbeat” within their own systems to detect a data communications failure and not rely on far-end communication of path failures.

Prior to proposing additional modifications, Reclamation also recommends each SDT take additional time to completely identify the scope of each Standard Authorization Request to account for future potential compliance issues. This will provide economic relief for entities by minimizing the costs associated with the planning and adjustments required to achieve compliance with frequently changing standard versions. NERC should foster a compliance environment that will allow entities to fully implement technical compliance with current standards before moving to subsequent versions.

Reclamation also recommends the SAR drafting team thoughtfully assess the cost impacts associated with this SAR to effect changes in a cost-effective manner. The SAR proposes a significant increase in the scope of the affected standard, which will have a substantial impact on affected entities and should not be taken without appropriate consideration.

To minimize churn among standard versions, Reclamation recommends the SAR drafting team coordinate changes with other existing drafting teams for related standards; specifically, Project 2016-02 and Project 2019-03. This will reduce the chance that standards will conflict with one another and better align standards.

Richard Jackson, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

The Standards and Drafting team should be mindful that proposed changes to CIP-012-1 may have implications on various other Operations Reliability Standards that reference data exchange, recovery of compromised communication links, and use of backup communication capability; and that those Operations Reliability Standards may have implications on CIP-012-1 (including but not limited to: TOP-001-4, TOP-003-3, IRO-010-2, and EOP-008-2).  The Standards and Drafting team should look for opportunities to create synergies between Standards with common threads to ease the compliance burden where possible.

Anthony Jablonski, On Behalf of: ReliabilityFirst , , Segments 10

- 0 - 0

Anton Vu, On Behalf of: Los Angeles Department of Water and Power, , Segments 1, 3, 5, 6

- 0 - 0

No additional questions. 

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

Kelsi Rigby, On Behalf of: Kelsi Rigby, , Segments 1, 3, 5, 6

- 0 - 0

Ensure SDT is providing flexibity to account for multiple communications and EMS landscapes and is seeking input from stakeholders during the standards drafting process.

 

FE Voter, Segment(s) 1, 3, 5, 6, 4, 10/31/2019

- 0 - 0

Randy Cleland, On Behalf of: Randy Cleland, , Segments 1

- 0 - 0

IESO supports the comments submitted by both NPCC and ISO/ RTO Council

The IESO prefers the directive from FERC Order 866 be addressed as part of CIP-012 as opposed to CIP-008 and/or CIP-009.

IESO proposes that the title of the SAR be modified to match the title of Project 2020-04; i.e. Modifications to CIP-012.

IESO recommends the Requirements focus on a plan of action since a Reliability Entity cannot guarantee a third party’s availability or reliability.

IESO requests the Standard Drafting Team not prescribe technical solution(s); e.g. COM-001-3.

IESO requests that modifications to CIP-012-1 not adversely impact existing Reliability Entity efforts to implement version 1 by its effective date.

The SAR Drafting Team should pay attention to NERC’s Compliance Implementation Guidance on simplifying TOP-003 and IRO-010.

Leonard Kula, On Behalf of: Independent Electricity System Operator, , Segments 2

- 0 - 0

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

No.

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 3, 4, 5, 6

- 0 - 0

Kinte Whitehead, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

Daniel Gacek, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

Cynthia Lee, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

Becky Webb, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

While on the topic of recovery, continuity of operations, and backup or alternate communications capability, “resilience” should be a major topic of discussion with the intent to bring CIP standards more in line with the greater body of knowledge on incident planning.  "Resilience" meaning full OR partial mitigation of impact, scope, and duration to preserve capability; usually expressed in terms of planning for Recovery Point and Recovery Time Objectives (RPO/RTO), possible need for stages of capability/capacity restoration, and using risk management/risk reduction formulas and concepts.

Every effort should be made to look both inside and outside the traditional electric utility industry to incorporate best practices for incident response when drafting new requirements.

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

These comments represent the MRO NSRF membership as a whole but would not preclude members from submitting individual comments”.

 The NSRF questions the Applicability within the current CIP-012-1.  The Purpose states:  

To protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between Control Centers.  The Applicability Section lists 4.1.3 Generator Owner (GO) and 4.1.6 Transmission Owner (TO).  Neither the GO or TO are included in the NERC definition of Control Center which reads;

One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of: 1) a Reliability Coordinator, 2) a Balancing Authority, 3) a Transmission Operator for transmission Facilities at two or more locations, or 4) a Generator Operator for generation Facilities at two or more locations.

The NSRF recommends that the SAR scope be updated to review the Applicability Sction of the current CIP-012-1 and the FERC directive (as already written).

MRO NSRF recommends the Requirements focus on a plan of action since a Reliability Entity cannot guarantee a third party’s availability or reliability. As an example, see COM-001-3, R11.

R11. Each Distribution Provider and Generator Operator that detects a failure of its Interpersonal Communication capability shall consult each entity affected by the failure, as identified in Requirement R7 for a Distribution Provider or Requirement R8 for a Generator Operator, to determine a mutually agreeable action for the restoration of its Interpersonal Communication capability.

MRO NSRF requests the Standard Drafting Team not prescribe technical solution(s); e.g. COM-001-3.

MRO NSRF requests that modifications to CIP-012-1 not adversely impact existing Reliability Entity efforts to implement version 1 by its effective date.

The SAR Drafting Team should pay attention to NERC’s Compliance Implementation Guidance on simplifying TOP-003 and IRO-010. 

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 1/29/2020

- 0 - 0

Madison Gas and Electric (MGE) supports the comments submitted by the MRO NSRF.

Ronald Bauer, On Behalf of: MGE Energy - Madison Gas and Electric Co., , Segments 3, 4, 5, 6

- 0 - 0

None.

Westar-KCPL, Segment(s) 1, 3, 5, 6, 12/18/2018

- 0 - 0

Laura Nelson, On Behalf of: Laura Nelson, , Segments 1

- 0 - 0

The IRC SRC proposes the SAR Title and SAR Type be modified to allow the industry to determine where best to address the FERC directive in Order 866.

The IRC SRC recommends the Requirements focus on a plan of action since a Reliability Entity cannot guarantee a third party’s availability or reliability. The IRC SRC requests the Standard Drafting Team not prescribe technical solution(s. As an example, see COM-001-3, R11.

R11. Each Distribution Provider and Generator Operator that detects a failure of its Interpersonal Communication capability shall consult each entity affected by the failure, as identified in Requirement R7 for a Distribution Provider or Requirement R8 for a Generator Operator, to determine a mutually agreeable action for the restoration of its Interpersonal Communication capability.

If changes are made to CIP-012-1, the IRC SRC requests that modifications not adversely impact existing Responsible Entity efforts to implement version 1 by its effective date.

Finally, the SAR Drafting Team should pay attention to NERC’s Operational Data Exchange Simplification Standard Authorization Rquest (SAR) seeking to simplify TOP-003 and IRO-010.

ISO/RTO Council (IRC) Standards Review Committee (SRC)_2020-04_CIP-012 SAR, Segment(s) 2, 6/11/2020

- 0 - 0

Robert Blackney, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

Southern Company requests the SAR drafting team to consider the following: 

1. Ensure the SAR provides the SDT with the ability to modify any impacted O&P Standards; don’t create a conflict between CIP and O&P where both cover availability by making sure those other Standards are in scope for this SAR because those could be impacted. 

2. Ensure the Scope adequately addresses methods to protect availability of communication links and data communicated between bulk electric system Control Centers “as it is communicated between CCs”, or “while it is being communicated.” This is the focus of the FERC Order, and not on data at rest that “could” be transmitted at some point in time. 

3. The SAR and Standards drafting teams both need to consider that “availability” can impact integrity when it comes to handling encryption. Don’t put in place or propose requirements around ensuring availability that can come at the expense or degradation of confidentiality or integrity.

Southern Company, Segment(s) 1, 3, 5, 6, 12/13/2019

- 0 - 0

We expect that the Requirements will focus on a plan since the Entity cannot guarantee a third party’s availability or reliability

We request that Standard Drafting Team not prescribe technical solution(s). Also, we suggest that the SAR drafting team consider the CIP-012 relationship to TOP-003 and IRO-10, and the SAR involving Operational Data Exchange simplification – Standards Efficiency Review Phase 2. We suggest that the “Purpose and Goal” section should state the reliability-related benefits, as described in the FERC Order.

We suggest that the “To assist the NERC Standards Committee in appointing a drafting team…” section should not include the Distribution Provider function since the scope involves the availability of communication links and data communicated between bulk electric system Control Centers.

NPCC Regional Standards Committee, Segment(s) 10, 2, 4, 7, 3, 1, 5, 6, 6/11/2020

- 0 - 0

LCRA expresses concern with understanding how provisions for a registered entity’s equipment, compliance plans - with respect to incident recovery and continuity operations - are to be addressed under specific circumstances and whether or not these circumstances would come in to scope under this Standard. Example: communication network / equipment that is not owned by the registered entity.  

LCRA is concerned with the compliance burden associated with a revision to a Standard prior to the current version of the Standard becoming effective. Additionally, the language of the SAR appears to duplicate the efforts of already enforceable Standards (CIP-008, CIP-009, COM-001).

LCRA Compliance, Segment(s) 6, 5, 1, 5/11/2015

- 0 - 0

MPC supports comments submitted by the MRO NERC Standards Review Forum (NSRF).

Andy Fuhrman, On Behalf of: Minnkota Power Cooperative Inc. - MRO - Segments 1

- 0 - 0

We would like the drafting team to consider, if a redundant back up communications method exists that the responsible entity meets the requirement for availability.  Also, specification for acceptable availability down-time should be considered in the development.

Sandra Shaffer, On Behalf of: Sandra Shaffer, , Segments 6

- 0 - 0

OKGE, Segment(s) 6, 1, 3, 5, 4/10/2019

- 0 - 0

None

Tho Tran, On Behalf of: Oncor Electric Delivery, Texas RE, Segments 1

- 0 - 0

None

Jamie Monette, On Behalf of: Allete - Minnesota Power, Inc., , Segments 1

- 0 - 0

None

David Jendras, On Behalf of: Ameren - Ameren Services, , Segments 1, 3, 6

- 0 - 0

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Rachel Coyne, On Behalf of: Texas Reliability Entity, Inc., , Segments 10

- 0 - 0

We support commments from NPCC Regional Standards Committee

Carl Pineault, On Behalf of: Hydro-Qu?bec Production, , Segments 1, 5

- 0 - 0

As mentioned in our response to Question 1, within our Recommendation bullet, NVE would like the SDT to consider, if a redundant back up communications method exists that the responsible entity meets the requirement for availability.  Also, specification for what is deemed "acceptable availability down-time" should be considered in the development.

Kevin Salsbury, On Behalf of: Berkshire Hathaway - NV Energy, , Segments 5

- 0 - 0