
2019-03 Cyber Security Supply Chain Risks | CIP-005-7, CIP-010-4, & CIP-013-2 (Draft 3)

Description:

Start Date: 07/28/2020
End Date: 09/10/2020

Associated Ballots:

Ballot Name: 2019-03 Cyber Security Supply Chain Risks CIP-005-7, CIP-010-4, & CIP-013-2 AB 3 ST
Project: 2019-03 Cyber Security Supply Chain Risks
Standard: CIP-005-7, CIP-010-4, & CIP-013-2
Pool Open: 01/27/2020
Pool Close: 02/25/2020
Voting Start: 09/01/2020
Voting End: 09/10/2020


Hot Answers

Jennie Wike, On Behalf of: Marc Donaldson, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; Ozan Ferrin, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; John Merrell, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; Hien Ho, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; Terry Gifford, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6

- 0 - 0

Please reference Marty Hostler, Northern California Power Agency, comments.

Dennis Sismaet, Northern California Power Agency, 6, 9/10/2020

- 0 - 0

Other Answers

Duke Energy generally agrees with restoring R2 Parts 2.4 and 2.5 to the original approved CIP-005-6 language and adding R3 for EACMS and PACS.

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

Matthew Nutsch, On Behalf of: Seattle City Light, WECC, Segments 1, 3, 4, 5, 6

- 0 - 0

We recommend that view only access by a vendor is not considered IRA, nor vendor remote access.

Joshua Andersen, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

N&ST believes there are several problems with proposed requirement R3 as presently written:

  • It addresses “authenticated vendor-initiated remote connections” without explicitly establishing a requirement for authentication, nor does it provide a working definition of a “remote connection.”
  • Part 3.2’s mandate to control the ability of a vendor whose connection has been terminated to reconnect creates a consistency problem. There is no comparable requirement in Requirement R2 for vendor remote connections to BES Cyber Systems and PCAs.
  • A second inconsistency is created by using the term, “remote connection” in R3, whereas the term, “remote access” is used in R2.

N&ST recommends the following changes:

  • Move R3’s proposed Parts 3.1 and 3.2 to R2 and eliminate R3. N&ST sees no need to address vendor remote access to applicable systems in two separate, top-level requirements.
  • Modify the “applicability” language in those two Parts to say, for example:
    • “EACMS and PACS:
    • associated with High Impact BES Cyber Systems, and
    • not located within any of the Responsible Entity’s Electronic Security Perimeter(s).”
      • NOTE: 2nd bullet is taken verbatim from the Glossary definition of IRA
  • Add an explicit requirement to use at least one form of authentication.
  • Consider adding language, taken from the existing IRA definition, that clarifies "vendor remote access" originates from "Cyber Assets used or owned by vendors, contractors, or consultants." The SDT may want to consider adding this to existing R2 Parts 2.4 and 2.5, as well.
  • Change “remote connection” to “remote access.”
  • The proposed requirement to control vendor reconnection should either be eliminated or added to existing R2 Part 2.5.

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 1 - 0

Kelsi Rigby, 9/1/2020

- 0 - 0

Scott Langston, Tallahassee Electric (City of Tallahassee, FL), 1, 9/1/2020

- 0 - 0

Kyle Hussey, On Behalf of: Public Utility District No. 2 of Grant County, Washington, , Segments 1, 4, 5, 6

- 0 - 0

Jesus Sammy Alcaraz, Imperial Irrigation District, 1, 9/2/2020

- 0 - 0

Eli Rivera, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments NA - Not Applicable

- 0 - 0

To separate the remote access from the vendor remote access, FirstEnergy would respectfully suggest that the currently drafted R2 Parts 2.4 and 2.5 are reorganized to become R3 Parts 3.1 and 3.2.  Subsequently, the currently drafted R3 3.1 and 3.2 become Parts 3.3 and 3.4. 

FirstEnergy, Segment(s) 3, 5, 6, 4, 9/3/2020

- 0 - 0

Consumers Energy Company, Segment(s) 1, 3, 4, 5, 11/29/2017

- 0 - 0

Thomas Breene, WEC Energy Group, Inc., 3, 9/4/2020

- 0 - 0

Agree with comments submitted separately by Tom Breene of WEC

Janet OBrien, 9/4/2020

- 0 - 0

ACES does not agree with the use of “authenticated” and “remote connections” in R3.

R3, without the word authenticated, covers all vendor connections. CIP-004 R4.1 already requires access management for EACMS and PACS and CIP-007 R5.1 requires methods to enforce authentication. Further, as discussed on the project 2019-03 webinar, unauthenticated remote access is already addressed by the CIP standards. Lastly, an authorized remote connection can be made without being authenticated. Thus an authorized malicious insider could easily craft a denial of service without ever being completely authenticated. Removing the word “authenticated” would put more emphasis on all vendor connections and increases the security objective of R3. Suggested language:

“Have one or more method(s) to determine vendor initiated remote access.”

Secondly, the CIP standards have always used the NERC defined term: Interactive Remote Access and or remote access vs what is in the draft “remote connections”.  ACES suggests using language consistent with existing standards.  Without defining “remote connections”, it makes the requirement vague and could be interpreted differently.  Suggested language:

“Have one or more method(s) to terminate vendor initiated remote access and control the ability to reconnect.”

ACES Standard Collaborations, Segment(s) 1, 3, 9/4/2020

- 0 - 0

Bruce Reimer, Manitoba Hydro , 1, 9/4/2020

- 0 - 0

BPA proposes the SDT eliminate references to “vendor.” The requirements should apply to any active remote sessions.

Proposed change to R2.4:

Have one or more methods for determining detecting active vendor remote access sessions (including Interactive Remote Access and system-to-system remote access).

Proposed change to R2.5:

Have one or more method(s) to disable active vendor remote access (including Interactive Remote Access and system-to-system remote access).

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

BC Hydro, Segment(s) 3, 5, 1, 12/18/2018

- 0 - 0

Anthony Jablonski, ReliabilityFirst , 10, 9/8/2020

- 0 - 0

DTE Energy - DTE Electric, Segment(s) 5, 4, 3, 1/24/2020

- 0 - 0

Tony Skourtas, Los Angeles Department of Water and Power, 3, 9/8/2020

- 0 - 0

Richard Jackson, U.S. Bureau of Reclamation, 1, 9/8/2020

- 0 - 0

Restoring R2 Parts 2.4 and 2.5 to the original approved CIP-005-6 language is fine, but the language in R3 is unclear. It’s not clear what “authenticated vendor-initiated” remote connections are. The intent seems clear, and the security necessity is warranted, but it is not clear why something like “Have one or more method(s) for determining authorized vendor-initiated remote access connections” is not used. What value does using “authenticated” vendor-initiated remote access connections add? Why is “Remote Connections” used instead of “Remote Access” since R3 is “Vendor Remote Access”? What is considered a remote connection? Does a remote connection include both system-to-system communication and remote access? Is a remote connection from outside of an entity's corporate network, or is it a remote connection from inside an entity's network but behind a firewall and using some remote access client?

Joe Tarantino, On Behalf of: Kevin Smith, Balancing Authority of Northern California, 1; Jamie Cutlip, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Goi, Sacramento Municipal Utility District, 1,3,4,5,6; Beth Tincher, Sacramento Municipal Utility District, 1,3,4,5,6; Arthur Starkovich, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Looney, Sacramento Municipal Utility District, 1,3,4,5,6

- 0 - 0

Oncor supports EEI's comment.

Tho Tran, 9/8/2020

- 0 - 0

ISO-NE agrees with the proposed approach to restore the CIP-005-7 Requirements R2 Parts 2.4 and 2.5. However, ISO-NE recommends the use of consistent “vendor remote access” or “vendor-initiated remote connections” for both Requirement R2 Part 2.4 and R2.5 and the Requirement R3 Parts 3.1 and 3.2.

John Galloway, On Behalf of: Michael Puscas, ISO New England, Inc., 2

- 0 - 0

Texas RE agrees with restoring CIP-005-7 Requirement R2 Parts 2.4 and 2.5 to the original approved CIP-005-6 language, as well as addressing vendor remote access for EACMS and PACS in the newly formed Requirement R3.

 

However, Texas RE is concerned that in addressing vendor remote access for EACMS and PACS, the Standard Drafting Team (SDT) has elected to use the term “authenticated vendor-initiated remote connections.” Texas RE notes that “authenticated vendor-initiated remote connections” is not presently defined. As such, the introduction of such a term may create additional ambiguity, particularly around what constitutes an “authenticated” vendor-initiated remote connection. Texas RE suggests that the SDT could address this concern by clarifying that such access includes “Interactive Remote Access and system-to-system remote access” as presently defined in the current and proposed Requirement 2.4 and 2.5.

Texas RE suggests the “hall of mirrors” concern could be better addressed by adding language to Requirement R3 that excludes Intermediate Systems for EACMS and PACS in the applicability section.  Alternatively, the SDT could revise the definition of Interactive Remote Access to clarify this point.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 9/9/2020

- 0 - 0

Laura Nelson, 9/9/2020

- 0 - 0

If the requirements are technically the same, as it appears, then the new scope should be added to Parts 2.4 and 2.5. However, we believe the SDT was attempting to resolve some ambiguity that currently exists around what is vendor remote access. We commend the SDT for this effort, and request they clarify the existing requirements (parts 2.4 and 2.5). Specifically, vendor remote access should be defined or somehow clarified that it only includes access where the vendor's personnel or system has direct access and ability to control the session. Having IRA and system-to-system listed as examples, but not an all-inclusive list, would also be helpful.

Kjersti Drott, 9/9/2020

- 0 - 0

PG&E believes this is the appropriate modifications in-line with the industry comments made to the second Comment & Ballot.  The restoration of the P2.4 and P2.5, along with the modifications made in Requirement R3 more clearly eliminate the potential interpretation that could have resulted in recursive requirements noted in Question 2 below.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

MidAmerican supports EEI comments.

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 9/9/2020

- 0 - 0

See EEI's comments.

Neil Shockey, 9/9/2020

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 9/9/2020

- 0 - 0

Jose Avendano Mora, Edison International - Southern California Edison Company, 1, 9/9/2020

- 0 - 0

Carl Pineault, Hydro-Québec Production, 5, 9/10/2020

- 0 - 0

Ameren agrees with and supports EEI comments.

David Jendras, Ameren - Ameren Services, 3, 9/10/2020

- 0 - 0

Cleco agrees with EEI comments.

Clay Walker, On Behalf of: Robert Hirchak, Cleco Corporation, 1,3,5,6; John Lindsey, Cleco Corporation, 1,3,5,6; Stephanie Huffman, Cleco Corporation, 1,3,5,6; Maurice Paulk, Cleco Corporation, 1,3,5,6

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 9/10/2020

- 0 - 0

NV Energy supports EEI's comments on Q1:

"While EEI supports the changes made by the SDT, which addressed prior EEI member comments related to CIP-005-7 Requirement R2 Parts 2.4 and 2.5, we ask the SDT to consider revising “vendor remote access” to “vendor initiated remote access” or provide clarification why they believe that all vendor remote access should be considered under Parts 2.4 and 2.5. 

EEI supports the current proposed draft language for Requirement R3."

In addition, NVE supports the revision of "vendor remote access" to "vendor initiated remote access" due to current conflicting interpretations of P2.5 and 2.5 and CIP-005-6 by Regional Entities. WECC has identified videoconferences (initiated by the Entity) as "vendor remote access", which does not align with industry interpretation (NATF, other Regional Entities), so further clarification of this action would provide more clarity for future interpretations.

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 9/10/2020

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Daniel Gacek, Exelon, 1, 9/10/2020

- 0 - 0

The SDT should provide guidance or clarify the role or function of Intermediate Systems in context of providing electronic access to EACMS and PACS located within an ESP vs outside an ESP.

If the SDT intends to exclude Interactive Remote Access (IRA) requirements for EACMS or PACS in CIP-005-7 R3.1 and R3.2, it should clarify that an intermediate system is not required to electronically access an EACMS and PACS located outside an ESP. However, if the EACMS or PACS is located within the ESP, the entity is required to utilize an Intermediate System for electronic access. This brings into scope all CIP-005 R2 requirements.  

Without guidance, entities may interpret that an Intermediate System is never required for the vendor IRA to EACMS or PACS, even though they may exist within an ESP.

The SDT did not use the defined term IRA in R3.1 and R3.2, but if an EACMS or PACS is inside an ESP and the vendor remote access meets the IRA definition, does SDT allow a vendor IRA to the EACMS or PACS inside an ESP without the IRA requirements of CIP-005 R2?

The SDT could consider putting all vendor remote access sub-requirements in one requirement – 3.0.

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1,6

- 0 - 0

Ray Jasicki, On Behalf of: Ray Jasicki, , Segments 1, 3, 5

- 0 - 0

PUD No. 1 of Chelan County , Segment(s) 1, 3, 5, 6, 9/10/2020

- 0 - 0

The ISO/RTO Council Standards Review Committee (IRC SRC) [1] supports the restoration of CIP-005-7 Requirement R2 Parts 2.4 and 2.5 to the original, currently approved CIP-005-6 language and Applicable Systems.

In addition, we agree with the addition of Requirement R3, Parts 3.1 and 3.2 to focus on the directive in FERC Order 850 and the recommendation in the NERC Cyber Security Supply Chain Risks Report to have one or more methods to determine and be able to terminate vendor-initiated remote connections to EACMS and PACS.

That said, the IRC SRC requests the Standard Drafting Team (SDT) provide additional clarity around the term “authenticated” to align and memorialize what was verbally (and non-binding) presented by the SDT in the Project 2019-03 webinar (timestamp 9:00 – 10:00 of 37:24) on August 5, 2020.

[1] For purposes of these comments, the IRC SRC includes the following entities: CAISO, ERCOT, IESO, ISO-NE, MISO, NYISO, PJM and SPP.

ISO/RTO Council Standards Review Committee 2019-03 Supply Chain Risks, Segment(s) 2, 9/10/2020

- 0 - 0

Lana Smith, San Miguel Electric Cooperative, Inc., 5, 9/10/2020

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Kinte Whitehead, Exelon, 3, 9/10/2020

- 0 - 0

Eversource Group, Segment(s) 3, 1, 4/12/2019

- 0 - 0

Andy Fuhrman, On Behalf of: Theresa Allard, Minnkota Power Cooperative Inc., 1

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Cynthia Lee, Exelon, 5, 9/10/2020

- 0 - 0

Agree with leaving R2 as is.

Disagree with need for a R3.  Actually, the SDT should be providing us with a cost/benefit justification for change.

Marty Hostler, Northern California Power Agency, 4, 9/10/2020

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Becky Webb, Exelon, 6, 9/10/2020

- 0 - 0

Westar Energy and Kansas City Power & Light, the Evergy companies, support and incorporate by reference the Edison Electric Institute’s response to Question 1.

Westar-KCPL, Segment(s) 1, 3, 5, 6, 12/18/2018

- 0 - 0

We thought a CIP Modification SDT goal was to remove this language to assist the coming virtualization updates.

 

Request clarification on why CIP-005 R2 Parts 2.4 & 2.5 use the phrase “vendor remote access” while CIP-013 R1 Part 1.2.6 uses the phrase “vendor-initiated remote access” We are concerned that omitting “initiated” may introduce unintended requirements in CIP-005.

NPCC Regional Standards Committee, Segment(s) 10, 2, 4, 7, 3, 1, 5, 6, 9/10/2020

- 0 - 0

Teresa Krabe, Lower Colorado River Authority, 5, 9/10/2020

- 0 - 0

James Baldwin, On Behalf of: Lower Colorado River Authority, , Segments 1, 5

- 0 - 0

The CAISO supports the ISO/RTO Council Standards Review Committee comments below.

ISO/RTO Council Standards Review Committee (IRC SRC)[1] supports the restoration of CIP-005-7 Requirement R2 Parts 2.4 and 2.5 to the original, currently approved CIP-005-6 language and Applicable Systems.

In addition, we agree with the addition of Requirement R3, Parts 3.1 and 3.2 to focus on the directive in FERC Order 850 and the recommendation in the NERC Cyber Security Supply Chain Risks Report to have one or more methods to determine and be able to terminate vendor-initiated remote connections to EACMS and PACS.

That said, the IRC SRC requests the Standard Drafting Team (SDT) provide additional clarity around the term “authenticated” to align and memorialize what was verbally (and non-binding) presented by the SDT in the Project 2019-03 webinar (timestamp 9:00 – 10:00 of 37:24) on August 5, 2020.

[1] For purposes of these comments, the IRC SRC includes the following entities: CAISO, ERCOT, IESO, ISO-NE, MISO, NYISO, PJM and SPP.

Monika Montez, On Behalf of: California ISO, WECC, Segments 2

- 0 - 0

GSOC greatly appreciates the drafting team’s efforts and thoughtful approach regarding this proposal.  However, it is concerned that the splitting of these requirements creates significant potential for very different compliance obligations for the different classes of assets while attaining the same or similar cyber security protections as would be garnered solely with either set of requirements.  More specifically, the differentiation between the requirements for PACS and EACMSs and the assets to which access is sought is likely to cause confusion as well as increase the potential for differing interpretations of compliance and “double jeopardy.”  That the proposed split of requirements would likely provide little or no additional security benefit, while being unduly burdensome for entities, creates additional concerns for responsible entities as they try to focus their resources on those activities that will have a net effect of enhancing security.

GSOC understands that industry comments have driven these proposed changes, and agrees that valid concerns have been presented (e.g., the hall of mirrors). In its response to question #2, GSOC proposes an approach to addressing these previous concerns and comments that will allow a return to a simpler approach for the requirements generally. We respectfully recommend that the SDT consider utilizing alternative approaches such as are proposed below, e.g., definition revision, to allow the requirements to more clearly and succinctly meet the Commission directives regarding EACMS and PACS.  This simpler approach to address concerns will facilitate a reversion of the requirement language to the initial proposal where EACMSs and PACs were added as applicable systems for the existing requirements.

Andrea Barclay, 9/10/2020

- 0 - 0

Requirements R2 and R3 have subtly different language (e.g. "disable" vs. "terminate" and "vendor-initiated") in addition to different applicability.  Matching the language or updating the language so the same processes developed for R2 could be used for R3 would reduce regulatory burden.

Trevor Tidwell, 9/10/2020

- 0 - 0

Requirements R2 and R3 have subtly different language (e.g. "disable" vs. "terminate" and "vendor-initiated") in addition to different applicability. Matching the language or updating the language so the same processes developed for R2 could be used for R3 would reduce regulatory burden.

Laurie Williams, 9/10/2020

- 0 - 0

Hot Answers

Jennie Wike, On Behalf of: Marc Donaldson, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; Ozan Ferrin, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; John Merrell, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; Hien Ho, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; Terry Gifford, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6

- 0 - 0

Please reference Marty Hostler, Northern California Power Agency, comments.

Dennis Sismaet, Northern California Power Agency, 6, 9/10/2020

- 0 - 0

Other Answers

Duke Energy generally agrees with the removal of the references to Interactive Remote Access (IRA) and the undefined term system to system from CIP-005-7 Requirements R3 Parts 3.1 and 3.2.

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

Matthew Nutsch, On Behalf of: Seattle City Light, WECC, Segments 1, 3, 4, 5, 6

- 0 - 0

Joshua Andersen, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

While N&ST agrees that recursive requirements should be avoided, we believe the proposed changes do not address the possibility of an EACMS or PACS being located within an established Electronic Security Perimeter with sufficient clarity. N&ST recommends, in addition to moving R3 Parts 3.1 and 3.2 to R2 and eliminating R3, that "Applicability" language for those two Parts be modified to clarify that they apply to EACMS and PACS that are not located within any of the Responsible Entity's Electronic Security Perimeters.

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Kelsi Rigby, 9/1/2020

- 0 - 0

Scott Langston, Tallahassee Electric (City of Tallahassee, FL), 1, 9/1/2020

- 0 - 0

Kyle Hussey, On Behalf of: Public Utility District No. 2 of Grant County, Washington, , Segments 1, 4, 5, 6

- 0 - 0

Jesus Sammy Alcaraz, Imperial Irrigation District, 1, 9/2/2020

- 0 - 0

Eli Rivera, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments NA - Not Applicable

- 0 - 0

FirstEnergy, Segment(s) 3, 5, 6, 4, 9/3/2020

- 0 - 0

Consumers Energy Company, Segment(s) 1, 3, 4, 5, 11/29/2017

- 0 - 0

Thomas Breene, WEC Energy Group, Inc., 3, 9/4/2020

- 0 - 0

Agree with comments submitted separately by Tom Breene of WEC

Janet OBrien, 9/4/2020

- 0 - 0

ACES Standard Collaborations, Segment(s) 1, 3, 9/4/2020

- 0 - 0

If the SDT intends to exclude IRA requirements for EACMS or PACS, we suggest the SDT should clarify Intermediate Systems are not required for EACMS and PACS only if the EACMS and PACS are located outside ESP. We understand that the SDT didn’t use the defined term IRA in R3.1 and R3.2, but if an EACMS or PACS is inside an ESP and the vendor remote access meets the IRA definition, does SDT allow a vendor IRA to the EACMS or PACS inside an ESP without compliance with IRA requirements of CIP-005 R2?

Bruce Reimer, Manitoba Hydro , 1, 9/4/2020

- 0 - 0

BPA believes the SDT should address this issue with requirements aimed at securing the management plane of EACMS rather than continuing down the path of perimeter-based security and bastion hosts (jump boxes and DMZs) as a sole protection for protected enclaves. This would clarify the recursive effect of “intermediate systems for intermediate systems ad nauseam.” This recursive effect problem seems related to the history of previous drafting teams endlessly debating whether a “packet to a port” is “access.” There may be a connection (a term with no recognized and easily specified meaning in NIST); however, a connection is generally not considered “authenticated” because “authentication” occurs at a different layer of the OSI model. Authentication is associated with sessions (ephemeral or time limited and specific to an interactive or programmed action) rather than connections (which are typically permanently configured, filtered, and existing at least in potential all the time, more associated with physical infrastructure as well).

There is a problem buried in current discussions of “authenticated” or “provisioned” access that will continue to encourage entities to avoid more advanced technology such as next generation firewalls with role-based permissions. Currently, standard and extended access control lists based upon source, destination, and port/protocol contain no “authentication” mechanism. Filtering based upon source and destination is not a means of authentication. Therefore, a “packet to a port” to an EACMS that is allowed by source IP is a connection, and lacks authentication, but does not constitute “access.” Industry typically does not refer to “unauthenticated connections” but rather to authenticated or unauthenticated “sessions.” The SDT should conform to this more-common terminology because it tracks better with security principles and the technical implementations of authentication mechanisms. Establishing a “session” to an EACMS to manage/configure it would constitute “access”, and require authentication and other security controls securing the management plane. Under this construct, requirements can be crafted to avoid the recursive perimeter protection problem.

Entities could design a solution where any unauthenticated connection, using only an IP source address to authorize passing the traffic, would avoid the requirement to detect active sessions entirely.  This perverse incentive/loophole must be discouraged.

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0
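The connection-versus-session distinction that BPA draws in the comment above (an ACL permit keyed on source, destination and port is a connection with no authentication; an authenticated management-plane session is access) can be made concrete with a small detection script. The following Python is an added example written for this page; it is not part of any commenter's submission, the draft standard, or its Technical Rationale. Every log line, address range, username, session id and field name in it is constructed. It runs two views over the same constructed data: a session-level view in the spirit of a Part 2.4-style "determine active vendor remote access sessions" method, and a connection-level view that lists vendor-sourced traffic the ACL permitted but that never became an authenticated session, which is exactly the traffic a session-only detector would not report.

```python
"""Connection vs. authenticated session: two detection views over constructed logs.

Added example, not part of the NERC comment record. All data below is constructed.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed: address range this hypothetical entity assigns to vendor support access.
VENDOR_NETS = [ip_network("203.0.113.0/24")]

# Constructed firewall/ACL log. PERMIT decisions here are made purely on
# source, destination and port; nothing in this log proves who is on the other end.
ACL_LOG = [
    "2020-09-10T14:00:05Z PERMIT src=203.0.113.17 dst=10.20.0.5 dport=443 proto=tcp",
    "2020-09-10T14:00:06Z PERMIT src=198.51.100.9 dst=10.20.0.5 dport=443 proto=tcp",
    "2020-09-10T14:02:30Z PERMIT src=203.0.113.44 dst=10.20.0.5 dport=161 proto=udp",
]

# Constructed EACMS management-plane log. Sessions carry an authenticated identity.
SESSION_LOG = [
    "2020-09-10T14:00:07Z SESSION_START sid=a1 user=vendor-svc src=203.0.113.17 dst=10.20.0.5",
    "2020-09-10T14:00:09Z SESSION_START sid=b2 user=ops.jones src=198.51.100.9 dst=10.20.0.5",
    "2020-09-10T14:10:00Z SESSION_END sid=b2",
]

# Constructed point in time at which the "active sessions" question is asked.
REPORT_TIME = datetime(2020, 9, 10, 14, 15, tzinfo=timezone.utc)


def parse_line(line: str) -> dict:
    """Split 'timestamp EVENT k=v k=v ...' into a dict with parsed timestamp."""
    ts, event, *kvs = line.split()
    rec = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event": event,
    }
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def is_vendor_source(ip: str) -> bool:
    """True when the source address falls in a range assigned to vendors."""
    addr = ip_address(ip)
    return any(addr in net for net in VENDOR_NETS)


def active_vendor_sessions(session_log, now: datetime) -> list:
    """Session-level view: authenticated vendor sessions still open at `now`.

    Replays SESSION_START/SESSION_END events up to `now` and returns the ids of
    sessions that started from a vendor address and have not ended.
    """
    open_sessions = {}
    for line in session_log:
        rec = parse_line(line)
        if rec["ts"] > now:
            continue
        if rec["event"] == "SESSION_START":
            open_sessions[rec["sid"]] = rec
        elif rec["event"] == "SESSION_END":
            open_sessions.pop(rec["sid"], None)
    return sorted(sid for sid, rec in open_sessions.items() if is_vendor_source(rec["src"]))


def unauthenticated_vendor_connections(acl_log, session_log) -> list:
    """Connection-level view: vendor traffic the ACL permitted with no authenticated session.

    A (src, dst) pair that appears in a SESSION_START is treated as having reached
    the authentication layer; any other permitted vendor-sourced flow is reported,
    because a session-only detector would never see it.
    """
    authenticated = set()
    for line in session_log:
        rec = parse_line(line)
        if rec["event"] == "SESSION_START":
            authenticated.add((rec["src"], rec["dst"]))
    findings = []
    for line in acl_log:
        rec = parse_line(line)
        if rec["event"] != "PERMIT" or not is_vendor_source(rec["src"]):
            continue
        if (rec["src"], rec["dst"]) not in authenticated:
            findings.append({k: rec[k] for k in ("src", "dst", "dport", "proto")})
    return findings


if __name__ == "__main__":
    print("active vendor sessions:", active_vendor_sessions(SESSION_LOG, REPORT_TIME))
    print("permitted but unauthenticated vendor connections:")
    for f in unauthenticated_vendor_connections(ACL_LOG, SESSION_LOG):
        print("  ", f)
```

The session view reports only session a1 (vendor-svc, still open at the report time; b2 is from a non-vendor address and has ended). The connection view additionally surfaces the SNMP flow from 203.0.113.44 that the ACL allowed on source address alone: it is a connection in BPA's sense, not access, and a method that looks only for authenticated sessions would miss it. Which of the two views a requirement obliges an entity to implement is precisely the wording question the comments on this page are about.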

BC Hydro, Segment(s) 3, 5, 1, 12/18/2018

- 0 - 0

These changes address the issues with undefined terms and broaden the scope appropriately.

Anthony Jablonski, ReliabilityFirst , 10, 9/8/2020

- 0 - 0

DTE Energy - DTE Electric, Segment(s) 5, 4, 3, 1/24/2020

- 0 - 0

Tony Skourtas, Los Angeles Department of Water and Power, 3, 9/8/2020

- 0 - 0

Richard Jackson, U.S. Bureau of Reclamation, 1, 9/8/2020

- 0 - 0

Joe Tarantino, On Behalf of: Kevin Smith, Balancing Authority of Northern California, 1; Jamie Cutlip, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Goi, Sacramento Municipal Utility District, 1,3,4,5,6; Beth Tincher, Sacramento Municipal Utility District, 1,3,4,5,6; Arthur Starkovich, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Looney, Sacramento Municipal Utility District, 1,3,4,5,6

- 0 - 0

Oncor supports EEI's comment.

Tho Tran, 9/8/2020

- 0 - 0

ISO-NE agrees with the proposed approach to restore the CIP-005-7 Requirements R3. However, ISO-NE recommends the use of consistent “vendor remote access” or “vendor-initiated remote connections” for both Requirement R2 Part 2.4 and R2.5 and the Requirement R3 Parts 3.1 and 3.2.

John Galloway, On Behalf of: Michael Puscas, ISO New England, Inc., 2

- 0 - 0

Please see Texas RE’s comments on #1.  Texas RE also suggests that defining “system-to-system” could add clarification.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 9/9/2020

- 0 - 0

Laura Nelson, 9/9/2020

- 0 - 0

Tri-State does not agree with the new terminology, as it is open to interpretation.

Kjersti Drott, 9/9/2020

- 1 - 0

PG&E agrees with the modification and that it does help clarify the condition of elimination of a recursive requirement (hall of mirrors) and that the Requirement is for the EACMS and PACS, and not the BCS.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

MidAmerican supports EEI comments

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 9/9/2020

- 0 - 0

See EEI's comments

Neil Shockey, 9/9/2020

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 9/9/2020

- 0 - 0

Jose Avendano Mora, Edison International - Southern California Edison Company, 1, 9/9/2020

- 0 - 0

Carl Pineault, Hydro-Québec Production, 5, 9/10/2020

- 0 - 0

Ameren agrees with and supports EEI comments.

David Jendras, Ameren - Ameren Services, 3, 9/10/2020

- 0 - 0

Cleco agrees with EEI comments.

Clay Walker, On Behalf of: Robert Hirchak, Cleco Corporation, 1,3,5,6; John Lindsey, Cleco Corporation, 1,3,5,6; Stephanie Huffman, Cleco Corporation, 1,3,5,6; Maurice Paulk, Cleco Corporation, 1,3,5,6

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 9/10/2020

- 0 - 0

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 9/10/2020

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Daniel Gacek, Exelon, 1, 9/10/2020

- 0 - 0

It is important that the SDT clarify the applicable in-scope systems based on their risk to the Bulk Electric System and further clarify the role of Intermediate Systems and their capabilities and functions.

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1,6

- 0 - 0

Ray Jasicki, On Behalf of: Ray Jasicki, , Segments 1, 3, 5

- 0 - 0

PUD No. 1 of Chelan County , Segment(s) 1, 3, 5, 6, 9/10/2020

- 0 - 0

The IRC SRC supports the removal of references to IRA and the undefined term “system to system” from CIP-005-7, requirement R3, Parts 3.1 and 3.2 to clarify that Intermediate Systems are optional and not required for EACMS or PACS. 

ISO/RTO Council Standards Review Committee 2019-03 Supply Chain Risks, Segment(s) 2, 9/10/2020

- 0 - 0

Lana Smith, San Miguel Electric Cooperative, Inc., 5, 9/10/2020

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Kinte Whitehead, Exelon, 3, 9/10/2020

- 0 - 0

Eversource Group, Segment(s) 3, 1, 4/12/2019

- 0 - 0

Andy Fuhrman, On Behalf of: Theresa Allard, Minnkota Power Cooperative Inc., 1

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Cynthia Lee, Exelon, 5, 9/10/2020

- 0 - 0

N/A

Marty Hostler, Northern California Power Agency, 4, 9/10/2020

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Becky Webb, Exelon, 6, 9/10/2020

- 0 - 0

Westar Energy and Kansas City Power & Light, the Evergy companies, support and incorporate by reference the Edison Electric Institute’s response to Question 2.

Westar-KCPL, Segment(s) 1, 3, 5, 6, 12/18/2018

- 0 - 0

We agree with the SDT on removing the hall of mirrors. But the “authentication” clarification below is necessary.

 

We request clarification of authenticating. The Technical Rationale, page 11 under R3, says this “authenticating” means authenticating the connection, not authenticating the user. This clarification should be in this Standard. This clarification is needed to avoid confusion with CIP-004.

 

We request clarification on the distinction between “connection” and “access.”

NPCC Regional Standards Committee, Segment(s) 10, 2, 4, 7, 3, 1, 5, 6, 9/10/2020

- 0 - 0

Teresa Krabe, Lower Colorado River Authority, 5, 9/10/2020

- 0 - 0

James Baldwin, On Behalf of: Lower Colorado River Authority, , Segments 1, 5

- 0 - 0

The CAISO supports the ISO/RTO Council Standards Review Committee comments below.

The IRC SRC supports the removal of references to IRA and the undefined term “system to system” from CIP-005-7, requirement R3, Parts 3.1 and 3.2 to clarify that Intermediate Systems are optional and not required for EACMS or PACS.

Monika Montez, On Behalf of: California ISO, WECC, Segments 2

- 0 - 0

GSOC appreciates the SDT’s efforts to remove the “hall of mirrors” concerns, but suggests a return to the simpler approach for the requirements as discussed in its response to question #1. To support this reversion, GSOC recommends the following revision to the definition of EACMS to address the “Hall of Mirrors” concern: Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems and does not include those systems that only perform electronic access control or electronic access monitoring to or from other EACMSs.

GSOC suggests that incorporating the recommended revision above will address the “hall of mirrors” concern, which will allow the SDT to revert the proposed language to the simpler approach described in question 1 above and eliminate the need to create multiple requirements to address the same or similar security and access controls/objectives. 

Andrea Barclay, 9/10/2020

- 0 - 0

Trevor Tidwell, 9/10/2020

- 0 - 0

Laurie Williams, 9/10/2020

- 0 - 0

Hot Answers

Jennie Wike, On Behalf of: Marc Donaldson, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; Ozan Ferrin, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; John Merrell, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; Hien Ho, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; Terry Gifford, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6

- 0 - 0

please reference Marty Hostler, Northern California Power Agency, comments

Dennis Sismaet, Northern California Power Agency, 6, 9/10/2020

- 0 - 0

Other Answers

Duke Energy generally agrees with the removal of the references to Interactive Remote Access (IRA).

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

Matthew Nutsch, On Behalf of: Seattle City Light, WECC, Segments 1, 3, 4, 5, 6

- 0 - 0

Joshua Andersen, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Kelsi Rigby, 9/1/2020

- 0 - 0

Scott Langston, Tallahassee Electric (City of Tallahassee, FL), 1, 9/1/2020

- 0 - 0

Kyle Hussey, On Behalf of: Public Utility District No. 2 of Grant County, Washington, , Segments 1, 4, 5, 6

- 0 - 0

Jesus Sammy Alcaraz, Imperial Irrigation District, 1, 9/2/2020

- 0 - 0

Eli Rivera, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments NA - Not Applicable

- 0 - 0

FirstEnergy, Segment(s) 3, 5, 6, 4, 9/3/2020

- 0 - 0

Consumers Energy Company, Segment(s) 1, 3, 4, 5, 11/29/2017

- 0 - 0

Thomas Breene, WEC Energy Group, Inc., 3, 9/4/2020

- 0 - 0

Agree with comments submitted separately by Tom Breene of WEC

Janet OBrien, 9/4/2020

- 0 - 0

ACES Standard Collaborations, Segment(s) 1, 3, 9/4/2020

- 0 - 0

The phrase “coordinating controls” in Part 1.2.6 is not defined and should be clarified what it means explicitly.

Bruce Reimer, Manitoba Hydro , 1, 9/4/2020

- 0 - 0

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

BC Hydro, Segment(s) 3, 5, 1, 12/18/2018

- 0 - 0

Anthony Jablonski, ReliabilityFirst , 10, 9/8/2020

- 0 - 0

DTE Energy - DTE Electric, Segment(s) 5, 4, 3, 1/24/2020

- 0 - 0

Tony Skourtas, Los Angeles Department of Water and Power, 3, 9/8/2020

- 0 - 0

Richard Jackson, U.S. Bureau of Reclamation, 1, 9/8/2020

- 0 - 0

Joe Tarantino, On Behalf of: Kevin Smith, Balancing Authority of Northern California, 1; Jamie Cutlip, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Goi, Sacramento Municipal Utility District, 1,3,4,5,6; Beth Tincher, Sacramento Municipal Utility District, 1,3,4,5,6; Arthur Starkovich, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Looney, Sacramento Municipal Utility District, 1,3,4,5,6

- 0 - 0

Oncor supports EEI's comment.

Tho Tran, 9/8/2020

- 0 - 0

ISO-NE supports the removal of the references to IRA and the undefined term system-to-system for CIP-013-2. To avoid confusion, ISO-NE recommends that SDT ensures the CIP-013-2 R1.2.6 language and vendor terms remain consistent with the CIP-005 and CIP-010 supply chain requirements.

John Galloway, On Behalf of: Michael Puscas, ISO New England, Inc., 2

- 0 - 0

Texas RE notes that the Standard Drafting Team (SDT) removed references to remote access and system-to-system communications from CIP-013-2 R1.2.6 and elected instead to define the term “remote access” in that proposed requirement as included “vendor-initiated remote connections and system to system remote connections for EACMS and PACS; and vendor-initiated [Interactive Remote Access (IRA)] and system to system access to BCS and PCAs” in the Technical Rationale document.  Texas RE suggests that the SDT instead retain the general requirement that Requirement 1.2.6 apply to system-to-system remote access directly within the requirement language.  Texas RE further suggests that the SDT could address concerns regarding the requirement that EACMS and PACS themselves have intermediate systems by adding language to Requirement R1.2.6 that excludes Intermediate Systems for EACMS and PACS in the applicability section.  Alternatively, the SDT could revise the definition of Interactive Remote Access to clarify this point, obviating the need for the proposed changes to CIP-013-2 R1.2.6.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 9/9/2020

- 0 - 0

Laura Nelson, 9/9/2020

- 0 - 0

Kjersti Drott, 9/9/2020

- 0 - 0

PG&E believes this modification aligns CIP-013 Requirement P1.2.6 with the modifications made in CIP-005 and removes operational requirements from the CIP-013 plan.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 9/9/2020

- 0 - 0

See EEI's comments

Neil Shockey, 9/9/2020

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 9/9/2020

- 0 - 0

Jose Avendano Mora, Edison International - Southern California Edison Company, 1, 9/9/2020

- 0 - 0

Carl Pineault, Hydro-Québec Production, 5, 9/10/2020

- 0 - 0

Ameren agrees with and supports EEI comments.

David Jendras, Ameren - Ameren Services, 3, 9/10/2020

- 0 - 0

Cleco agrees with EEI comments.

Clay Walker, On Behalf of: Robert Hirchak, Cleco Corporation, 1,3,5,6; John Lindsey, Cleco Corporation, 1,3,5,6; Stephanie Huffman, Cleco Corporation, 1,3,5,6; Maurice Paulk, Cleco Corporation, 1,3,5,6

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 9/10/2020

- 0 - 0

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 9/10/2020

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Daniel Gacek, Exelon, 1, 9/10/2020

- 0 - 0

The SDT should ensure industry understands that CIP-013 Parts R1.2.5 and R1.2.6 are included as security controls required from the relationship of entities and vendors as part of an entity's CIP-013 Supply Chain Cyber Security plan – i.e., when establishing a new supply chain vendor relationship with a vendor or enhancing the existing supply chain cyber security relationships. In general, the actions and outputs of a Supply Chain (and CIP-013) program occur before an entity onboards or maintains a system.

The phrase “coordinating controls” is not defined nor well understood in CIP-013

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1,6

- 0 - 0

Ray Jasicki, On Behalf of: Ray Jasicki, , Segments 1, 3, 5

- 0 - 0

PUD No. 1 of Chelan County , Segment(s) 1, 3, 5, 6, 9/10/2020

- 0 - 0

The IRC SRC supports the removal of references to IRA and the undefined term, “system to system” from CIP-013-2, requirement R1.2.6. In addition, we agree with the addition of EACMS and PACS to meet what was directed in FERC Order 850 and the recommendation in the NERC Cyber Security Supply Chain Risks Report.

ISO/RTO Council Standards Review Committee 2019-03 Supply Chain Risks, Segment(s) 2, 9/10/2020

- 0 - 0

Lana Smith, San Miguel Electric Cooperative, Inc., 5, 9/10/2020

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Kinte Whitehead, Exelon, 3, 9/10/2020

- 0 - 0

Eversource Group, Segment(s) 3, 1, 4/12/2019

- 0 - 0

Andy Fuhrman, On Behalf of: Theresa Allard, Minnkota Power Cooperative Inc., 1

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Cynthia Lee, Exelon, 5, 9/10/2020

- 0 - 0

N/A

Marty Hostler, Northern California Power Agency, 4, 9/10/2020

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Becky Webb, Exelon, 6, 9/10/2020

- 0 - 0

Westar-KCPL, Segment(s) 1, 3, 5, 6, 12/18/2018

- 0 - 0

We agree that CIP-013 should remain the Plan while CIP-005 and CIP-010 are technical.

NPCC Regional Standards Committee, Segment(s) 10, 2, 4, 7, 3, 1, 5, 6, 9/10/2020

- 0 - 0

Teresa Krabe, Lower Colorado River Authority, 5, 9/10/2020

- 0 - 0

James Baldwin, On Behalf of: Lower Colorado River Authority, , Segments 1, 5

- 0 - 0

The CAISO supports the ISO/RTO Council Standards Review Committee comments below.

The IRC SRC supports the removal of references to IRA and the undefined term, “system to system” from CIP-013-2, requirement R1.2.6. In addition, we agree with the addition of EACMS and PACS to meet what was directed in FERC Order 850 and the recommendation in the NERC Cyber Security Supply Chain Risks Report. 

Monika Montez, On Behalf of: California ISO, WECC, Segments 2

- 0 - 0

GSOC appreciates the SDT’s proposal, but would offer that references to vendor-initiated remote access should be consistent throughout the body of the supply chain standards. In its review, GSOC identified the following different terms that appeared to be used either interchangeably or with the same or similar objectives:  

  • In CIP-005, GSOC identified the terms “active vendor remote access sessions (including Interactive Remote Access and system-to-system remote access)” in requirement R2.4; “active vendor remote access (including Interactive Remote Access and system-to-system remote access)” in requirement R2.5; and “authenticated vendor-initiated remote connections” in requirements R3.1 and 3.2.
  • In CIP-013, GSOC identified the term “vendor-initiated remote access” in requirement R1.2.6.

All of these terms appear to have the same connotation and objective.  Yet they are all slightly different in more ways than just reserving technical aspects for the more technical standards.

Utilization of different terms could lead to the interpretation of different scopes or objectives, which would result in confusion, ambiguity, and subjectivity in both implementation and compliance enforcement. Conversely, utilization of the same terms in multiple requirements makes the definition, scope, and objective clearer and simpler. It also makes implementation more straightforward and easier to audit.

For these reasons, GSOC suggests that the SDT consider defining vendor-initiated remote access and, then, utilize the defined term throughout the body of supply chain reliability standards to eliminate the potential for confusion regarding these undefined terms. To facilitate the SDT’s review and potential adoption of this suggestion, GSOC proposes the following definition of vendor-initiated remote access:

User-initiated access by a Vendor employing a remote access client or other remote access technology using a routable protocol and is inclusive of Interactive Remote Access and system-to-system communications. Vendor is defined as those persons, companies, or other organizations with whom the Responsible Entity, or its affiliates, contract with to supply BES Cyber Systems and related services, but is not inclusive of other NERC registered entities providing reliability services.  

Andrea Barclay, 9/10/2020

- 0 - 0

Trevor Tidwell, 9/10/2020

- 0 - 0

Laurie Williams, 9/10/2020

- 0 - 0

Hot Answers

Jennie Wike, On Behalf of: Marc Donaldson, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; Ozan Ferrin, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; John Merrell, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; Hien Ho, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; Terry Gifford, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6

- 0 - 0

please reference Marty Hostler, Northern California Power Agency, comments

Dennis Sismaet, Northern California Power Agency, 6, 9/10/2020

- 0 - 0

Other Answers

Duke Energy sees potential schedule and cost risks in implementing yet to be defined tools. 

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

Matthew Nutsch, On Behalf of: Seattle City Light, WECC, Segments 1, 3, 4, 5, 6

- 0 - 0

We recommend defining the term ‘Vendor Initiated Remote Access’, and define who is considered a vendor.

Joshua Andersen, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

N&ST recommends modifying proposed changes to CIP-005, as per our response to Question 1.

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Kelsi Rigby, 9/1/2020

- 0 - 0

Scott Langston, Tallahassee Electric (City of Tallahassee, FL), 1, 9/1/2020

- 0 - 0

Kyle Hussey, On Behalf of: Public Utility District No. 2 of Grant County, Washington, , Segments 1, 4, 5, 6

- 0 - 0

Jesus Sammy Alcaraz, Imperial Irrigation District, 1, 9/2/2020

- 0 - 0

Eli Rivera, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments NA - Not Applicable

- 0 - 0

FirstEnergy, Segment(s) 3, 5, 6, 4, 9/3/2020

- 0 - 0

Consumers Energy Company, Segment(s) 1, 3, 4, 5, 11/29/2017

- 0 - 0

Thomas Breene, WEC Energy Group, Inc., 3, 9/4/2020

- 0 - 0

Agree with comments submitted separately by Tom Breene of WEC

Janet OBrien, 9/4/2020

- 0 - 0

ACES Standard Collaborations, Segment(s) 1, 3, 9/4/2020

- 0 - 0

Bruce Reimer, Manitoba Hydro , 1, 9/4/2020

- 0 - 0

The basic capability of detecting (which is a better term than determine) remote session activity is the relevant security control. Whether that activity is initiated by a vendor, partner, customer, or an employee is irrelevant to the technical capability. Scoping the requirement narrowly does not provide significant cost savings and still allows for poor security. BPA does not agree with feedback that monitoring for remote sessions by employees could be a union issue. There is a difference between monitoring for external sessions vs monitoring employee activity within a session and this requirement does not go that far. Insider threat remains the number one threat to critical infrastructure and the ability to actively detect and terminate a session regardless of who originates it is a key cyber security control.

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

BC Hydro recommends changing the applicability around PACS to be associated with Medium Impact BCS with ERC instead of just Medium Impact BCS to avoid confusion.  The modifications under CIP-010-4 R1.6 to include PACS associated with Medium Impact BES Cyber Systems is otherwise out of alignment in regards to the application of PACS under the CIP standards.  The CIP standards under CIP-006-6 require the application of PACS in environments associated with High Impact BES Cyber Systems, Medium Impact BES Cyber Systems with External Routable Connectivity, and associated EACMS and PCAs but do not require this for Medium Impact BES Cyber Systems without ERC.  By expanding the requirement and application of PACS to Medium Impact BES Cyber Systems without any qualifier per CIP-010-4 R1.6, it is not clear whether this is implied to bring into scope similar or identical cyber assets to PACS that may be used by entities to restrict and/or monitor access to Medium Impact without ERC BES Cyber Systems but which would not meet the definition of PACS (even though the application of these are not required by the standards).

BC Hydro, Segment(s) 3, 5, 1, 12/18/2018

- 0 - 0

Anthony Jablonski, ReliabilityFirst , 10, 9/8/2020

- 0 - 0

DTE Energy - DTE Electric, Segment(s) 5, 4, 3, 1/24/2020

- 0 - 0

Tony Skourtas, Los Angeles Department of Water and Power, 3, 9/8/2020

- 0 - 0

To minimize churn among standard versions and better identify the scope, Reclamation recommends the SDT take additional time to coordinate the modifications in CIP-005-7, CIP-010-4, and CIP-013-2 with other existing drafting teams for related standards; specifically, Projects 2016-02, 2020-03, and 2020-04.  This will help minimize the costs associated with the planning and adjustments required to achieve compliance with frequently changing requirements. NERC should foster a standards development environment that will allow entities to fully implement technical compliance with current standards before moving to subsequent versions. This will provide entities economic relief by better aligning the standards for overall improved reliability and by reducing the chances that standards will conflict with one another.

Richard Jackson, U.S. Bureau of Reclamation, 1, 9/8/2020

- 0 - 0

“vendor-initiated remote access” only seems to apply to R3 of CIP-005-7, so the summary above does not accurately reflect the changes to R2 of CIP-005-7. “Vendor Initiated” should be included in CIP-007 R2.4 and 2.5. Leaving non-vendor initiated remote access in R2.4 and R2.5 is purely administrative in nature. SMUD has implemented this requirement as it is currently written and has found it to be both operationally inefficient and lacking value from a security standpoint.

For R3, this question cannot be answered because it is unclear what constitutes an authenticated vendor-initiated remote connection.

Joe Tarantino, On Behalf of: Kevin Smith, Balancing Authority of Northern California, 1; Jamie Cutlip, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Goi, Sacramento Municipal Utility District, 1,3,4,5,6; Beth Tincher, Sacramento Municipal Utility District, 1,3,4,5,6; Arthur Starkovich, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Looney, Sacramento Municipal Utility District, 1,3,4,5,6

- 0 - 0

Tho Tran, 9/8/2020

- 0 - 0

Although ISO-NE acknowledges the importance of establishing Supply Chain requirements associated with EACMS and PACS, ISO-NE respectfully believes that it cannot clearly determine if the modified requirements would meet the FERC directives in a cost effective manner because the current CIP-005-6, CIP-010-3 and CIP-013-1 standards have yet to become effective. It is difficult to determine cost-effectiveness when the approach is to build on requirements that the Industry has had limited experience with and limited opportunities for lessons learned or to mature processes and controls.

John Galloway, On Behalf of: Michael Puscas, ISO New England, Inc., 2

- 0 - 0

Rachel Coyne, Texas Reliability Entity, Inc., 10, 9/9/2020

- 0 - 0

Laura Nelson, 9/9/2020

- 0 - 0

Do not agree. Tri-State contends that the edits should have been risk-based and only applicable to the control portions of PACS and EACMS, and not also the monitoring portions of those systems.

Additionally, time and resources would be saved if the SDT would include language that clarifies that entity-initiated remote access and entity-initiated vendor remote access are not prohibited by CIP standards.

Kjersti Drott, 9/9/2020

- 0 - 0

PG&E cannot agree the modifications are cost effective since the work to complete the implementation of the CIP-013-1 set of Standards is just being completed and full testing has not been completed to determine the cost of that work.  As noted in the PG&E input on the first Comment & Ballot for these modifications, PG&E would have preferred to have an “Unknown” option to select.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 9/9/2020

- 0 - 0

See EEI's comments

Neil Shockey, 9/9/2020

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 9/9/2020

- 0 - 0

Jose Avendano Mora, Edison International - Southern California Edison Company, 1, 9/9/2020

- 0 - 0

Carl Pineault, Hydro-Québec Production, 5, 9/10/2020

- 0 - 0

Ameren agrees with and supports EEI comments.

David Jendras, Ameren - Ameren Services, 3, 9/10/2020

- 0 - 0

No comment on cost effectiveness of the proposed changes.

Clay Walker, On Behalf of: Robert Hirchak, Cleco Corporation, 1,3,5,6; John Lindsey, Cleco Corporation, 1,3,5,6; Stephanie Huffman, Cleco Corporation, 1,3,5,6; Maurice Paulk, Cleco Corporation, 1,3,5,6

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 9/10/2020

- 0 - 0

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 9/10/2020

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Daniel Gacek, Exelon, 1, 9/10/2020

- 0 - 0

Unfortunately, there is a continual misplacement and shift of requirements (Parts) related to their given security objectives within the CIP framework. NERC is chartered with the edict to map CIP to NIST and the SDT should keep this in mind when developing standards.

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1,6

- 0 - 0

Ray Jasicki, On Behalf of: Ray Jasicki, , Segments 1, 3, 5

- 0 - 0

PUD No. 1 of Chelan County , Segment(s) 1, 3, 5, 6, 9/10/2020

- 0 - 0

While the IRC SRC acknowledges that EACMS and PACS are important to protect and believes it is good business practice to apply supply chain security controls to all Cyber Assets in the enterprise, it also believes that regulatory compliance has the potential to increase the cost of implementation and maintenance. At times, this can be dramatic, to a point where it may be detrimental to a company’s overall security posture, thereby ultimately increasing the security risk to the company. NERC and the industry should continue to monitor and evaluate cost versus security benefits.

In that regard, the IRC SRC proposes that after CIP-005-6, CIP-010-3 and CIP-013-1 standards have been in effect for at least two years, NERC issue a CIP-013-1 survey amongst the industry to collect recommendations for improvement of the industry’s supply chain security standard. This will allow for the processes and controls to mature and for Reliability Entities to obtain any key learnings from implementing these protections and from audit experiences, including findings and areas of concerns identified by the auditors.

ISO/RTO Council Standards Review Committee 2019-03 Supply Chain Risks, Segment(s) 2, 9/10/2020

- 0 - 0

Lana Smith, San Miguel Electric Cooperative, Inc., 5, 9/10/2020

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Kinte Whitehead, Exelon, 3, 9/10/2020

- 0 - 0

Eversource Group, Segment(s) 3, 1, 4/12/2019

- 0 - 0

Andy Fuhrman, On Behalf of: Theresa Allard, Minnkota Power Cooperative Inc., 1

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Cynthia Lee, Exelon, 5, 9/10/2020

- 0 - 0

Cost effective is vague. Please provide a cost/benefit justification for any proposed changes.

Marty Hostler, Northern California Power Agency, 4, 9/10/2020

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Becky Webb, Exelon, 6, 9/10/2020

- 0 - 0

Westar-KCPL, Segment(s) 1, 3, 5, 6, 12/18/2018

- 0 - 0

NPCC Regional Standards Committee, Segment(s) 10, 2, 4, 7, 3, 1, 5, 6, 9/10/2020

- 0 - 0

Teresa Krabe, Lower Colorado River Authority, 5, 9/10/2020

- 0 - 0

James Baldwin, On Behalf of: Lower Colorado River Authority, , Segments 1, 5

- 0 - 0

The CAISO supports the ISO/RTO Council Standards Review Committee comments below.

While the IRC SRC acknowledges that EACMS and PACS are important to protect and believes it is good business practice to apply supply chain security controls to all Cyber Assets in the enterprise, it also believes that regulatory compliance has the potential to increase the cost of implementation and maintenance. At times, this can be dramatic, to a point where it may be detrimental to a company’s overall security posture, thereby ultimately increasing the security risk to the company. NERC and the industry should continue to monitor and evaluate cost versus security benefits.

In that regard, the IRC SRC proposes that after CIP-005-6, CIP-010-3 and CIP-013-1 standards have been in effect for at least two years, NERC issue a CIP-013-1 survey amongst the industry to collect recommendations for improvement of the industry’s supply chain security standard. This will allow for the processes and controls to mature and for Reliability Entities to obtain any key learnings from implementing these protections and from audit experiences, including findings and areas of concerns identified by the auditors.

Monika Montez, On Behalf of: California ISO, WECC, Segments 2

- 0 - 0

GSOC agrees that the SDT has worked to fine tune requirements to ensure security and cost-effectiveness.  However, GSOC remains concerned about the scope of EACMSs to which the requirements are applicable and how the current scope increases the overall cost and burden on registered entities.  For these reasons, GSOC recommends that the SDT work on additional fine-tuning of the overall scope of applicability as related to EACMSs.  

Additionally, GSOC notes that the multiple requirements, “interchangeable” terms, and potential for confusion and ambiguity detract from the potential cost-effectiveness of these standards.  The elimination of multiple, “interchangeable” terms through the use of definitions and defined terms along with streamlined requirements will help to further fine-tune the scope and security obligations set forth within these standards.  They will also facilitate consistent, effective compliance auditing, making these reliability standards more cost-effective across the ERO Enterprise.

Andrea Barclay, 9/10/2020

- 0 - 0

Trevor Tidwell, 9/10/2020

- 0 - 0

Laurie Williams, 9/10/2020

- 0 - 0

Hot Answers

Jennie Wike, On Behalf of: Marc Donaldson, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; Ozan Ferrin, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; John Merrell, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; Hien Ho, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6; Terry Gifford, Tacoma Public Utilities (Tacoma, WA), 1,3,4,5,6

- 0 - 0

Dennis Sismaet, Northern California Power Agency, 6, 9/10/2020

- 0 - 0

Other Answers

N/A

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

None

Matthew Nutsch, On Behalf of: Seattle City Light, WECC, Segments 1, 3, 4, 5, 6

- 0 - 0

Joshua Andersen, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Kelsi Rigby, 9/1/2020

- 0 - 0

Scott Langston, Tallahassee Electric (City of Tallahassee, FL), 1, 9/1/2020

- 0 - 0

Kyle Hussey, On Behalf of: Public Utility District No. 2 of Grant County, Washington, , Segments 1, 4, 5, 6

- 0 - 0

Jesus Sammy Alcaraz, Imperial Irrigation District, 1, 9/2/2020

- 0 - 0

Eli Rivera, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments NA - Not Applicable

- 0 - 0

FirstEnergy, Segment(s) 3, 5, 6, 4, 9/3/2020

- 0 - 0

Consumers Energy Company, Segment(s) 1, 3, 4, 5, 11/29/2017

- 0 - 0

The wording in CIP-013 R1.2.6 should match the wording in CIP-005-7 R3 P3.2, to wit: “authenticated vendor-initiated remote connections”

Thomas Breene, WEC Energy Group, Inc., 3, 9/4/2020

- 0 - 0

Janet OBrien, 9/4/2020

- 0 - 0

Thank you for the opportunity to comment.

ACES Standard Collaborations, Segment(s) 1, 3, 9/4/2020

- 0 - 0

Bruce Reimer, Manitoba Hydro , 1, 9/4/2020

- 0 - 0

The SDT uses the term “sessions” in CIP-005-7 R2 but in CIP-005-7 R3, it proposes replacing the term “session” with “connection.” Since there is no definition of “connection” in the Glossary of Terms Used in NERC Reliability Standards or in the NIST online glossary, BPA believes the term “connection” is ambiguous and should not be used within the standard.

Proposed change to CIP-005-7 R3.1:

Have one or more method(s) for detecting remote access sessions.

Proposed change to CIP-005-7 R3.2:

Have one or more method(s) for terminating remote access sessions.

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Further clarity should be provided regarding the definition of “vendor” in relation to staff augmentation consultants/contractors who may be performing system integration work or supporting/managing the operation of BES Cyber Assets via remote access. NERC had, during CIP-013-1 standard development responses to industry, indicated that it does not consider staff augmentation contractors/consultants who are treated similar to employees to be vendors. However, WECC is communicating a different approach in compliance outreach sessions and is expecting entities to identify staff augmentation contractors/consultants as vendors due to the risks they could pose. This should be clarified within the standards, either to allow entities the flexibility to define who vendors are to them or to have the standard drafting team define this clearly through a proposed Glossary defined term or within the standard language itself, as the current definition within the standard is open to interpretation between enforcement entities and creates undue compliance burden.

BC Hydro, Segment(s) 3, 5, 1, 12/18/2018

- 0 - 0

In regards to CIP-010-4 Requirement 1 Part 1.6, PCAs should also be included in the Applicable Systems. When BES Cyber Systems and PCAs are located within the same ESP and software is validated and verified for the BCS but not the PCAs, a mixed-trust security environment is created within an ESP. By not including PCAs in the Applicable Systems, it poses additional unnecessary risk to the security of the BES.

Anthony Jablonski, ReliabilityFirst , 10, 9/8/2020

- 0 - 0

The language is very clear in this version.

DTE Energy - DTE Electric, Segment(s) 5, 4, 3, 1/24/2020

- 0 - 0

Tony Skourtas, Los Angeles Department of Water and Power, 3, 9/8/2020

- 0 - 0

Reclamation recommends a 24-month implementation plan to allow entities flexibility to determine the appropriate implementation actions.

Richard Jackson, U.S. Bureau of Reclamation, 1, 9/8/2020

- 0 - 0

Joe Tarantino, On Behalf of: Kevin Smith, Balancing Authority of Northern California, 1; Jamie Cutlip, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Goi, Sacramento Municipal Utility District, 1,3,4,5,6; Beth Tincher, Sacramento Municipal Utility District, 1,3,4,5,6; Arthur Starkovich, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Looney, Sacramento Municipal Utility District, 1,3,4,5,6

- 0 - 0

Tho Tran, 9/8/2020

- 0 - 0

John Galloway, On Behalf of: Michael Puscas, ISO New England, Inc., 2

- 0 - 0

Rachel Coyne, Texas Reliability Entity, Inc., 10, 9/9/2020

- 0 - 0

Laura Nelson, 9/9/2020

- 0 - 0

Kjersti Drott, 9/9/2020

- 0 - 0

PG&E has no additional input regarding this Comment & Ballot.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

MEC supports EEI comments

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 9/9/2020

- 0 - 0

See EEI's comments

Neil Shockey, 9/9/2020

- 0 - 0

Regarding the Implementation Guidance for CIP-005-7, we provide the following four (4) comments:

(1) Page 3, 2nd paragraph - Suggest adding 'within the Electronic Security Perimeter' as EACMS can reside within the ESP and this appears to be the context of these EACMS.

(2) 'However, if an Entity uses the same system (Intermediate System for example) for remote connections and access into both their BES Cyber Systems and their EACMS,'

Change to "However, if an Entity uses the same system (Intermediate System for example) for remote connections and access into both their BES Cyber Systems and their EACMS within the Electronic Security Perimeter,[…]"

(3) Page 5, 2b 'Leveraging periodic inventory reviews that may be associated to annual CIP-002-5.1a Requirement R2 to assess BES Cyber System classifications and architecture'

Suggest different wording than architecture. Perhaps network topology?

(4) Page 7 - While this section contains a “cut and paste” of the Implementation Guidance components of the former Guidelines and Technical Basis (GTB) as-is from the CIP-005-6 standard, consider detailing the first use of EAP as it isn't used anywhere prior in the IG. Change 'Responsible Entities should know what traffic needs to cross an EAP' to "Responsible Entities should know what traffic needs to cross an Electronic Access Point (EAP)..."

Steven Rueckert, Western Electricity Coordinating Council, 10, 9/9/2020

- 0 - 0

Please see comments submitted by Edison Electric Institute

Jose Avendano Mora, Edison International - Southern California Edison Company, 1, 9/9/2020

- 0 - 0

N/A

Carl Pineault, Hydro-Québec Production, 5, 9/10/2020

- 0 - 0

Ameren agrees with and supports EEI comments.

David Jendras, Ameren - Ameren Services, 3, 9/10/2020

- 0 - 0

Cleco agrees with EEI comments.

Clay Walker, On Behalf of: Robert Hirchak, Cleco Corporation, 1,3,5,6; John Lindsey, Cleco Corporation, 1,3,5,6; Stephanie Huffman, Cleco Corporation, 1,3,5,6; Maurice Paulk, Cleco Corporation, 1,3,5,6

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 9/10/2020

- 0 - 0

Kevin Salsbury, Berkshire Hathaway - NV Energy, 5, 9/10/2020

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Daniel Gacek, Exelon, 1, 9/10/2020

- 0 - 0

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1,6

- 0 - 0

Ray Jasicki, On Behalf of: Ray Jasicki, , Segments 1, 3, 5

- 0 - 0

PUD No. 1 of Chelan County , Segment(s) 1, 3, 5, 6, 9/10/2020

- 0 - 0

The IRC SRC requests the SDT create individual ballots for each standard included in this project. This would provide flexibility to the industry to support certain aspects of this project while expressing concerns over other aspects.

ISO/RTO Council Standards Review Committee 2019-03 Supply Chain Risks, Segment(s) 2, 9/10/2020

- 0 - 0

We appreciate the SDT efforts.

Lana Smith, San Miguel Electric Cooperative, Inc., 5, 9/10/2020

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Kinte Whitehead, Exelon, 3, 9/10/2020

- 0 - 0

Eversource Group, Segment(s) 3, 1, 4/12/2019

- 0 - 0

Andy Fuhrman, On Behalf of: Theresa Allard, Minnkota Power Cooperative Inc., 1

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Cynthia Lee, Exelon, 5, 9/10/2020

- 0 - 0

Marty Hostler, Northern California Power Agency, 4, 9/10/2020

- 0 - 0

Exelon has elected to align with EEI in response to this question.

Becky Webb, Exelon, 6, 9/10/2020

- 0 - 0

Westar Energy and Kansas City Power & Light, the Evergy companies, support and incorporate by reference the Edison Electric Institute’s response to Question 5.

Westar-KCPL, Segment(s) 1, 3, 5, 6, 12/18/2018

- 0 - 0

In the Technical Rationale for Reliability Standard CIP-013-2 document (page 11), "Requirement R2" should read "Requirement R3". The text indicates "The proposed requirement addresses Order No. 829 directives for entities periodically to reassess selected supply chain cyber security risk management controls (P.46)". R2 requires the responsible entity to implement its supply chain cyber security risk management plan specified in R1; R3 requires that the responsible entity review the plan specified in R1 every 15 months.

NPCC Regional Standards Committee, Segment(s) 10, 2, 4, 7, 3, 1, 5, 6, 9/10/2020

- 0 - 0

None.

Teresa Krabe, Lower Colorado River Authority, 5, 9/10/2020

- 0 - 0

James Baldwin, On Behalf of: Lower Colorado River Authority, , Segments 1, 5

- 0 - 0

The CAISO supports the ISO/RTO Council Standards Review Committee comments below.

The IRC SRC requests the SDT create individual ballots for each standard included in this project. This would provide flexibility to the industry to support certain aspects of this project while expressing concerns over other aspects.

Monika Montez, On Behalf of: California ISO, WECC, Segments 2

- 0 - 0

None

Andrea Barclay, 9/10/2020

- 0 - 0

Trevor Tidwell, 9/10/2020

- 0 - 0

Laurie Williams, 9/10/2020

- 0 - 0