2020-03 Supply Chain Low Impact Revisions (Draft 1)

Description:

Start Date: 08/27/2021
End Date: 10/11/2021

Associated Ballots:

Ballot Name: 2020-03 Supply Chain Low Impact Revisions CIP-003-X IN 1 ST
Project: 2020-03 Supply Chain Low Impact Revisions
Standard: CIP-003-X
Pool Open: 08/27/2021
Pool Close: 09/27/2021
Voting Start: 10/01/2021
Voting End: 10/11/2021

Hot Answers

SMUD agrees that the proposed language addresses the risk of malicious communication and vendor remote access to low impact BES cyber systems, but believes that it would create less confusion for industry if a “low impact asset” was referred to as a “low impact facility.” Using lower case asset versus upper case Asset has been a source of confusion since the low impact standards became effective.

SMUD does not believe that CIP-003 R2 Section 6 Part 6.2 belongs in Section 6. This requirement may be better suited for Section 3, but should be changed to clearly reflect that the applicability is to vendor remote access (which is not in the current wording as part of Part 6.2). At a minimum, SMUD recommends changing the wording in Part 6.2, e.g.:

“6.2 For vendor remote access, have one or more method(s) for detecting known or suspected malicious communications for both inbound and outbound communications; and….”

Regional Entities could potentially interpret 6.2 to increase the scope to have one or more methods for detecting any malicious communications. This could increase the cost to implement and the burden of proof to demonstrate compliance. SMUD would suggest adding “vendor remote access” to the requirement so that the scope is absolutely clear.

Joe Tarantino, On Behalf of: Foung Mua, Sacramento Municipal Utility District, 1,3,4,5,6; Charles Norton, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Looney, Sacramento Municipal Utility District, 1,3,4,5,6; Kevin Smith, Balancing Authority of Northern California, 1; Nicole Goi, Sacramento Municipal Utility District, 1,3,4,5,6

- 0 - 0

April Owen, Public Utility District No. 1 of Pend Oreille County, 6, 9/28/2021

- 0 - 0

Other Answers

Kevin Conway, Public Utility District No. 1 of Pend Oreille County, 1, 9/13/2021

- 1 - 0

Bryant Kramer, On Behalf of: Public Utility District No. 1 of Pend Oreille County, Segments 1, 3, 5, 6

- 0 - 0

Jennifer Bray, Arizona Electric Power Cooperative, Inc., 1, 9/27/2021

- 0 - 0

Hot Answers

SMUD would like to see more clarity regarding what constitutes a vendor. If an entity has contracted with an organization to operate an asset, are all communications and connections from outside of the asset considered vendor remote access? There are use cases where the entity may contract the operation of an asset that the entity itself has no access to.

Would a contractor, issued an entity provided/managed laptop, working from an entity owned facility, that has been onboarded using the same process as all entity employees that have been granted unescorted and electronic access still be considered a vendor?

The two examples provided are use cases that SMUD feels should not be left up to the Regional Entities.

Joe Tarantino, On Behalf of: Foung Mua, Sacramento Municipal Utility District, 1,3,4,5,6; Charles Norton, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Looney, Sacramento Municipal Utility District, 1,3,4,5,6; Kevin Smith, Balancing Authority of Northern California, 1; Nicole Goi, Sacramento Municipal Utility District, 1,3,4,5,6

- 0 - 0

April Owen, Public Utility District No. 1 of Pend Oreille County, 6, 9/28/2021

- 0 - 0

Other Answers

Kevin Conway, Public Utility District No. 1 of Pend Oreille County, 1, 9/13/2021

- 1 - 0

Bryant Kramer, On Behalf of: Public Utility District No. 1 of Pend Oreille County, Segments 1, 3, 5, 6

- 0 - 0

Jennifer Bray, Arizona Electric Power Cooperative, Inc., 1, 9/27/2021

- 0 - 0

Hot Answers

Joe Tarantino, On Behalf of: Foung Mua, Sacramento Municipal Utility District, 1,3,4,5,6; Charles Norton, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Looney, Sacramento Municipal Utility District, 1,3,4,5,6; Kevin Smith, Balancing Authority of Northern California, 1; Nicole Goi, Sacramento Municipal Utility District, 1,3,4,5,6

- 0 - 0

April Owen, Public Utility District No. 1 of Pend Oreille County, 6, 9/28/2021

- 0 - 0

Other Answers

Kevin Conway, Public Utility District No. 1 of Pend Oreille County, 1, 9/13/2021

- 1 - 0

Bryant Kramer, On Behalf of: Public Utility District No. 1 of Pend Oreille County, Segments 1, 3, 5, 6

- 0 - 0

Jennifer Bray, Arizona Electric Power Cooperative, Inc., 1, 9/27/2021

- 0 - 0

Hot Answers

Given the ambiguity around what constitutes “vendor remote access,” it is difficult to determine what it would take to comply with the proposed requirements or to determine if the modifications would be cost effective. Would a contractor that is issued an entity provided/managed laptop, working from an entity owned facility, that has been onboarded using the same process as all entity employees that have been granted unescorted and electronic access still be considered a vendor?

The cost and implementation could be quite significant if entities were to have to renegotiate contracts and get access to assets for which they are registered, but to which they do not have access.

Joe Tarantino, On Behalf of: Foung Mua, Sacramento Municipal Utility District, 1,3,4,5,6; Charles Norton, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Looney, Sacramento Municipal Utility District, 1,3,4,5,6; Kevin Smith, Balancing Authority of Northern California, 1; Nicole Goi, Sacramento Municipal Utility District, 1,3,4,5,6

- 0 - 0

April Owen, Public Utility District No. 1 of Pend Oreille County, 6, 9/28/2021

- 0 - 0

Other Answers

Kevin Conway, Public Utility District No. 1 of Pend Oreille County, 1, 9/13/2021

- 1 - 0

Bryant Kramer, On Behalf of: Public Utility District No. 1 of Pend Oreille County, Segments 1, 3, 5, 6

- 0 - 0

Jennifer Bray, Arizona Electric Power Cooperative, Inc., 1, 9/27/2021

- 0 - 0

Hot Answers

If the scope is clear, 18 months for implementation should be fine. Given some of the ambiguity in the current draft, more specifically the lack of clarity of key terms, it is difficult to determine the extent of changes or what additional technical resources are necessary to comply.

Additionally, some entities may have very limited security technologies in place for or at low impact assets that can be re-used for the purpose of meeting the requirements. For those entities, it may take much more time to architect, procure, and deploy a solution. Given the potentially large number of low impact sites, 18 months could be challenging.

Joe Tarantino, On Behalf of: Foung Mua, Sacramento Municipal Utility District, 1,3,4,5,6; Charles Norton, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Looney, Sacramento Municipal Utility District, 1,3,4,5,6; Kevin Smith, Balancing Authority of Northern California, 1; Nicole Goi, Sacramento Municipal Utility District, 1,3,4,5,6

- 0 - 0

April Owen, Public Utility District No. 1 of Pend Oreille County, 6, 9/28/2021

- 0 - 0

Other Answers

Kevin Conway, Public Utility District No. 1 of Pend Oreille County, 1, 9/13/2021

- 1 - 0

Bryant Kramer, On Behalf of: Public Utility District No. 1 of Pend Oreille County, Segments 1, 3, 5, 6

- 0 - 0

Jennifer Bray, Arizona Electric Power Cooperative, Inc., 1, 9/27/2021

- 0 - 0

Hot Answers

Definitions for vendor remote access and what constitutes malicious communications would provide some clarity and help entities determine the cost effectiveness standard.

SMUD suggests changing lower case “asset” to “facility” to remove the confusion that already exists.

Moving requirement 6.2 to section 3 might make it more consistent with CIP-005.

Joe Tarantino, On Behalf of: Foung Mua, Sacramento Municipal Utility District, 1,3,4,5,6; Charles Norton, Sacramento Municipal Utility District, 1,3,4,5,6; Nicole Looney, Sacramento Municipal Utility District, 1,3,4,5,6; Kevin Smith, Balancing Authority of Northern California, 1; Nicole Goi, Sacramento Municipal Utility District, 1,3,4,5,6

- 0 - 0

April Owen, Public Utility District No. 1 of Pend Oreille County, 6, 9/28/2021

- 0 - 0

Other Answers

Kevin Conway, Public Utility District No. 1 of Pend Oreille County, 1, 9/13/2021

- 0 - 0

Bryant Kramer, On Behalf of: Public Utility District No. 1 of Pend Oreille County, Segments 1, 3, 5, 6

- 0 - 0

AEPCO has signed on to the ACES comments below:

We would like to thank the SDT for preparing the changes and allowing us to comment. We do have a concern not addressed by the above questions:

While the revisions address the risk of malicious communications outlined by the NERC Board resolution, this is NOT a requirement for medium impact BES Cyber Systems not at Control Centers. This was brought up by ACES at the final CIPC meeting, as CIP-005 R1.5’s applicable systems are high impact and medium impact BES Cyber Systems at Control Centers. This creates more stringent controls for low impact BCS than for medium impact BCS, which we object to. While this new requirement was part of the NERC study, low impact BCS should not have to meet greater requirements than higher impact level BCS.

Further, there is not an existing project to change CIP-005 R1.5 to include all medium impact BCS, and the CIP-005 revision from Project 2016-02 does not change the Applicable Systems to include medium impact BCS not at Control Centers. Without adding medium impact BCS to CIP-005 or removing this proposed requirement, the standards will leave a gap for medium impact BCS not at a Control Center when considering malicious communications.

Jennifer Bray, Arizona Electric Power Cooperative, Inc., 1, 9/27/2021

- 0 - 0