2019-02 BES Cyber System Information Access Management (Draft 3)

Description:

Start Date: 03/25/2021
End Date: 05/10/2021

Associated Ballots:

Ballot Name | Project | Standard | Pool Open | Pool Close | Voting Start | Voting End
2019-02 BES Cyber System Information Access Management CIP-004-7 AB 3 ST | 2019-02 BES Cyber System Information Access Management | CIP-004-7 | 12/20/2019 | 01/20/2020 | 04/30/2021 | 05/10/2021
2019-02 BES Cyber System Information Access Management CIP-011-3 AB 3 ST | 2019-02 BES Cyber System Information Access Management | CIP-011-3 | 12/20/2019 | 01/20/2020 | 04/30/2021 | 05/10/2021
2019-02 BES Cyber System Information Access Management Implementation Plan AB 3 OT | 2019-02 BES Cyber System Information Access Management | Implementation Plan | 12/20/2019 | 01/20/2020 | 04/30/2021 | 05/10/2021

Hot Answers

PG&E agrees with the proposed modifications.  PG&E will define what is “provisioning of access” for our environment and will not need a defined NERC term since a NERC term may not cover all possible conditions for PG&E.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

Move the note to the parent requirement (R6), since it applies to more than 6.1, and remove the word “Note.”

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 5/7/2021

- 0 - 0

Other Answers

Tri-State Generation and Transmission appreciates the time and effort given to this project and agrees with the revisions/changes.

Donna Wood, Tri-State G and T Association, Inc., 1, 4/29/2021

- 0 - 0

Duke Energy agrees with the proposed change to “provisioned access” and that the entity will determine how that provisioning will occur.

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

The use of provisioned access is not addressed in CIP-004-X Requirement 5. The CIP-004-X requirements should use consistent terminology.

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 4/30/2021

- 0 - 0

CHPD, Segment(s) 3, 1, 6, 5, 5/4/2021

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 5/5/2021

- 0 - 0

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

Comments: WAPA believes the SDT is moving in the correct direction from the past version. WAPA does not support the term “provisioned access” as it is a non-definable term which has the potential to confuse regulators (auditors, risk, enforcement, FERC, NERC, etc…) and industry. The term also does not address the requirements in the SAR for entities storing BCSI off-prem (such as cloud data centers).

“Provisioned access” creates a security loophole whereby entities only require authorization for a provisioned access. For example, if access to BCSI is not provisioned, no authorization to BCSI is required. This does not meet the goal of the SAR for controlling access to BCSI. Given the R6 definition whereby “access to BCSI” occurs when an individual has both “the ability to obtain and use BCSI,” we recommend changing “provisioned access” to “access” to ensure only authorized individuals can possess BCSI.

The use of “provisioned, provision or provisioning” of “access,” regardless of tense, would require entities to be audited to, maintain, and provide documented lists of people and the “provisioned” configurations of entity BES Cyber System Information repositories in order to “verify” the “authorization” of such provisioned access.

The Measures section highlights this expectation where evidence may include individual records, or lists of who is authorized. To achieve this evidence, entities would need to provide evidence of system accounts of on-premises or off-premises system repositories of BCSI. Cloud providers may not provide such lists of personnel who have administrative-level access to cloud BCSI server repositories, and entities will be unable to verify which 3rd party off-prem systems administrators have access to BCSI without litigation, yet entities will be asked to provide this information for an entire audit cycle.

Recommendations:

1. Focus only on addressing electronic and physical access to BCSI in off-prem or cloud situations.

2. Consider the following language for R6 Part 6.1:

   Authorize access to BCSI based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances. Access to BCSI includes:

   6.1.1 Electronic access to electronic BCSI;
   6.1.2 Physical access to physical BCSI;
   6.1.3 Physical access to unencrypted electronic BCSI (See our comments in Q4).

3. Consider using the perspective of language in CIP-011 “to prevent unauthorized access to BES Cyber System Information.” This allows entities to determine the risk and methods to protect BCSI.

4. WAPA recommends addressing the two potential controls for access to off-prem BCS, 1) encrypting BCSI or 2) purchasing services which allow the entity to manage the off-prem authentication systems, thereby preventing 3rd party systems administrators or others from compromising entity BCSI stored in cloud data centers. This could be as simple as:

   Implement at least one control to authorize access to BCSI based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances. Access to BCSI includes:

   6.1.1 Electronic access to electronic BCSI;
   6.1.2 Physical access to physical BCSI;
   6.1.3 Physical access to unencrypted electronic BCSI (See our comments in Q4).

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1, 6

2019-02_Unofficial_Comment_Form_03252021_Information-Protection-NSRF-draft-1_JC.docx

- 0 - 0

Please reference Marty Hostler's comments. Thanks.

Dennis Sismaet, Northern California Power Agency, 6, 5/6/2021

- 0 - 0

NO. See WAPA and Indiana Comments.

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 3, 4, 5, 6

- 1 - 0

MPC agrees that this change provides greater clarity regarding the intent of this requirement and understands that it is the provisioned access that must be authorized, verified, and revoked.

Andy Fuhrman, On Behalf of: Theresa Allard, Minnkota Power Cooperative Inc., 1

- 0 - 0

Southwest Power Pool Standards Review Group (SSRG), Segment(s) 2, 9/4/2019

- 0 - 0

FE Voter, Segment(s) 1, 3, 5, 6, 4, 2/23/2021

- 0 - 0

William Steiner, Midwest Reliability Organization, 10, 5/7/2021

- 0 - 0

In AEP’s opinion, the updated language leaves room for interpretation. It might be simplistic to refer to the subparts of R6 instead of using specific words from the subparts.

The updated Requirement 6 would read: “Each Responsible Entity shall implement one or more documented access management program(s) to meet subparts of R6 for provisioned access to BCSI pertaining to the “Applicable Systems” identified in CIP-004-X Table R6 – Access Management for BES Cyber System Information that collectively include each of the applicable requirement parts in CIP-004-X Table R6 – Access Management for BES Cyber System Information. To be considered access to BCSI in the context of this requirement, an individual has both the ability to obtain and use BCSI. [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations and Operations Planning].”

JT Kuehne, AEP, 6, 5/7/2021

- 0 - 0

OG&E agrees with EEI's comments.

Patrick Wells, On Behalf of: OGE Energy - Oklahoma Gas and Electric Co., , Segments 1, 3, 5, 6

EEI Near Final Draft Comments_ Project 2019-02_Rev_0f_For Review FOR MEMBER REVIEW.docx

- 0 - 0

Anthony Jablonski, ReliabilityFirst, 10, 5/7/2021

- 0 - 0

OKGE supports comments provided by EEI.

OKGE, Segment(s) 6, 1, 3, 5, 3/22/2021

- 0 - 0

Assuming that “provisioned access” means when someone gains and keeps BCSI access? Meaning if someone sees (screen sharing in view mode only) does not fall under “provisioned access”?

Dan Bamber, On Behalf of: ATCO Electric, , Segments 1

- 0 - 0

Hot Answers

PG&E agrees that the clarification is sufficient.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 5/7/2021

- 0 - 0

Other Answers

Donna Wood, Tri-State G and T Association, Inc., 1, 4/29/2021

- 0 - 0

Duke Energy agrees the proposed changes make it clear that both parameters of the two-pronged test for “obtain and use” must be met to constitute “access” to BCSI.

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

A user can have provisioned access to obtain BCSI and not use it. The Registered Entity is currently receiving an authorization for a user based on need to access BCSI. Access to BCSI is enough to constitute an authorization regardless of use. While this clarification assists in the context of third-party solutions it does not provide clarity for electronic or physical access to BCSI.

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 4/30/2021

- 0 - 0

CHPD, Segment(s) 3, 1, 6, 5, 5/4/2021

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 5/5/2021

- 0 - 0

Dominion Energy is of the opinion that the terms “obtain and use” are ambiguous. We suggest additional language that provides for the Registered Entity to have the flexibility to define how these terms are applied by adding some additional language to the proposed Requirement as follows: …an individual has both the ability to obtain and use BCSI as defined by the Registered Entity.

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

1. We agree to adding “obtain and use” language to clarify what constitutes an access to BCSI, but disagree to the use of “provisioned access”. After clarifying the access to BCSI, the language “provisioned” should be removed since it has a security flaw and requires extensive records from repositories of BCSI (See our comments in Q1).

Recommendations:

1. Only use the term “access” as recommended in Q1.

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1, 6

- 0 - 0

Please reference Marty Hostler's comments. Thanks.

Dennis Sismaet, Northern California Power Agency, 6, 5/6/2021

- 0 - 0

NO. See WAPA Comments.

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 3, 4, 5, 6

- 1 - 0

MPC appreciates the SDT’s efforts to include the concept from the CMEP Practice Guide. However, we would prefer the language be more specific to CIP-004, rather than re-introduce the broader “access” concept that goes beyond CIP-004, by using this language instead: “An individual is considered to have provisioned access to BCSI if they concurrently have the means to both obtain and use the BCSI (e.g., an individual who obtains encrypted BCSI but does not have the encryption keys does not have provisioned access).” The example is helpful in understanding what is meant by “obtain and use.”

Andy Fuhrman, On Behalf of: Theresa Allard, Minnkota Power Cooperative Inc., 1

- 0 - 0

The SPP Standards Review Group (SSRG) recommends the word “use” have clarity supplied around the term.

Southwest Power Pool Standards Review Group (SSRG), Segment(s) 2, 9/4/2019

- 0 - 0

FE Voter, Segment(s) 1, 3, 5, 6, 4, 2/23/2021

- 0 - 0

William Steiner, Midwest Reliability Organization, 10, 5/7/2021

- 0 - 0

AEP agrees with the addition of “obtain and use” language in R6 parent requirement, as this is in alignment with AEP’s BCSInfo program.

JT Kuehne, AEP, 6, 5/7/2021

- 0 - 0

Patrick Wells, On Behalf of: OGE Energy - Oklahoma Gas and Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

Anthony Jablonski, ReliabilityFirst, 10, 5/7/2021

- 0 - 0

OKGE supports comments provided by EEI.

OKGE, Segment(s) 6, 1, 3, 5, 3/22/2021

- 0 - 0

Dan Bamber, On Behalf of: ATCO Electric, , Segments 1

- 0 - 0

Hot Answers

PG&E agrees with the modifications which make the Requirement more objective-based.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 5/7/2021

- 0 - 0

Other Answers

Donna Wood, Tri-State G and T Association, Inc., 1, 4/29/2021

- 0 - 0

Duke Energy agrees the proposed changes retain the flexibility for storage locations to be used as one way to meet the objective.

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

See comments in response to #9 below.

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Storage locations identified for using BCSI are referenced in CIP-011-X. CIP-004-X and CIP-011-X should provide consistent terminology.

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 4/30/2021

- 0 - 0

CHPD, Segment(s) 3, 1, 6, 5, 5/4/2021

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 5/5/2021

- 0 - 0

To ensure a consistent understanding of the issues surrounding information storage on the cloud, Dominion Energy suggests using language similar to that in CIP-011 that addresses cloud storage in the proposed CIP-004.

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

1. We agree to retaining the flexibility for storage locations to be used as one way to meet the objective of the SAR, but disagree to using “provisioned access” (See our comments regarding “provisioned access” in Q1).

2. The requirement to provide lists of personnel with “provisioned access” would also require entities to identify the locations of BCSI, and auditors who are required to make the link between the repository of BCSI and the access which has been provisioned.

Recommendation:

Retain the current language and focus on auditable methods to protect BCSI at 3rd party off-prem (cloud) locations.

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1, 6

- 0 - 0

Please reference Marty Hostler's comments. Thanks.

Dennis Sismaet, Northern California Power Agency, 6, 5/6/2021

- 0 - 0

NO. See WAPA and Indiana Comments.

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 3, 4, 5, 6

- 1 - 0

MPC agrees that this approach provides entities with the flexibility to define their own internal procedures, which may include continuing to designate storage locations for BCSI to which individuals can have provisioned access. Provisioned access for those individuals can be authorized, verified, and revoked.

Andy Fuhrman, On Behalf of: Theresa Allard, Minnkota Power Cooperative Inc., 1

- 0 - 0

Southwest Power Pool Standards Review Group (SSRG), Segment(s) 2, 9/4/2019

- 0 - 0

FE Voter, Segment(s) 1, 3, 5, 6, 4, 2/23/2021

- 0 - 0

William Steiner, Midwest Reliability Organization, 10, 5/7/2021

- 0 - 0

The currently effective Requirement Part 4.1.3 of CIP-004-6 reads, “Access to designated storage locations, whether physical or electronic, for BES Cyber System Information.” Removing “storage locations” from R6 and its subparts makes it difficult for entities to comply, as the entities need to expand their searches for access control when providing compliance evidence. Similar to the “provisioned access” noun, simply stating “BCSI” will make it intangible, where keeping “storage locations” will make the requirement and its subparts tangible.

AEP understands the intent, but it is not clear based on how it is currently worded. AEP requests the SDT to provide further clarification on the intent and to provide a better definition of “provisioned access” than what was currently provided in Part 6.1 (“Note: Provisioned access is to be considered the result of the specific actions taken to provide an individual(s) the means to access BCSI (e.g., may include physical keys or access cards, user accounts and associated rights and privileges, encryption keys).”). AEP also recommends the SDT focus on auditable methods to protect BCSI at 3rd party off-premise (cloud) locations.

AEP currently defines what constitutes storage locations in its CIP-011-2 R1 information protection program, but for other smaller entities this may become further complicated to define besides managing access to BCSI storage locations.

JT Kuehne, AEP, 6, 5/7/2021

- 0 - 0

Patrick Wells, On Behalf of: OGE Energy - Oklahoma Gas and Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

Anthony Jablonski, ReliabilityFirst, 10, 5/7/2021

- 0 - 0

OKGE supports comments provided by EEI.

OKGE, Segment(s) 6, 1, 3, 5, 3/22/2021

- 0 - 0

Dan Bamber, On Behalf of: ATCO Electric, , Segments 1

- 0 - 0

Hot Answers

PG&E agrees with the modifications and clarifications.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 5/7/2021

- 0 - 0

Other Answers

Donna Wood, Tri-State G and T Association, Inc., 1, 4/29/2021

- 0 - 0

Duke Energy agrees with the proposed changes enabling entities to use third-party solutions (e.g., cloud services) for BCSI; in CIP-004-X, Requirement R6 Part 6.1, the SDT made a distinction between “electronic access to electronic BCSI” versus “physical access to physical BCSI”.

Duke Energy does not agree with, and recommends removing, “and the justification of business need for the provisioned access” as a measure in CIP-004 R6.1. Managers must be able to authorize access to a large number of employees where they would likely cut and paste a blanket justification for each person or group. All that should be required is documented authorization and removal along with the record of authorized individuals. The act of authorization should be considered sufficient that a business need for access exists. There is no risk reduction in documenting this justification, but there is significant overhead in adding such functionality to existing authorization tools.

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Further clarification should be made to CIP-004-X Part 4.1.2 and Part 6.1.2 to address the difference between physical access to a Physical Security Perimeter that may house BCSI versus physical access to a physical piece of hardware that houses BCSI. Where does the physical piece of hardware that houses BCSI need to be stored?

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 4/30/2021

- 0 - 0

CHPD, Segment(s) 3, 1, 6, 5, 5/4/2021

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 5/5/2021

- 0 - 0

Dominion Energy is concerned that the SDT is attempting to define the term "provisioned access" in a footnote. Leaving a term open to interpretation across Standards is concerning, and if a term is being used inconsistently it should be defined in the Glossary of Terms rather than through a footnote for a Standard.

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

We disagree that the physical access only applies to physical BCSI, since controlling access to unencrypted BCSI has not been addressed but will be required for 3rd party off-prem (cloud) repositories. Physical access to Cyber Assets is a fast avenue to owning the unencrypted electronic BCSI they contain, which meets the “obtain and use” condition and constitutes an access to BCSI.

Recommendation:

Add “Physical access to unencrypted electronic BCSI” to R6 Part 6.1.3 (See our suggested R6 Part 6.1 changes in Q1).

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1, 6

- 0 - 0

Please reference Marty Hostler's comments. Thanks.

Dennis Sismaet, Northern California Power Agency, 6, 5/6/2021

- 0 - 0

NO. Cloud services should be allowed. However, there is no need to make a distinction between electronic access and physical access.

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 3, 4, 5, 6

- 1 - 0

MPC appreciates this distinction to enable the use of cloud service providers for entities that wish to use them and eliminate the interpretation that every possible encounter with BCSI cannot be access controlled in the way required by CIP-004, but would still be protected in another way under the entity’s Information Protection Plan per CIP-011.

Andy Fuhrman, On Behalf of: Theresa Allard, Minnkota Power Cooperative Inc., 1

- 0 - 0

Southwest Power Pool Standards Review Group (SSRG), Segment(s) 2, 9/4/2019

- 0 - 0

FE Voter, Segment(s) 1, 3, 5, 6, 4, 2/23/2021

- 0 - 0

William Steiner, Midwest Reliability Organization, 10, 5/7/2021

- 0 - 0

“Physical BCSI” is not a defined term. AEP recommends that the SDT either define “physical BCSI” or add further clarifications in Requirement 6. AEP recommends using the existing language, “Access to designated storage locations, whether physical or electronic, for BES Cyber System Information,” under 6.1.

JT Kuehne, AEP, 6, 5/7/2021

- 0 - 0

Patrick Wells, On Behalf of: OGE Energy - Oklahoma Gas and Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

Anthony Jablonski, ReliabilityFirst, 10, 5/7/2021

- 0 - 0

OKGE supports comments provided by EEI.

OKGE, Segment(s) 6, 1, 3, 5, 3/22/2021

- 0 - 0

By this change, can it be clarified that an entity’s IT service provider server rooms (where electronic BCSI is hosted) do not fall under physical BCSI?

Dan Bamber, On Behalf of: ATCO Electric, , Segments 1

- 0 - 0

Hot Answers

PG&E agrees with the adjective “provisioned” and, as noted in the comment for Question 1, will define what “provisioned” means to PG&E and will follow that definition in our implementation of the modifications.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 5/7/2021

- 0 - 0

Other Answers

Donna Wood, Tri-State G and T Association, Inc., 1, 4/29/2021

- 0 - 0

Duke Energy agrees the adjective “provisioned” in conjunction with the “Note” clarifies what “provisioned access” is.

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

CIP-004-X R2, R3, and R4 discuss authorized access. A user is to be authorized prior to being provisioned. If the CIP-004-X R6 requirements focus on provisioned users, there is a gap of users who may be authorized and not yet provisioned. The SDT should choose to define authorized access in place of, or in conjunction with, provisioned access.

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 4/30/2021

- 0 - 0

CHPD, Segment(s) 3, 1, 6, 5, 5/4/2021

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 5/5/2021

- 0 - 0

Dominion Energy is concerned that the SDT is attempting to define the term "provisioned access" in a footnote. Leaving a term open to interpretation across Standards is concerning, and if a term is being used inconsistently it should be defined in the Glossary of Terms rather than through a footnote for a Standard.

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

1. Based on WAPA’s disagreement with the term “provisioned access” and given that the SDT has defined “access to BCSI” in R6, the term “provisioned access” should be removed due to the creation of an unintended security loophole (See our comments in Q1).

2. Access, which occurs in CIP standards language, whether it is electronic and/or logical access, physical access, unescorted physical access, remote access, or interactive remote access, is clearly understood, has been widely adopted by industry and regulators, and has been subject to hundreds of audits across all regions for the past 14 years. Entities have developed internal documentation, configured systems, implemented control tasks and standardized programs on these terms. The adjective “provisioned” adds further terms, requires changes and is of little value regarding the actions required of entities and the output deliverables or evidence.

Recommendation:

1. Revise the language to focus on access to BCSI and the auditable methods to protect BCSI at 3rd party off-prem (cloud) locations.

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1, 6

- 0 - 0

Please reference Marty Hostler's comments. Thanks.

Dennis Sismaet, Northern California Power Agency, 6, 5/6/2021

- 0 - 0

NO. NERC Terms need a definition which is to be used for both CIP and O&P standards. Else Registered Entities will be subject to Regional Entity auditor interpretations not vetted by industry.

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 3, 4, 5, 6

- 1 - 0

MPC supports not defining “access” as a NERC glossary term, as this could be difficult and have unintended consequences for other standards. MPC agrees that the use of “provisioned” and the note adds enough context to clarify what kind of access the requirements are about.

Andy Fuhrman, On Behalf of: Theresa Allard, Minnkota Power Cooperative Inc., 1

- 0 - 0

Southwest Power Pool Standards Review Group (SSRG), Segment(s) 2, 9/4/2019

- 0 - 0

FE Voter, Segment(s) 1, 3, 5, 6, 4, 2/23/2021

- 0 - 0

“Provisioned access” in Part 6.3 doesn’t necessarily trigger the removal of accesses granted maliciously or inadvertently, and accepts a security and reliability risk that is mitigated in today’s language. The use of provisioned access in Part 6.1 (authorize) and 6.2 (verify) is fine. Consider “… ability to access BCSI…” instead of “…ability to use provisioned access…” for Part 6.3 only.

William Steiner, Midwest Reliability Organization, 10, 5/7/2021

- 0 - 0

The currently effective Requirement Part 4.1.3 of CIP-004-6 reads, “Access to designated storage locations, whether physical or electronic, for BES Cyber System Information.” AEP suggests using similar language from Part 4.1.3, as suggested in our response to Question #4 above. AEP recommends 6.1 use similar language to 4.1, i.e., “Process to authorize based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances: Access to designated storage locations, whether physical or electronic, for BES Cyber System Information.”

JT Kuehne, AEP, 6, 5/7/2021

- 0 - 0

Patrick Wells, On Behalf of: OGE Energy - Oklahoma Gas and Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

Anthony Jablonski, ReliabilityFirst, 10, 5/7/2021

- 0 - 0

OKGE supports comments provided by EEI.

OKGE, Segment(s) 6, 1, 3, 5, 3/22/2021

- 0 - 0

Dan Bamber, On Behalf of: ATCO Electric, , Segments 1

- 0 - 0

Hot Answers

PG&E does not believe there is any double jeopardy between the proposed modifications to CIP-011-X and CIP-013.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

MidAmerican Energy agrees with removal of Parts 1.3 and 1.4. However, we are concerned with the lack of clarity of the language of Part 1.2. The CIP-011-X Technical Rationale states that methods to protect BCSI “becomes explicitly comprehensive.” This question refers to a “broadened” focus, but the requirement does not clearly explain the broadened focus and comprehensive expectations. We request additional information be added to Technical Rationale regarding expectations of the requirement, including the difference between version 2 and the proposed version X.

We agree with the removal of language of “storage, security during transit, and use” from the requirement. However, we do not see the need to mention this language again in the measures and ask that this language be removed.

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 5/7/2021

- 0 - 0

Other Answers

Donna Wood, Tri-State G and T Association, Inc., 1, 4/29/2021

- 0 - 0

Duke Energy generally agrees with the proposed changes of simplifying CIP-011-X, Requirement R1 Part 1.1, and adjusting Part 1.2 to broaden the focus around the implementation of protective methods and secure handling methods to mitigate risks of compromising confidentiality.

Duke Energy has concerns with the wording of measures for R1.2. ‘On-premise BCSI’ and ‘off-premise BCSI’ are open to interpretation. Is it the intent that a third party managed BCSI repository that is implemented on ‘on-premise’ servers not be subject to the ‘off-premise’ measures? Can a risk assessment determine the actual controls, physical, technical or administrative, needed?

Duke Energy recommends that for third party (or ‘off-premise’) managed or hosted storage, a risk assessment for physical, technical and administrative controls be performed and mitigating controls be implemented as determined.

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

While clearer than the previously proposed CIP-011-3, the provided measures for CIP-011-X Part 1.2 state, “implementation of administrative method(s) to protect BCSI (e.g., vendor service risk assessments, business agreements).” Business agreements and vendor service risk assessments do lead to confusion with CIP-013.

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 4/30/2021

- 0 - 0

In the Measures for R1.2, change “on-premise” to “on-premises” and “off-premise” to “off-premises”.

CHPD, Segment(s) 3, 1, 6, 5, 5/4/2021

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 5/5/2021

- 0 - 0

Dominion Energy is concerned with the addition of “to mitigate risks of compromising confidentiality”. This additional language seems to require that Registered Entities develop methodologies and processes to determine levels of risk. Furthermore, the term “mitigate risks” is very subjective and could be interpreted differently by the respective parties involved. This addition doesn’t appear to address any risks or identified gaps. Please clarify the intent of the use of the language.

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

We do not agree with the R1 Part 1.2 changes, since these changes haven’t resolved the goal of the SAR, which is to prevent unauthorized access to BCSI while in transit, in storage, and in use. CIP-011 requirements should be in alignment with CIP-004 R6 Part 6.1 to ensure only authorized personnel can possess BCSI.

Recommendations:

We suggest adding “prevent unauthorized access to BCSI” to R1 Part 1.2 so that it is in alignment with CIP-004 R6.1:

“Method(s) to protect and securely handle BCSI Information to prevent unauthorized access to BCSI, including storage, transit, and use.”

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1, 6

- 0 - 0

Please reference Marty Hostler's comments.   Thanks.

Dennis Sismaet, Northern California Power Agency, 6, 5/6/2021

- 0 - 0

NO. We agree with removing CIP-011-X R1 Parts 1.3 & 1.4.

We do not agree with adjusting Part 1.2.

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 3, 4, 5, 6

- 1 - 0

MPC agrees with the proposed changes and believes that CIP-011 requires protection of BCSI no matter where it is located.  To do this, entities must conduct assessments to understand what BCSI they have, where it can be found, how it transmits, what is done with it, and understand how confidentiality could be compromised at any of these times and locations in order to implement appropriate controls to protect it.

While MPC appreciates the reminder in the measures to consider BCSI that is located on-premises and off-premises, using these terms here may be confusing.  MPC suggests including additional information in Technical Rationale or Implementation Guidance instead.

Andy Fuhrman, On Behalf of: Theresa Allard, Minnkota Power Cooperative Inc., 1; Theresa Allard, Minnkota Power Cooperative Inc., 1; Theresa Allard, Minnkota Power Cooperative Inc., 1

- 0 - 0

Southwest Power Pool Standards Review Group (SSRG), Segment(s) 2, 9/4/2019

- 0 - 0

FE Voter, Segment(s) 1, 3, 5, 6, 4, 2/23/2021

- 0 - 0

In CIP-011-X, Part 1.2, the proposed draft excludes risks related to data integrity.  Omission of data integrity would require supplemental Practice Guides by the ERO Enterprise to determine what cloud environment risks are related to confidentiality vs. integrity.  In practice, most data access risks overlap between those two legs of the CIA triad, and it will be difficult or impossible to enforce some data risk scenarios with data confidentiality alone.
Also, the mapping document ‘Description and Change Justification’ indicates that the focus for CIP-011-X Part 1.2 was intended to be broader, but the change appears to be narrower than existing language.  One or the other must be in error, but we are not sure which.

William Steiner, Midwest Reliability Organization, 10, 5/7/2021

- 0 - 0

AEP supports the removal of Requirement R1 Parts 1.3 and 1.4, and the minor adjustment made to Requirement R1, Part 1.1. 

AEP has concerns that the adjustments made to Requirement R1, Part 1.2, made this requirement overly broad, especially considering the management of the off-premise BCSI.  Specifically, AEP is concerned with the breadth and depth of L1 and L2 evidence that would be required to demonstrate compliance and mitigating risks of compromising confidentiality associated with Requirement R1, Part 1.2 with regard to off-premise BCSI.  Further, it is not clear what would constitute acceptable methodologies or procedures (self-audit, independent audits, SOC1/SOC2 reviews, etc.) for AEP to validate a third party's control environment (provided the third party cooperates with AEP's request) sufficient to demonstrate compliance and mitigating risks of compromising confidentiality associated with Requirement R1, Part 1.2 with regard to off-premise BCSI.  Finally, it is not clear to what level AEP will need to document, monitor, and enforce controls implemented and administered by a third party who maintains AEP's BCSI off-premise.

AEP is also concerned with any unintended consequences from the proposed language, as it could be interpreted to mean any vendor’s use of BCSI, even if it is stored on AEP’s systems, and not BCSI that is stored, transmitted, or used by 3rd party vendors on their system(s).

JT Kuehne, AEP, 6, 5/7/2021

- 0 - 0

Patrick Wells, On Behalf of: OGE Energy - Oklahoma Gas and Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

Anthony Jablonski, ReliabilityFirst , 10, 5/7/2021

- 0 - 0

OKGE supports comments provided by EEI. 

OKGE, Segment(s) 6, 1, 3, 5, 3/22/2021

- 0 - 0

Dan Bamber, On Behalf of: ATCO Electric, , Segments 1

- 0 - 0

Hot Answers

PG&E agrees with the 24-month implementation plan and the ability for early adoption.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 5/7/2021

- 0 - 0

Other Answers

Donna Wood, Tri-State G and T Association, Inc., 1, 4/29/2021

- 0 - 0

Duke Energy agrees with the extension of the 24-months implementation plan provided the CIP-004 R6.1 requirement to document justification of the need for authorization is eliminated.

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 4/30/2021

- 0 - 0

CHPD, Segment(s) 3, 1, 6, 5, 5/4/2021

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 5/5/2021

- 0 - 0

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1,6; sean erickson, Western Area Power Administration, 1,6; sean erickson, Western Area Power Administration, 1,6

- 0 - 0

Please reference Marty Hostler's comments.   Thanks.

Dennis Sismaet, Northern California Power Agency, 6, 5/6/2021

- 0 - 0

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 3, 4, 5, 6

- 1 - 0

MPC agrees with this approach.

Andy Fuhrman, On Behalf of: Theresa Allard, Minnkota Power Cooperative Inc., 1; Theresa Allard, Minnkota Power Cooperative Inc., 1; Theresa Allard, Minnkota Power Cooperative Inc., 1

- 0 - 0

Southwest Power Pool Standards Review Group (SSRG), Segment(s) 2, 9/4/2019

- 0 - 0

FE Voter, Segment(s) 1, 3, 5, 6, 4, 2/23/2021

- 0 - 0

William Steiner, Midwest Reliability Organization, 10, 5/7/2021

- 0 - 0

JT Kuehne, AEP, 6, 5/7/2021

- 0 - 0

Patrick Wells, On Behalf of: OGE Energy - Oklahoma Gas and Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

Anthony Jablonski, ReliabilityFirst , 10, 5/7/2021

- 0 - 0

OKGE, Segment(s) 6, 1, 3, 5, 3/22/2021

- 0 - 0

Dan Bamber, On Behalf of: ATCO Electric, , Segments 1

- 0 - 0

Hot Answers

At this time PG&E does not have information to determine if the modifications are a cost-effective approach.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

MidAmerican Energy is concerned with broadened and “explicitly comprehensive” expectations for CIP-011-X R1.2, which could result in a costly approach. 

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 5/7/2021

- 0 - 0

Other Answers

Donna Wood, Tri-State G and T Association, Inc., 1, 4/29/2021

- 0 - 0

Duke Energy recommends removing “and the justification of business need for the provisioned access” as a measure in CIP-004 R6.1. Managers must be able to authorize access to a large number of employees without need to cut and paste a blanket justification for each person or group. All that should be required is documented authorization and removal along with the record of authorized individuals. The act of authorization should be considered sufficient that a business need for access exists. There is no risk reduction in documenting this justification, but there is significant overhead in adding such functionality to existing authorization tools.

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

See comments in response to #9 below.

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 4/30/2021

- 0 - 0

CHPD, Segment(s) 3, 1, 6, 5, 5/4/2021

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 5/5/2021

- 0 - 0

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

Any changes made result in a cost to industry.

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1,6; sean erickson, Western Area Power Administration, 1,6; sean erickson, Western Area Power Administration, 1,6

- 0 - 0

Please reference Marty Hostler's comments.   Thanks.

Dennis Sismaet, Northern California Power Agency, 6, 5/6/2021

- 0 - 0

The SDT has not provided a cost estimate.  Consequently, we have no idea if the proposal is cost effective.

Standards should not be approved by Industry until each Standard Drafting Team develops a detailed cost estimate (capital and maintenance).

This means including internal controls, more staff, management/board approval, budgeting, revising all Internal Compliance Documents to account for the new standard or modifications, etc.  All these changes end up costing real people, our customers; they certainly would not blindly tell the SDT “I just want that product and don't care what the cost is.”

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 3, 4, 5, 6

- 1 - 0

Andy Fuhrman, On Behalf of: Theresa Allard, Minnkota Power Cooperative Inc., 1; Theresa Allard, Minnkota Power Cooperative Inc., 1; Theresa Allard, Minnkota Power Cooperative Inc., 1

- 0 - 0

Southwest Power Pool Standards Review Group (SSRG), Segment(s) 2, 9/4/2019

- 0 - 0

FE Voter, Segment(s) 1, 3, 5, 6, 4, 2/23/2021

- 0 - 0

William Steiner, Midwest Reliability Organization, 10, 5/7/2021

- 0 - 0

JT Kuehne, AEP, 6, 5/7/2021

- 0 - 0

Patrick Wells, On Behalf of: OGE Energy - Oklahoma Gas and Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

Anthony Jablonski, ReliabilityFirst , 10, 5/7/2021

- 0 - 0

OKGE, Segment(s) 6, 1, 3, 5, 3/22/2021

- 0 - 0

Dan Bamber, On Behalf of: ATCO Electric, , Segments 1

- 0 - 0

Hot Answers

PG&E thanks the SDT for the effort in making the modifications objective based that will allow PG&E to implement them to fit our environment.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

MidAmerican Energy continues to have concern with the revised text of CIP-004-X R6.2. Please add a statement to the CIP-004-X Technical Rationale document: The review expected in CIP-004-X R6.2 is expected to be the same as CIP-004-6 R4.4.

While we are generally supportive of the changes to CIP-004, we are concerned about creating a new separate requirement for BCSI authorization, revocation and review. This creates the potential for non-compliance with multiple requirements for a single situation, such as revocation of access for a termination. We ask the SDT to consider making changes that will reconcile this issue.

Darnez Gresham, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 5/7/2021

- 0 - 0

Other Answers

Tri-State Generation and Transmission appreciates the time and effort given to this project and agrees with the revisions/changes.

Donna Wood, Tri-State G and T Association, Inc., 1, 4/29/2021

- 0 - 0

No additional comments.

Duke Energy, Segment(s) 1, 5, 6, 3, 12/13/2019

- 0 - 0

The proposed language is too ambiguous and obligates entities to protect BCSI in any form, even when it is beyond their control.  Should BCSI be shared with NERC/FERC, the proposed standard would require registered entities to extend their access management to include the copy of that information held by NERC/FERC.  Subsequent requirements in CIP-011 would require reviews of access rights associated with that copy.

The language should be re-scoped to focus on management of access to designated repositories, instead of the information itself.

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

The CIP-004-X and CIP-011-X proposal is more favorable than the previous CIP-004-7 and CIP-011-3 approach of moving access management of BCSI from CIP-004 and adding it to CIP-011.

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 4/30/2021

- 0 - 0

CHPD, Segment(s) 3, 1, 6, 5, 5/4/2021

- 0 - 0

Jeanne Kurzynowski, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

LaTroy Brumfield, American Transmission Company, LLC, 1, 5/5/2021

- 0 - 0

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

The SDT should work to simplify but clarify the standards. Years down the road auditors make interpretations and companies need to be clear what is required. Secondly, the SDT should look at ISO and NIST standards for guidance. Per our comments in question 1, WAPA recommends changing “provisioned access” to “access to BCSI” for the whole of R6 and its parts as suggested here:

“Except our suggested changes to R6 Part 6.1, we also have the following recommendations for R6 Part 6.2 and 6.3:

  • For changes to R6 Part 6.2:

    Verify at least once every 15 calendar months that all individuals with access to BCSI:

    6.2.1. have an Is authorization record;

    6.2.2. Is still need the access to BCSI to perform their current work functions, as determined by the Responsible Entity.

  • For changes to R6 Part 6.3:

    For termination actions, remove the individual’s ability to access to BCSI (unless already revoked according to Part 5.1) by the end of the next calendar day following the effective date of the termination action.”

As we suggested in Q1, changing from “provisioned access to BCSI” to “access to BCSI” provides the clarity and flexibility for authorizing, verifying, and revoking access to BCSI using various approaches, including BCSI repository level or BCSI file level protection, which makes R6 backwards compatible.

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1,6; sean erickson, Western Area Power Administration, 1,6; sean erickson, Western Area Power Administration, 1,6

- 0 - 0

Please reference Marty Hostler's comments.   Thanks.

Dennis Sismaet, Northern California Power Agency, 6, 5/6/2021

- 0 - 0

none.

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 3, 4, 5, 6

- 1 - 0

Andy Fuhrman, On Behalf of: Theresa Allard, Minnkota Power Cooperative Inc., 1; Theresa Allard, Minnkota Power Cooperative Inc., 1; Theresa Allard, Minnkota Power Cooperative Inc., 1

- 0 - 0

The SSRG wants to thank the drafting team for their time and efforts on this project.

Southwest Power Pool Standards Review Group (SSRG), Segment(s) 2, 9/4/2019

- 0 - 0

N/A

FE Voter, Segment(s) 1, 3, 5, 6, 4, 2/23/2021

- 0 - 0

William Steiner, Midwest Reliability Organization, 10, 5/7/2021

- 0 - 0

No further comments.

JT Kuehne, AEP, 6, 5/7/2021

- 0 - 0

Patrick Wells, On Behalf of: OGE Energy - Oklahoma Gas and Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

CIP-004-X R6 and CIP-011-X R1 have different applicability. In the Draft 3 language, BCSI pertaining to medium impact BCS without ERC must be protected (CIP-011-X R1), but access to this BCSI need not be controlled (CIP-004-X R6). Without mandated access controls, the entity will be left to determine what is an effective protection to BCSI pertaining to medium impact BCS without ERC. The SDT should consider revisiting the differences in applicability between CIP-004-X R6 and CIP-011-X R1. Since this issue is beyond the scope of the 2019-02 SAR, please add this concern to the list of SAR items for the next revision of CIP-004.

The Background sections of CIP-004-X and CIP-011-X should be moved to their respective Technical Rationale documents.

CIP-004-X Implementation Guidance: 1) Implementation Guidance for R2 states that “a single training program for all individuals needing to be trained is acceptable” which is in conflict with the language in R2, “appropriate to individual roles, functions, or responsibilities.” 2) Page numbers for R6 are incorrect. 3) Appendix 1 should be moved to the Technical Rationale document as it does not fit the requirements for Implementation Guidance.

Implementation Plan: The “Early Adoption” paragraph should make it clear that all of the updated Requirements must be adopted at the same time. An entity should not be permitted to early-adopt only parts of the revised Standards.

Anthony Jablonski, ReliabilityFirst , 10, 5/7/2021

- 0 - 0

OKGE supports comments provided by EEI. 

OKGE, Segment(s) 6, 1, 3, 5, 3/22/2021

- 0 - 0

Dan Bamber, On Behalf of: ATCO Electric, , Segments 1

- 0 - 0