
2020-03 Supply Chain Low Impact Revisions | Draft 3

Description:

Start Date: 07/06/2022
End Date: 08/19/2022

Associated Ballots:

Ballot Name: 2020-03 Supply Chain Low Impact Revisions CIP-003-X AB 3 ST
Project: 2020-03 Supply Chain Low Impact Revisions
Standard: CIP-003-X
Pool Open: 08/27/2021
Pool Close: 09/27/2021
Voting Start: 08/10/2022
Voting End: 08/19/2022


Hot Answers

See comments submitted by the Edison Electric Institute

Kenya Streeter, On Behalf of: Edison International - Southern California Edison Company, , Segments 1, 3, 5, 6

- 0 - 0

Cowlitz PUD does not agree that the proposed language in Attachment 1, Section 6 addresses the risk of active malicious communications and is too prescriptive in the actions listed in Section 6.1 – 6.3. Entities can mitigate the risks associated with vendor electronic remote access through various means and still address the NERC Board Resolution to detect, determine, and disable active vendor electric remote access, and malicious communications. The language should read more like an objective risk-based requirement allowing an entity to have a bit more leeway to comply with the requirement.  Additionally, as written Section 6.3 appears to be applicable to all communications and should then be removed from Section 6.3 and placed in Section 3.1 if this was the intent.

Deanna Carlson, Cowlitz County PUD, 5, 8/19/2022

- 0 - 0

Other Answers

Kevin Conway, Public Utility District No. 1 of Pend Oreille County, 1, 7/14/2022

- 0 - 0

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Eric Sutlief, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

Sean Steffensen, IDACORP - Idaho Power Company, 1, 7/29/2022

- 0 - 0

Martin Sidor, NRG - NRG Energy, Inc., 6, 8/3/2022

- 0 - 0

Donna Wood, Tri-State G and T Association, Inc., 1, 8/4/2022

- 0 - 0

Jay Sethi, On Behalf of: Manitoba Hydro - MRO - Segments 1, 3, 5, 6

- 0 - 0

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

The introduction of “detecting known or suspected malicious communications” for low impact BES Cyber Systems would be more stringent as compared to CIP-005 R1.5 since Medium Impact BES Cyber Systems are not applicable in the current version of the standards without adding any additional reliability benefits.

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 4 - 0

Xcel Energy supports the comments of EEI and the MRO NSRF. 

Joe Gatten, On Behalf of: Xcel Energy, Inc. - MRO, WECC - Segments 1, 3, 5, 6

- 0 - 0

PUD No. 1 of Chelan County, Segment(s) 3, 1, 6, 5, 8/11/2022

- 0 - 0

Erik Gustafson, On Behalf of: PNM Resources - Public Service Company of New Mexico - WECC, Texas RE - Segments 1, 3

- 0 - 0

As with the previous draft, Section 6.3 still creates a higher bar for some assets containing low impact BCS than for most medium impact BCS (i.e., those outside of control centers).  Section 6.3 would require detection of malicious inbound and outbound communications for low impact BCS with vendor remote connectivity.  In the current version and next effective version of CIP-005, Part 1.5 requires detection of malicious inbound and outbound communications only for medium impact BCS at Control Centers.

BPA recognizes that the NERC Board Resolution directs the drafting team to modify CIP-003 to “..include policies for low impact BES Cyber Systems to: (1) detect known or suspected malicious communications for both inbound and outbound communications…” BPA also acknowledges that the Technical Rationale attempts to identify more robust controls from CIP-005-6 that offset this inconsistency.  However, this inconsistency results in a complicated and confusing compliance approach: entities will be required to develop separate evidence packages for Low and Medium (outside of control centers) substations even if they implement identical solutions across both.

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 4 - 0

Southern agrees that the proposed language in Attachment 1 Section 6 addresses the risk of malicious communication and vendor remote access to low impact BES cyber systems as directed by the NERC Board resolution.

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

BC Hydro appreciates the opportunity to comment and thanks the drafting team for their continued efforts.

The language proposed in CIP-003-X attachment 1 Section 6 does not comprehensively address the risk of malicious communication and vendor remote access to low impact BES cyber systems with possible areas of improvement as follows:

  • The language used in CIP-003-X attachment 1 Section 6.3 is referring to 'known or suspected malicious communications'. BC Hydro recommends adding more clarity and providing examples of use cases and applicability. Specifically, the context and usage of the term 'malicious communication' needs more clarity, and BC Hydro requests that the context and usage be provided with pertinent examples and use case scenarios to improve understanding and to better scope the requirements.
  • Similarly, BC Hydro proposes defining and adding term 'Vendor Electronic Remote Access' to NERC Glossary of Terms.
  • Who and what is considered a 'Vendor' also need to be defined in the Glossary of Terms for clarity and understanding.

CIP-005-5 R1.5 does not apply to Medium impact BCS if they are not at Control Centers. Why and how the Requirement in Section 6.3 applies to 'Low Impact BCS' is not very clear from the language used. Section 6.3 does offer possible mitigation of the risks, i.e., 'malicious communication and vendor remote access'; however, this is even more stringent on Low Impact BCS in comparison to CIP-005-5 R1.5.

BC Hydro recommends rewording or removing Section 6.3 completely.

BC Hydro, Segment(s) 3, 5, 1, 12/18/2018

- 1 - 0

Rob Watson, On Behalf of: Choctaw Generation Limited Partnership, LLLP, , Segments 5

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 8/15/2022

- 0 - 0

PG&E agrees the updated language in Attachment 1, Section 6 addresses the risks noted by the NERC Board of Trustees resolution.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

Claudine Bates, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

Sheila Suurmeier, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

Micah Runner, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

Ron Wilgers, On Behalf of: Black Hills Corporation - WECC - Segments 3

- 0 - 0

Attachment 1 Section 6 was introduced as an objective risk-based requirement; however, it lists prescriptive actions. An entity can mitigate the risks associated with vendor electronic remote access through various means and still address disabling of vendor electric remote access, and malicious communication protection. As such, the language should read more like an objective risk-based requirement allowing an entity to have a bit more leeway to comply with the requirements.

Santee Cooper, Segment(s) 1, 3, 5, 6, 8/15/2022

- 0 - 0

Tacoma Power does not agree that the proposed language in Attachment 1, Section 6 addresses the risk of malicious communication. The Section 6 introduction includes an objective risk-based high-level requirement, yet prescriptive actions are listed in the sub-parts. An entity can mitigate the risks associated with vendor electronic remote access through various means and still address disabling of vendor electric remote access, and malicious communication protection.

Tacoma Power suggests the following wording to avoid prescriptive language in the sub-parts (changes noted in italics and important word changes are highlighted with bold text):

Section 6: Vendor Electronic Remote Access Security Controls: For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement a process to mitigate risks associated with vendor electronic remote access, where such access has been established under Section 3.1. These processes shall address:

6.1 determining and disabling active vendor electronic remote access sessions, if applicable; and

6.2 malicious communications.

By altering the wording as shown above, an entity would be able to comply through multiple means and would not HAVE to implement a detection method to mitigate malicious communication. For example, if an Entity makes use of an Intermediate System for all low impact BCS remote access, which would mitigate the risk of vendor electronic remote access malicious communications, they have addressed malicious communications without having to also detect malicious communications, which in this scenario is extremely unlikely to occur.

Tacoma Power, Segment(s) 1, 3, 4, 5, 6, 3/9/2021

- 3 - 0

NextEra Energy supports EEI’s comment: EEI agrees that the updated language proposed in Draft 3 of Attachment 1 Section 6 addresses the risk of malicious communication and vendor remote access to low impact BES cyber systems as directed by the NERC Board resolution

Justin Welty, NextEra Energy - Florida Power and Light Co., 6, 8/16/2022

- 0 - 0

Yes, Constellation agrees that the updated language addresses the risk of malicious communication and vendor remote access to low impact BES cyber systems.


Kimberly Turco on behalf of Constellation Segments 5 and 6

Kimberly Turco, Constellation, 6, 8/16/2022

- 0 - 0

Yes, Constellation agrees that the updated language addresses the risk of malicious communication and vendor remote access to low impact BES cyber systems.


Kimberly Turco on behalf of Constellation Segments 5 and 6

Alison Mackellar, Constellation, 5, 8/16/2022

- 0 - 0

John Daho, On Behalf of: MEAG Power - SERC - Segments 1

- 0 - 0

Jennifer Buckman, On Behalf of: Southern Indiana Gas and Electric Co., RF, Segments 3, 5, 6

- 0 - 0

Texas RE continues to be concerned that the language in Attachment 1, Section 6 is limited to vendor remote access. Texas RE is concerned that Section 6’s focus on vendor remote access does not capture the full range of malicious communications contemplated under the low impact guidance documents. In the event of a supply chain attack, malicious communications can occur whether or not a Responsible Entity has established an authorized channel for vendor communications. Additionally, in the event of a supply chain attack, malicious communications can potentially be initiated from compromised Cyber Assets attempting to communicate with a Command and Control server. Importantly, these can occur along logical pathways where the Responsible Entity has deliberately not established channels for vendor remote access.


A supply chain attack, such as the supply chain attack that resulted in the 2020 United States federal government data breach, is not typically conducted directly by compromised vendors themselves.  These attacks are typically conducted by malicious third parties that do not have a formal business relationship with the vendor or the affected Registered Entity.  As such, scoping this requirement to only address remote access that is conducted directly by vendors would deliberately exclude from scope the exact communications that need to be monitored.


Based on this perspective, therefore, Texas RE recommends that the SDT clarify that CIP-003 low impact monitoring obligations extend to all inbound and outbound network traffic to mitigate the risk of suspicious or malicious traffic going unnoticed, not just in situations of authorized vendor remote access.  Texas RE recommends moving the proposed language in Attachment 1, Section 6.2 to Section 3 (Electronic Access Controls) so it is clear malicious communication monitoring and detection method obligations apply to all communications, not simply vendor remote access communications.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 8/16/2022

- 0 - 0

JT Kuehne, AEP, 6, 8/17/2022

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Michelle Amarantos, APS - Arizona Public Service Co., 5, 8/17/2022

- 0 - 0

Section 6 has introduced an objective risk-based high-level requirement, yet prescriptive actions are listed. An entity can mitigate the risks associated with vendor electronic remote access through various means and still address disabling of vendor electric remote access, and malicious communication protection.

Israel Perez, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

FE Voter, Segment(s) 1, 3, 5, 6, 4, 12/20/2021

- 0 - 0

Evergy supports and incorporates by reference the comments of the Edison Electric Institute (EEI) for question #1.

Alan Kloster, On Behalf of: Kevin Frick, Evergy, 1,3,5,6; Jeremy Harris, Evergy, 1,3,5,6; Marcus Moor, Evergy, 1,3,5,6; Jennifer Flandermeyer, Evergy, 1,3,5,6

- 0 - 0

Reclamation recommends the SDT align the CIP-003 Attachment 1 Section 6 language with CIP-005-6 R2 and use NERC-defined terms where possible. The content of Section 6 should be included within Attachment 1 Section 3 and not made into a new section. Reclamation recommends adding “if technically feasible” to Section 6.2 to account for legacy systems that are not capable of detecting known or suspected malicious communications for both inbound and outbound communications.

Reclamation recommends the following changes to Section 6:

From:

Vendor remote access: For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement a process to mitigate risks associated with vendor remote access (including interactive and system-to-system access) to low impact BES Cyber Systems that includes:

6.1 Having one or more method(s) for determining vendor remote access sessions;

6.2 Having one or more method(s) for detecting known or suspected malicious communications for both inbound and outbound communications; and

6.3 Having one or more method(s) for disabling vendor remote access.


To:

Vendor remote access: For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement a process to mitigate risks associated with active vendor remote access sessions (including Interactive Remote Access and system-to-system remote access) to low impact BES Cyber Systems that includes:

6.1 Having one or more method(s) for identifying active vendor remote access sessions;

6.2 If technically feasible, have one or more method(s) for detecting known or suspected malicious communications for both inbound and outbound communications; and

6.3 Having one or more method(s) for disabling active vendor remote access.

The phrase “determining active vendor remote access sessions” is not clear. Reclamation recommends using the same language as in the Technical Rationale, which refers more specifically to “when sessions are initiated.”

Richard Jackson, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

Joseph Amato, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 8/18/2022

- 0 - 0

SMUD and BANC support Tacoma Power's comment.

SMUD / BANC, Segment(s) 3, 6, 1, 4, 5, 8/18/2022

- 0 - 0

Section 6.3 still creates a higher bar for some assets containing low impact BCS than for most medium impact BCS (i.e., those outside of control centers). It is still not clear if VPN connections established with support vendors fully adhere to the requirement or whether additional steps such as IDS/IPS are required. The Section 6 introduction includes an objective risk-based high-level requirement, yet prescriptive actions are listed in the sub-parts.

Jesus Sammy Alcaraz, Imperial Irrigation District, 1, 8/18/2022

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 8/18/2022

- 0 - 0

Gail Golden, On Behalf of: Entergy - Entergy Services, Inc., , Segments 5

- 0 - 0

Mike Magruder, Avista - Avista Corporation, 1, 8/18/2022

- 0 - 0

NCPA does not agree with prescriptive language for 6.3 as it relates to detect known or suspected malicious communications. This would be more arduous for Low impact entities to implement compared to non-Control Center Medium Impact facilities as they don't need to comply with CIP-005 R1.5.  This creates an imbalance of requiring lower risk facilities to comply with a more strenuous requirement than higher risk facilities.  At least limiting 6.3’s scope to only Low Impact Control Centers would be somewhat congruent with the CIP-005 R1.5 requirement. 

NCPA, Segment(s) 4, 6, 6/4/2021

- 0 - 0

Dwanique Spiller, Berkshire Hathaway - NV Energy, 5, 8/19/2022

- 0 - 0

Based on comments below, we conclude the proposed updates do not adequately address the risk of malicious communication and vendor remote access.

Carl Pineault, On Behalf of: Hydro-Québec Production, , Segments 1, 5

- 0 - 0

Wayne Sipperly, On Behalf of: North American Generator Forum, MRO, WECC, Texas RE, NPCC, SERC, RF, Segments 5

- 0 - 0

Ellese Murphy, On Behalf of: Duke Energy - MRO, WECC, Texas RE, SERC, RF - Segments 1, 3, 5, 6

- 0 - 0

Minnesota Power is in agreement with EEI’s comments.

Jamie Monette, Allete - Minnesota Power, Inc., 1, 8/19/2022

- 0 - 0

Cleco agrees with EEI comments.

Clay Walker, On Behalf of: John Lindsey, Cleco Corporation, 1,3,5,6; Robert Hirchak, Cleco Corporation, 1,3,5,6; Maurice Paulk, Cleco Corporation, 1,3,5,6

- 0 - 0

While the language added to the standard does meet the NERC Board resolution, we still strongly disagree with adding malicious code detections for low impact BCS (specifically Section 6.3) as this control is not a requirement for medium impact BCS (not at Control Centers). Although these new requirements come from the FERC/NERC resolution, there are much greater risks to the overall BES/BPS at medium impact BCS than low impact BCS. We feel the only resolution to this is to add the same controls to medium impact BCS or drop the requirement for low impact. If we as an ERO are taking a risk-based approach and the FERC/NERC resolution into consideration, then adding the requirement to medium impact BCS is the only possible resolution to satisfy us and the FERC/NERC resolution. Based on our research there is not a resolution to add malicious code detections to medium impact BCS, and therefore we will not be in favor of the controls for low impact.

ACES Standard Collaborations, Segment(s) 1, 3, 4, 5, 8/19/2022

- 0 - 0

Malicious communication can arguably be effectively addressed with Attachment 1, requirements 6.1 and 6.2. We believe that Requirement 6.3 is excessive.

DTE Energy, Segment(s) 4, 3, 5, 10/5/2021

- 0 - 0

Dania Colon, Orlando Utilities Commission, 5, 8/19/2022

- 0 - 0

It is not clear that Section 6.3 applies only to inbound and outbound vendor communication and not to all communication established under Section 3.1. If Section 6.3 is applicable to all communications then it should be moved to Section 3.1.

Brian Evans-Mongeon, Utility Services, Inc., 4, 8/19/2022

- 0 - 0

Jose Avendano Mora, Edison International - Southern California Edison Company, 1, 8/19/2022

- 0 - 0

Romel Aquino, Edison International - Southern California Edison Company, 3, 8/19/2022

- 0 - 0

Teresa Krabe, Lower Colorado River Authority, 5, 8/19/2022

- 0 - 0

Megan Caulson, On Behalf of: Jennifer Wright, Sempra - San Diego Gas and Electric, 1,3,5

- 0 - 0

David Jendras, Ameren - Ameren Services, 3, 8/19/2022

- 0 - 0

James Baldwin, Lower Colorado River Authority, 1, 8/19/2022

- 0 - 0

EEI agrees that the updated language proposed in Draft 3 of Attachment 1 Section 6 addresses the risk of malicious communication and vendor remote access to low impact BES cyber systems as directed by the NERC Board resolution.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Exelon is aligning with EEI in response to this question. 

Daniel Gacek, Exelon, 1, 8/19/2022

- 0 - 0

Exelon is aligning with EEI in response to this question. 

Kinte Whitehead, Exelon, 3, 8/19/2022

- 0 - 0

GSOC believes the updated language in section 6 addresses the risk; however, modifications to section 6.3 introduce confusion regarding the scope of the requirement over the last posting by arguably including non-vendor related communications in the language. This broadening of language, which could be read to include asset-level monitoring of all inbound and outbound communication for known or suspected malicious communications, is a significant departure from the previous draft and would result in an unduly burdensome compliance mandate. The Technical Rationale developed by the SDT states that section 6.3 “is scoped to focus only on vendors’ communications per the NERC Board resolution and the supply chain report.” However, the SDT has removed the language from 6.3 that clarifies this scope. Since the SDT moved the language that states “where such access has been established under Section 3.1” to the main part of Section 6, this language could be read as requiring this detection to occur at the point where access is established under Section 3.1, which defines that access at each asset containing low impact assets. Further, 6.3 could be read to require all malicious communications to be detected, regardless of whether it is vendor communication or not, as there is no reference to vendor communication in the control specified in section 6.3.


GSOC respectfully proposes the following wording that reverts the language in 6.3 to the language of the prior posting:

Vendor Electronic Remote Access Security Controls: For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement a process to mitigate risks associated with vendor electronic remote access, where such access has been established under Section 3.1.

These processes shall include:

6.1 One or more method(s) for determining vendor electronic remote access;

6.2 One or more method(s) for disabling vendor electronic remote access; and

6.3 One or more method(s) for detecting known or suspected malicious communications for both inbound and outbound vendor communications.

Benjamin Winslett, Georgia System Operations Corporation, 4, 8/19/2022

2020-03_Supply_Chain_Lows_Unofficial_Comment_Form (GSOC FINAL).docx

- 0 - 0

Mark Ciufo, On Behalf of: Payam Farahbakhsh, Hydro One Networks, Inc., 1,3

- 0 - 0

ITC is in agreement with the EEI response

Gail Elliott, On Behalf of: International Transmission Company Holdings Corporation - MRO, RF - Segments NA - Not Applicable

- 0 - 0

Devon Tremont, Taunton Municipal Lighting Plant, 1, 8/19/2022

- 0 - 0

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1,6

- 0 - 0

Based on comments below, we conclude the proposed updates do not adequately address the risk of malicious communication and vendor remote access.

Michael Russell, Massachusetts Municipal Wholesale Electric Company, 5, 8/19/2022

- 0 - 0

Based on the comments below, we conclude the proposed updates do not adequately address the risk of malicious communication and vendor remote access.

NPCC Regional Standards Committee, Segment(s) 10, 2, 4, 7, 3, 1, 5, 6, 7/6/2022

- 0 - 0

Seattle City Light abstains

Seattle City Light, Segment(s) 1, 3, 4, 5, 6, 10/5/2015

- 0 - 0

Florida Municipal Power Agency (FMPA), Segment(s) 5, 4, 3, 6, 6/17/2022

- 0 - 0

See comments as supplied by Deanna Carlson from Cowlitz PUD.

Russell Noble, Cowlitz County PUD, 3, 8/19/2022

- 0 - 0

Hot Answers

See comments submitted by the Edison Electric Institute

Kenya Streeter, On Behalf of: Edison International - Southern California Edison Company, , Segments 1, 3, 5, 6

- 0 - 0

Cowlitz PUD would like to see the term ‘vendor electronic remote access’ added to Section 6.3 as it is included in Section 6.1 and 6.2. By excluding this from Section 6.3, an interpretation could be applied to malicious communications more broadly than was intended.

Deanna Carlson, Cowlitz County PUD, 5, 8/19/2022

- 0 - 0

Other Answers

Kevin Conway, Public Utility District No. 1 of Pend Oreille County, 1, 7/14/2022

- 0 - 0

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Eric Sutlief, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

Sean Steffensen, IDACORP - Idaho Power Company, 1, 7/29/2022

- 0 - 0

Martin Sidor, NRG - NRG Energy, Inc., 6, 8/3/2022

- 0 - 0

Donna Wood, Tri-State G and T Association, Inc., 1, 8/4/2022

- 0 - 0

Jay Sethi, On Behalf of: Manitoba Hydro - MRO - Segments 1, 3, 5, 6

- 0 - 0

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

Xcel Energy supports the comments of EEI and the MRO NSRF. 

Joe Gatten, On Behalf of: Xcel Energy, Inc. - MRO, WECC - Segments 1, 3, 5, 6

- 0 - 0

PUD No. 1 of Chelan County, Segment(s) 3, 1, 6, 5, 8/11/2022

- 0 - 0

Erik Gustafson, On Behalf of: PNM Resources - Public Service Company of New Mexico - WECC, Texas RE - Segments 1, 3

- 0 - 0

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Southern believes the language added is clear to limit the scope of remote access conducted by vendors.

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

As mentioned in comments related to Question 1 above, 'vendor electronic remote access' needs clarity of understanding and clear definitions of the terms for appropriate applicability, as well as the use of the term 'Vendor', e.g., whether a consultant using the same infrastructure is considered a vendor.

BC Hydro, Segment(s) 3, 5, 1, 12/18/2018

- 0 - 0

Rob Watson, On Behalf of: Choctaw Generation Limited Partnership, LLLP, , Segments 5

- 0 - 0

I believe the language is clear however the level of monitoring is not reduced.

Glen Farmer, Avista - Avista Corporation, 5, 8/15/2022

- 0 - 0

PG&E agrees the language is clear that remote access is only for vendors.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

Claudine Bates, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

Sheila Suurmeier, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

Micah Runner, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

Ron Wilgers, On Behalf of: Black Hills Corporation - WECC - Segments 3

- 0 - 0

The term “vendor” needs to be defined in the NERC glossary of terms.  The use of the term “vendor” in the CIP-013 Supplemental Material is not an official definition.  This term is crucial to CIP-013 and with the proposed changes to CIP-003 the term will be crucial in determining what is considered vendor remote access.

Santee Cooper, Segment(s) 1, 3, 5, 6, 8/15/2022

- 0 - 0

While the high-level Section 6 introduction includes scoping language, the wording of the sub-parts 6.1 and 6.2 includes the same vendor electronic remote access language, while 6.3 does not. Sub-part 6.3 may be construed to apply more broadly due to the omission of the scoping language in this sub-part, because the other sub-parts include this scoping language. Tacoma Power recommends including the “vendor remote access” language in the sub-part 6.3 sentence, in accordance with the following Westlaw reference: https://content.next.westlaw.com/practical-law/document/Ibe943df6e1e711e698dc8b09b4f043e0/Expressio-unius-est-exclusio-alterius?viewType=FullText&transitionType=Default&contextData=(sc.Default)&firstPage=true

Tacoma Power, Segment(s) 1, 3, 4, 5, 6, 3/9/2021

- 2 - 0

NextEra Energy supports EEI’s comment: EEI supports the Draft 3 language believing that it is sufficiently clear to limit the scope for remote access to low impact BES cyber systems.

Justin Welty, NextEra Energy - Florida Power and Light Co., 6, 8/16/2022

- 0 - 0

Yes, Constellation believes that the language is clear.


Kimberly Turco on behalf of Constellation Segments 5 and 6

Kimberly Turco, Constellation, 6, 8/16/2022

- 0 - 0

Yes, Constellation believes that the language is clear.


Kimberly Turco on behalf of Constellation Segments 5 and 6

Alison Mackellar, Constellation, 5, 8/16/2022

- 0 - 0

Sections 6.1 and 6.2 use the terms ‘vendor electronic remote access’; however, Section 6.3 does not use this language which could lead to confusion for utilities.  Even though the high level Section 6 limits the scope to remote access conducted by vendors, Section 6.3, without having the same language as Sections 6.1 and 6.2, could be interpreted to apply to malicious communications more broadly and not just for vendor electronic remote access.

Suggested language: In Section 6.3, instead of saying “One or more method(s) for detecting known or suspected inbound and outbound malicious communications,” the suggested language is as follows: “One or more method(s) for addressing and mitigating known or suspected inbound and outbound malicious communications for vendor electronic remote access”

John Daho, On Behalf of: MEAG Power - SERC - Segments 1

- 0 - 0

Jennifer Buckman, On Behalf of: Southern Indiana Gas and Electric Co., RF, Segments 3, 5, 6

- 0 - 0

As noted in its response to Question 1 above, Texas RE continues to believe that the low-impact standards being developed should not be limited solely to vendor communications.  However, if the SDT elects to limit the focus of these requirements solely to vendor communications, Texas RE notes that because the SAR specifically states that CIP-003-8 should be revised to include policies for low impact BES Cyber Systems at locations that allow vendor remote access, Texas RE recommends including “at locations that allow vendor remote access” in Section 6 as well.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 8/16/2022

- 0 - 0

JT Kuehne, AEP, 6, 8/17/2022

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Michelle Amarantos, APS - Arizona Public Service Co., 5, 8/17/2022

- 0 - 0

While the high-level Section 6 introduction includes scoping language, the wording of the sub-parts 6.1 & 6.2 includes the same vendor electronic remote access language, while 6.3 does not. Sub-part 6.3 may be construed to apply more broadly due to the omission of the scoping language in this sub-part, because the other sub-parts include this scoping language. PGS recommends including the language “vendor remote access”.

Israel Perez, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

FE Voter, Segment(s) 1, 3, 5, 6, 4, 12/20/2021

- 0 - 0

Evergy supports and incorporates by reference the comments of the Edison Electric Institute (EEI) for question #2.

Alan Kloster, On Behalf of: Kevin Frick, Evergy, 1,3,5,6; Jeremy Harris, Evergy, 1,3,5,6; Marcus Moor, Evergy, 1,3,5,6; Jennifer Flandermeyer, Evergy, 1,3,5,6

- 0 - 0

Reclamation recommends adding “Vendor” to the NERC Glossary of Terms and proposes the following definition:

Vendor - Persons, companies, or other organizations with whom the Responsible Entity, or its affiliates, contracts to supply equipment for BES Cyber Systems and related services. Vendor does not include other NERC-registered entities that provide reliability services (e.g., Balancing Authority or Reliability Coordinator services pursuant to NERC Reliability Standards). Vendor may include: (i) developers or manufacturers of information systems, system components, or information system services; (ii) product resellers; or (iii) system integrators. 

Richard Jackson, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

Joseph Amato, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 8/18/2022

- 0 - 0

SMUD and BANC support Tacoma Power's comment.

SMUD / BANC, Segment(s) 3, 6, 1, 4, 5, 8/18/2022

- 0 - 0

Jesus Sammy Alcaraz, Imperial Irrigation District, 1, 8/18/2022

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 8/18/2022

- 0 - 0

The technical rationale explains that Section 6.3 is specific to vendor only communication. It would aid the reader's understanding if this is clarified in the actual CIP-003-X standard language.

Gail Golden, On Behalf of: Entergy - Entergy Services, Inc., , Segments 5

- 0 - 0

I believe the language is clear however the level of monitoring is not reduced.

Mike Magruder, Avista - Avista Corporation, 1, 8/18/2022

- 0 - 0

NCPA, Segment(s) 4, 6, 6/4/2021

- 0 - 0

Dwanique Spiller, Berkshire Hathaway - NV Energy, 5, 8/19/2022

- 0 - 0

The CIP Standards use many terms:

· Vendor electronic remote access (proposed CIP-003)

· Inbound and outbound electronic access (CIP-003, Section 3)

· User-initiated interactive access (CIP-003 Reference Model 5)

· Indirect access (CIP-003 Reference Models 6 and 9)

Suggest using an existing term OR request clarification of the “vendor electronic remote access” term - what is the purpose of electronic? What is remote?

Carl Pineault, On Behalf of: Hydro-Québec Production, , Segments 1, 5

- 0 - 0

Wayne Sipperly, On Behalf of: North American Generator Forum, MRO, WECC, Texas RE, NPCC, SERC, RF, Segments 5

- 0 - 0

Ellese Murphy, On Behalf of: Duke Energy - MRO, WECC, Texas RE, SERC, RF - Segments 1, 3, 5, 6

- 0 - 0

Minnesota Power is in agreement with EEI’s comments.

Jamie Monette, Allete - Minnesota Power, Inc., 1, 8/19/2022

- 0 - 0

Cleco agrees with EEI comments.

Clay Walker, On Behalf of: John Lindsey, Cleco Corporation, 1,3,5,6; Robert Hirchak, Cleco Corporation, 1,3,5,6; Maurice Paulk, Cleco Corporation, 1,3,5,6

- 0 - 0

ACES Standard Collaborations, Segment(s) 1, 3, 4, 5, 8/19/2022

- 0 - 0

Please define if “Vendor Electronic Remote Access” is only for Interactive Access or does it include system to system access as well.

DTE Energy, Segment(s) 4, 3, 5, 10/5/2021

- 0 - 0

We appreciate the time and attention the SDT put forth working on this section, however we are concerned that the language under 6.3 does not include a direct reference to “vendor remote access” in the sub part. We understand the SDT debated this issue, however we recommend modification to the language to improve clarity. We believe these clarifications can be made without substantial change, so are thereby voting affirmative with the desire for further clarification. These are possible improvements to the language:


1) Adding clarity to the last sentence of section 6:

"These vendor remote access processes shall include:" By adding "vendor remote access", it helps clarify the intent of all three sub-sections being applicable to just "vendor remote access" and not all communications. While technically the word "these" refers to the previous sentence, we feel there could be more clarity to assist Responsible Entities to focus on the subject of the revisions.

2) Remove references to “vendor remote access” in 6.1 and 6.2

3) Modifying 6.3 to include a reference to vendor remote access. If 6.3 were modified, we recommend it to read:

“6.3 One or more method(s) for detecting known or suspected inbound and outbound malicious communications associated with vendor remote access.”

Dania Colon, Orlando Utilities Commission, 5, 8/19/2022

- 0 - 0

The second paragraph of Attachment 1 states “Responsible Entities with multiple-impact BES Cyber Systems ratings can utilize policies, procedures, and processes for their high or medium impact BES Cyber Systems to fulfill the sections for the development of low impact cyber security plan(s).”    It is unclear how this statement can be applied without clarification on how the terms used in CIP-005-7 relate to the proposed terms in CIP-003-x. Request clarification on how the CIP-003-X term “vendor electronic remote access” relates to the CIP-005-7 terms “active vendor remote access” (R2) and “vendor-initiated remote connections”(R3).

The CIP Standards use many terms:

·       Vendor electronic remote access (proposed CIP-003)

·       Inbound and outbound electronic access (CIP-003, Section 3)

·       User-initiated interactive access (CIP-003 Reference Model 5)

·       Indirect access (CIP-003 Reference Models 6 and 9)

Suggest using an existing term OR request clarification of the “vendor electronic remote access” term - what is the purpose of electronic? What is remote?

Brian Evans-Mongeon, Utility Services, Inc., 4, 8/19/2022

- 0 - 0

Jose Avendano Mora, Edison International - Southern California Edison Company, 1, 8/19/2022

- 0 - 0

Romel Aquino, Edison International - Southern California Edison Company, 3, 8/19/2022

- 0 - 0

Teresa Krabe, Lower Colorado River Authority, 5, 8/19/2022

- 0 - 0

Megan Caulson, On Behalf of: Jennifer Wright, Sempra - San Diego Gas and Electric, 1,3,5

- 0 - 0

Ameren believes the term vendor needs to be defined more clearly. Does the vendor role make a difference (contractor operators, support, etc.)? Is operations different from support in terms of vendors?

David Jendras, Ameren - Ameren Services, 3, 8/19/2022

- 0 - 0

James Baldwin, Lower Colorado River Authority, 1, 8/19/2022

- 0 - 0

EEI supports the Draft 3 language believing that it is sufficiently clear to limit the scope for remote access to low impact BES cyber systems.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Exelon is aligning with EEI in response to this question. 

Daniel Gacek, Exelon, 1, 8/19/2022

- 0 - 0

Exelon is aligning with EEI in response to this question. 

Kinte Whitehead, Exelon, 3, 8/19/2022

- 0 - 0

GSOC believes the updated language in section 6, specifically section 6.3 does not clarify the scope of the requirement.  The language that provided that clear scoping was removed in this posting.  Section 6.3 could now be read to require all malicious communications to be detected, regardless of whether it is vendor communication or not as there is no reference to vendor communication in the control specified in section 6.3.  GSOC respectfully proposes the following wording which reverts the language in 6.3 to that of the prior posting:

Vendor Electronic Remote Access Security Controls: For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement a process to mitigate risks associated with vendor electronic remote access, where such access has been established under Section 3.1.

These processes shall include:

6.1 One or more method(s) for determining vendor electronic remote access;

6.2 One or more method(s) for disabling vendor electronic remote access; and

6.3 One or more method(s) for detecting known or suspected malicious communications for both inbound and outbound vendor communications.

Benjamin Winslett, Georgia System Operations Corporation, 4, 8/19/2022

- 0 - 0

Mark Ciufo, On Behalf of: Payam Farahbakhsh, Hydro One Networks, Inc., 1,3

- 0 - 0

ITC is in agreement with the EEI response

Gail Elliott, On Behalf of: International Transmission Company Holdings Corporation - MRO, RF - Segments NA - Not Applicable

- 0 - 0

Devon Tremont, Taunton Municipal Lighting Plant, 1, 8/19/2022

- 0 - 0

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1,6

- 0 - 0

The CIP Standards use many terms such as: Vendor electronic remote access (proposed CIP-003), Inbound and outbound electronic access (CIP-003, Section 3), User-initiated interactive access (CIP-003 Reference Model 5), Indirect access (CIP-003 Reference Models 6 and 9).  Suggest using an existing term OR request clarification of the “vendor electronic remote access” term - what is the purpose of electronic? What is remote?

Michael Russell, Massachusetts Municipal Wholesale Electric Company, 5, 8/19/2022

- 0 - 0

The CIP Standards use many terms:

Vendor electronic remote access (proposed CIP-003)

Inbound and outbound electronic access (CIP-003, Section 3)

User-initiated interactive access (CIP-003 Reference Model 5)

Indirect access (CIP-003 Reference Models 6 and 9)

Suggest using an existing term OR request clarification of the “vendor electronic remote access” term - what is the purpose of electronic? What is remote?

NPCC Regional Standards Committee, Segment(s) 10, 2, 4, 7, 3, 1, 5, 6, 7/6/2022

- 0 - 0

Seattle City Light abstains

Seattle City Light, Segment(s) 1, 3, 4, 5, 6, 10/5/2015

- 0 - 0

We appreciate the time and attention the SDT put forth working on this section, however we are concerned that the language under 6.3 does not include a direct reference to “vendor remote access” in the sub part. We understand the SDT debated this issue, however we recommend modification to the language to improve clarity. We believe these clarifications can be made without substantial change, so are thereby voting affirmative with the desire for further clarification. These are possible improvements to the language:

1) Adding clarity to the last sentence of section 6:

"These vendor electronic remote access processes shall include:" By adding "vendor electronic remote access", it helps clarify the intent of all three sub-sections being applicable to just "vendor electronic remote access" and not all communications. While technically the word "these" refers to the previous sentence, we feel there could be more clarity to assist Responsible Entities to focus on the subject of the revisions.

2) Remove references to “vendor remote access” in 6.1 and 6.2

3) Modifying 6.3 to include a reference to vendor electronic remote access. If 6.3 were modified, we recommend it to read:

“6.3 One or more method(s) for detecting known or suspected inbound and outbound malicious communications associated with vendor electronic remote access.”

Florida Municipal Power Agency (FMPA), Segment(s) 5, 4, 3, 6, 6/17/2022

- 0 - 0

See comments as supplied by Deanna Carlson from Cowlitz PUD.

Russell Noble, Cowlitz County PUD, 3, 8/19/2022

- 0 - 0

Hot Answers

See comments submitted by the Edison Electric Institute

Kenya Streeter, On Behalf of: Edison International - Southern California Edison Company, , Segments 1, 3, 5, 6

- 0 - 0

The language says, “electronic remote access” it does not state “remote locations,” which is appropriate based on the guidance given for CIP-005, which made it clear that “remote access” may include access originating from a desk in your corporate office. The geographic location of the vendor shouldn’t matter, only the method used to access the BCS. 

Deanna Carlson, Cowlitz County PUD, 5, 8/19/2022

- 0 - 0

Other Answers

Kevin Conway, Public Utility District No. 1 of Pend Oreille County, 1, 7/14/2022

- 0 - 0

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Eric Sutlief, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

The language in Section 6, ‘where such access has been established under Section 3.1’ implies the entity is not required to implement a process to ‘mitigate risks associated with vendor electronic remote access’ unless remote access has been (or will be) established. We believe this is appropriate, where entities have opted to categorically deny all electronic remote access to vendors.

Sean Steffensen, IDACORP - Idaho Power Company, 1, 7/29/2022

- 0 - 0

Martin Sidor, NRG - NRG Energy, Inc., 6, 8/3/2022

- 0 - 0

Donna Wood, Tri-State G and T Association, Inc., 1, 8/4/2022

- 0 - 0

Jay Sethi, On Behalf of: Manitoba Hydro - MRO - Segments 1, 3, 5, 6

- 0 - 0

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

Xcel Energy supports the comments of EEI and the MRO NSRF. 

Joe Gatten, On Behalf of: Xcel Energy, Inc. - MRO, WECC - Segments 1, 3, 5, 6

- 0 - 0

PUD No. 1 of Chelan County, Segment(s) 3, 1, 6, 5, 8/11/2022

- 0 - 0

Erik Gustafson, On Behalf of: PNM Resources - Public Service Company of New Mexico - WECC, Texas RE - Segments 1, 3

- 0 - 0

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

The language is clear for Section 6.1 and 6.2 that it clarifies this section is specific for Vendor Electronic Remote Access. Section 6.3 could be somewhat ambiguous and may be read to include more than vendor remote access.

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

The use of the word "Remote" will need some clarification and perhaps a definition in the defined terms, e.g., how the "Remote" term will be used in the sample scenarios below:

1) On site, but electronically remote (i.e. has to go through EAP despite being at the station).

2) A "vendor" at the work location of Responsible Entity, also electronically remote (i.e. going through EAP).

3) "Traditionally" remote, off site, and electronically remote (also going through EAP).

BC Hydro, Segment(s) 3, 5, 1, 12/18/2018

- 0 - 0

Rob Watson, On Behalf of: Choctaw Generation Limited Partnership, LLLP, , Segments 5

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 8/15/2022

- 0 - 0

PG&E agrees with the modifications to Attachment 1, Section 6 and those modifications clearly indicate it is for vendor access from a remote location.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

The language says “electronic remote access” it does not state “remote locations,” which is appropriate based on the guidance given for CIP-005, which made it clear that “remote access” may include access originating from a desk in your corporate office. The geographic location of the vendor shouldn’t matter, only the method used to access the BCS. 

Claudine Bates, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

The language says “electronic remote access” it does not state “remote locations,” which is appropriate based on the guidance given for CIP-005, which made it clear that “remote access” may include access originating from a desk in your corporate office. The geographic location of the vendor shouldn’t matter, only the method used to access the BCS.

Sheila Suurmeier, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

The language says “electronic remote access” it does not state “remote locations,” which is appropriate based on the guidance given for CIP-005, which made it clear that “remote access” may include access originating from a desk in your corporate office. The geographic location of the vendor shouldn’t matter, only the method used to access the BCS. 

Micah Runner, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

The language says “electronic remote access” it does not state “remote locations,” which is appropriate based on the guidance given for CIP-005, which made it clear that “remote access” may include access originating from a desk in your corporate office. The geographic location of the vendor shouldn’t matter, only the method used to access the BCS. 

Ron Wilgers, On Behalf of: Black Hills Corporation - WECC - Segments 3

- 0 - 0

The wording in sub-parts 6.1 & 6.2 include the same “vendor electronic remote access” language, while subpart 6.3 does not. Sub-part 6.3 should read the same as sub-parts 6.1 & 6.2 so as not to imply that 6.3 should be more broadly enforced beyond its intended purpose.

Santee Cooper, Segment(s) 1, 3, 5, 6, 8/15/2022

- 1 - 0

Tacoma Power, Segment(s) 1, 3, 4, 5, 6, 3/9/2021

- 1 - 0

NextEra Energy supports EEI’s comment: EEI agrees that Attachment 1, Section 6 clarifies that vendor’s access to low impact assets containing BES cyber systems is limited to remote locations.

Justin Welty, NextEra Energy - Florida Power and Light Co., 6, 8/16/2022

- 0 - 0

Yes. The SDT clarified that Attachment 1 Section 6 only applies to vendor access to low impact assets containing BES cyber systems from remote (off-site) locations.


Kimberly Turco on behalf of Constellation Segments 5 and 6

Kimberly Turco, Constellation, 6, 8/16/2022

- 0 - 0

Yes. The SDT clarified that Attachment 1 Section 6 only applies to vendor access to low impact assets containing BES cyber systems from remote (off-site) locations.


Kimberly Turco on behalf of Constellation Segments 5 and 6

Alison Mackellar, Constellation, 5, 8/16/2022

- 0 - 0

John Daho, On Behalf of: MEAG Power - SERC - Segments 1

- 0 - 0

Jennifer Buckman, On Behalf of: Southern Indiana Gas and Electric Co., RF, Segments 3, 5, 6

- 0 - 0

Texas RE does not have comments on this question.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 8/16/2022

- 0 - 0

JT Kuehne, AEP, 6, 8/17/2022

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Michelle Amarantos, APS - Arizona Public Service Co., 5, 8/17/2022

- 0 - 0

Israel Perez, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

FE Voter, Segment(s) 1, 3, 5, 6, 4, 12/20/2021

- 0 - 0

Evergy supports and incorporates by reference the comments of the Edison Electric Institute (EEI) for question #3.

Alan Kloster, On Behalf of: Kevin Frick, Evergy, 1,3,5,6; Jeremy Harris, Evergy, 1,3,5,6; Marcus Moor, Evergy, 1,3,5,6; Jennifer Flandermeyer, Evergy, 1,3,5,6

- 0 - 0

Access from remote locations is not the same as remote access. A vendor could be physically on site and connect to the system through a remote connection.

Richard Jackson, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

Joseph Amato, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 8/18/2022

- 0 - 0

SMUD / BANC, Segment(s) 3, 6, 1, 4, 5, 8/18/2022

- 0 - 0

Jesus Sammy Alcaraz, Imperial Irrigation District, 1, 8/18/2022

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 8/18/2022

- 0 - 0

Gail Golden, On Behalf of: Entergy - Entergy Services, Inc., , Segments 5

- 0 - 0

Mike Magruder, Avista - Avista Corporation, 1, 8/18/2022

- 0 - 0

NCPA, Segment(s) 4, 6, 6/4/2021

- 0 - 0

Dwanique Spiller, Berkshire Hathaway - NV Energy, 5, 8/19/2022

- 0 - 0

Request clarification on why Attachment 1, 6.3 does not use the phrase “vendor electronic remote access” while Sections 6, 6.1 and 6.2 use this phrase. While in the parent language, we request consistency among 6.1, 6.2 and 6.3.

Request confirmation that the SDT expects all of Attachment 1, Section 3.1 to be in place before Section 6 requirements. If Section 3.1 is not met, then Section 6 does not apply.

Carl Pineault, On Behalf of: Hydro-Québec Production, , Segments 1, 5

- 0 - 0

Wayne Sipperly, On Behalf of: North American Generator Forum, MRO, WECC, Texas RE, NPCC, SERC, RF, Segments 5

- 0 - 0

Ellese Murphy, On Behalf of: Duke Energy - MRO, WECC, Texas RE, SERC, RF - Segments 1, 3, 5, 6

- 0 - 0

Minnesota Power is in agreement with EEI’s comments.

Jamie Monette, Allete - Minnesota Power, Inc., 1, 8/19/2022

- 0 - 0

Cleco agrees with EEI comments.

Clay Walker, On Behalf of: John Lindsey, Cleco Corporation, 1,3,5,6; Robert Hirchak, Cleco Corporation, 1,3,5,6; Maurice Paulk, Cleco Corporation, 1,3,5,6

- 0 - 0

ACES Standard Collaborations, Segment(s) 1, 3, 4, 5, 8/19/2022

- 0 - 0

DTE Energy, Segment(s) 4, 3, 5, 10/5/2021

- 0 - 0

See comments under question 2 to help clarify this.

Dania Colon, Orlando Utilities Commission, 5, 8/19/2022

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 8/19/2022

- 0 - 0

Jose Avendano Mora, Edison International - Southern California Edison Company, 1, 8/19/2022

- 0 - 0

Romel Aquino, Edison International - Southern California Edison Company, 3, 8/19/2022

- 0 - 0

Teresa Krabe, Lower Colorado River Authority, 5, 8/19/2022

- 0 - 0

Megan Caulson, On Behalf of: Jennifer Wright, Sempra - San Diego Gas and Electric, 1,3,5

- 0 - 0

David Jendras, Ameren - Ameren Services, 3, 8/19/2022

- 0 - 0

James Baldwin, Lower Colorado River Authority, 1, 8/19/2022

- 0 - 0

EEI agrees that Attachment 1, Section 6 clarifies that vendor’s access to low impact assets containing BES cyber systems is limited to remote locations.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Exelon is aligning with EEI in response to this question. 

Daniel Gacek, Exelon, 1, 8/19/2022

- 0 - 0

Exelon is aligning with EEI in response to this question. 

Kinte Whitehead, Exelon, 3, 8/19/2022

- 0 - 0

GSOC believes the updated language in section 6, specifically section 6.3 does not specifically limit the scope of the requirement to vendor access and communications.  GSOC respectfully proposes the following wording:

Vendor Electronic Remote Access Security Controls: For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement a process to mitigate risks associated with vendor electronic remote access, where such access has been established under Section 3.1.

These processes shall include:

6.1 One or more method(s) for determining vendor electronic remote access;

6.2 One or more method(s) for disabling vendor electronic remote access; and

6.3 One or more method(s) for detecting known or suspected malicious communications for both inbound and outbound vendor communications.

Benjamin Winslett, Georgia System Operations Corporation, 4, 8/19/2022

- 0 - 0

Mark Ciufo, On Behalf of: Payam Farahbakhsh, Hydro One Networks, Inc., 1,3

- 0 - 0

ITC is in agreement with the EEI response

Gail Elliott, On Behalf of: International Transmission Company Holdings Corporation - MRO, RF - Segments NA - Not Applicable

- 0 - 0

Devon Tremont, Taunton Municipal Lighting Plant, 1, 8/19/2022

- 0 - 0

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1,6

- 0 - 0

Request clarification on why Attachment 1, 6.3 does not use the phrase "vendor electronic remote access" while Sections 6 and 6.1 use this phrase. While in the parent language, we request consistency among 6.1, 6.2 and 6.3.

Request confirmation that the SDT expects all of Attachment 1, Section 3.1 to be in place before Section 6 requirements. If Section 3.1 is not met, then Section 6 does not apply.

Michael Russell, Massachusetts Municipal Wholesale Electric Company, 5, 8/19/2022

- 0 - 0

Request clarification on why Attachment 1, 6.3 does not use the phrase “vendor electronic remote access” while Sections 6, 6.1 and 6.2 use this phrase. While in the parent language, we request consistency among 6.1, 6.2, and 6.3.


Request confirmation that the SDT expects all of Attachment 1, Section 3.1 to be in place before Section 6 requirements. If Section 3.1 is not met, then Section 6 does not apply.

NPCC Regional Standards Committee, Segment(s) 10, 2, 4, 7, 3, 1, 5, 6, 7/6/2022

- 0 - 0

Seattle City Light abstains

Seattle City Light, Segment(s) 1, 3, 4, 5, 6, 10/5/2015

- 0 - 0

Florida Municipal Power Agency (FMPA), Segment(s) 5, 4, 3, 6, 6/17/2022

- 0 - 0

See comments as supplied by Deanna Carlson from Cowlitz PUD.

Russell Noble, Cowlitz County PUD, 3, 8/19/2022

- 0 - 0

Hot Answers

See comments submitted by the Edison Electric Institute

Kenya Streeter, On Behalf of: Edison International - Southern California Edison Company, , Segments 1, 3, 5, 6

- 0 - 0

Additional clarification needs to ensure that the scope of Section 6 applies only to low impact BES Cyber Systems where vendors are actually given remote access.  The language as written can be interpreted that all low impact BES Cyber System that are identified in Section 3.1 should have a process in place to detect, determine, and disable active vendor electric remote access, and malicious communications, regardless of vendors having remote access or not.

Deanna Carlson, Cowlitz County PUD, 5, 8/19/2022

- 0 - 0

Other Answers

Kevin Conway, Public Utility District No. 1 of Pend Oreille County, 1, 7/14/2022

- 0 - 0

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Eric Sutlief, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

Sean Steffensen, IDACORP - Idaho Power Company, 1, 7/29/2022

- 0 - 0

Martin Sidor, NRG - NRG Energy, Inc., 6, 8/3/2022

- 0 - 0

Donna Wood, Tri-State G and T Association, Inc., 1, 8/4/2022

- 0 - 0

Jay Sethi, On Behalf of: Manitoba Hydro - MRO - Segments 1, 3, 5, 6

- 0 - 0

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

There is confusion with the language used in Section 6 as to whether it pertains to the assets containing the low impact BES Cyber Systems (which may contain out of scope cyber systems) or the low impact BES Cyber Systems themselves.

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

Xcel Energy supports the comments of EEI and the MRO NSRF. 

Joe Gatten, On Behalf of: Xcel Energy, Inc. - MRO, WECC - Segments 1, 3, 5, 6

- 0 - 0

PUD No. 1 of Chelan County, Segment(s) 3, 1, 6, 5, 8/11/2022

- 0 - 0

Erik Gustafson, On Behalf of: PNM Resources - Public Service Company of New Mexico - WECC, Texas RE - Segments 1, 3

- 0 - 0

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Southern agrees the language in Attachment 1 Section 6 limits the scope to low impact BES cyber systems.

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

CIP-005-5 R1.5 does not apply to Medium impact BCS if they are not at Control Centers. Why and how the Requirement in Section 6.3 applies to 'Low Impact BCS' is not very clear from the language used. The Section 6.3 does offer possible mitigation of the risks i.e., 'malicious communication and vendor remote access' however this is even more stringent on Low Impact BCS in comparison to CIP-005-5 R1.5.

BC Hydro recommends rewording or removing Section 6.3 completely.

BC Hydro, Segment(s) 3, 5, 1, 12/18/2018

- 0 - 0

Rob Watson, On Behalf of: Choctaw Generation Limited Partnership, LLLP, , Segments 5

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 8/15/2022

- 0 - 0

PG&E agrees the modification to Section 3.1 makes it clear the scope of the Requirement is for low impact BES Cyber Systems.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

Claudine Bates, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

Sheila Suurmeier, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

Micah Runner, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

Ron Wilgers, On Behalf of: Black Hills Corporation - WECC - Segments 3

- 0 - 0

Santee Cooper, Segment(s) 1, 3, 5, 6, 8/15/2022

- 0 - 0

Tacoma Power, Segment(s) 1, 3, 4, 5, 6, 3/9/2021

- 1 - 0

NextEra Energy supports EEI’s comment: EEI agrees that the proposed language in Section 6 limits that scope to Section 3.1.

Justin Welty, NextEra Energy - Florida Power and Light Co., 6, 8/16/2022

- 0 - 0


Kimberly Turco on behalf of Constellation Segments 5 and 6

Kimberly Turco, Constellation, 6, 8/16/2022

- 0 - 0


Kimberly Turco on behalf of Constellation Segments 5 and 6

Alison Mackellar, Constellation, 5, 8/16/2022

- 0 - 0

John Daho, On Behalf of: MEAG Power - SERC - Segments 1

- 0 - 0

Jennifer Buckman, On Behalf of: Southern Indiana Gas and Electric Co., RF, Segments 3, 5, 6

- 0 - 0

Rachel Coyne, Texas Reliability Entity, Inc., 10, 8/16/2022

- 0 - 0

JT Kuehne, AEP, 6, 8/17/2022

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Michelle Amarantos, APS - Arizona Public Service Co., 5, 8/17/2022

- 0 - 0

Israel Perez, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

FE Voter, Segment(s) 1, 3, 5, 6, 4, 12/20/2021

- 0 - 0

Evergy supports and incorporates by reference the comments of the Edison Electric Institute (EEI) for question #4.

Alan Kloster, On Behalf of: Kevin Frick, Evergy, 1,3,5,6; Jeremy Harris, Evergy, 1,3,5,6; Marcus Moor, Evergy, 1,3,5,6; Jennifer Flandermeyer, Evergy, 1,3,5,6

- 0 - 0

Richard Jackson, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

Joseph Amato, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 8/18/2022

- 0 - 0

SMUD / BANC, Segment(s) 3, 6, 1, 4, 5, 8/18/2022

- 0 - 0

Jesus Sammy Alcaraz, Imperial Irrigation District, 1, 8/18/2022

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 8/18/2022

- 0 - 0

Gail Golden, On Behalf of: Entergy - Entergy Services, Inc., , Segments 5

- 0 - 0

Mike Magruder, Avista - Avista Corporation, 1, 8/18/2022

- 0 - 0

NCPA does not agree with prescriptive language for 6.3 as it relates to detect known or suspected malicious communications. This would be more arduous for Low impact entities to implement compared to non-Control Center Medium Impact facilities as they don't need to comply with CIP-005 R1.5.  This creates an imbalance of requiring lower risk facilities to comply with a more strenuous requirement than higher risk facilities.  At least limiting 6.3’s scope to only Low Impact Control Centers would be somewhat congruent with the CIP-005 R1.5 requirement. 

NCPA, Segment(s) 4, 6, 6/4/2021

- 0 - 0

Dwanique Spiller, Berkshire Hathaway - NV Energy, 5, 8/19/2022

- 0 - 0

Request confirmation that the SDT expects all of Attachment 1, Section 3.1 to be in place before Section 6 requirements. If Section 3.1 is not met, then Section 6 does not apply.

Request clarification on how Sections 3.1 and 6 impact the VSLs.

Carl Pineault, On Behalf of: Hydro-Québec Production, , Segments 1, 5

- 0 - 0

Wayne Sipperly, On Behalf of: North American Generator Forum, MRO, WECC, Texas RE, NPCC, SERC, RF, Segments 5

- 0 - 0

Ellese Murphy, On Behalf of: Duke Energy - MRO, WECC, Texas RE, SERC, RF - Segments 1, 3, 5, 6

- 0 - 0

Minnesota Power is in agreement with EEI’s comments.

Jamie Monette, Allete - Minnesota Power, Inc., 1, 8/19/2022

- 0 - 0

Cleco agrees with EEI comments.

Clay Walker, On Behalf of: John Lindsey, Cleco Corporation, 1,3,5,6; Robert Hirchak, Cleco Corporation, 1,3,5,6; Maurice Paulk, Cleco Corporation, 1,3,5,6

- 0 - 0

The proposed changes to limit scope are redundant.  Section 3.1 and Section 6 are explicit to low impact BCS.  If vendor remote access wasn’t already established and allowed under Section 3.1, there would either be a violation of Section 3.1 or a CIP exceptional circumstance would need to be declared.  The language is fine, but unnecessary to try to confine the scope of Section 6 as it is very explicit to low impact BCS.  

ACES Standard Collaborations, Segment(s) 1, 3, 4, 5, 8/19/2022

- 0 - 0

DTE Energy, Segment(s) 4, 3, 5, 10/5/2021

- 0 - 0

Dania Colon, Orlando Utilities Commission, 5, 8/19/2022

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 8/19/2022

- 0 - 0

Jose Avendano Mora, Edison International - Southern California Edison Company, 1, 8/19/2022

- 0 - 0

Romel Aquino, Edison International - Southern California Edison Company, 3, 8/19/2022

- 0 - 0

Teresa Krabe, Lower Colorado River Authority, 5, 8/19/2022

- 0 - 0

Megan Caulson, On Behalf of: Jennifer Wright, Sempra - San Diego Gas and Electric, 1,3,5

- 0 - 0

David Jendras, Ameren - Ameren Services, 3, 8/19/2022

- 0 - 0

James Baldwin, Lower Colorado River Authority, 1, 8/19/2022

- 0 - 0

EEI agrees that the proposed language in Section 6 limits that scope to Section 3.1.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Exelon is aligning with EEI in response to this question. 

Daniel Gacek, Exelon, 1, 8/19/2022

- 0 - 0

Exelon is aligning with EEI in response to this question. 

Kinte Whitehead, Exelon, 3, 8/19/2022

- 0 - 0

Benjamin Winslett, Georgia System Operations Corporation, 4, 8/19/2022

- 0 - 0

Mark Ciufo, On Behalf of: Payam Farahbakhsh, Hydro One Networks, Inc., 1,3

- 0 - 0

ITC is in agreement with the EEI response

Gail Elliott, On Behalf of: International Transmission Company Holdings Corporation - MRO, RF - Segments NA - Not Applicable

- 0 - 0

Devon Tremont, Taunton Municipal Lighting Plant, 1, 8/19/2022

- 0 - 0

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1,6

- 0 - 0

Request confirmation that the SDT expects all of Attachment 1, Section 3.1 to be in place before Section 6 requirements.  If Section 3.1 is not met, then Section 6 does not apply.  Request clarification on how Sections 3.1 and 6 impact the VSLs.

Michael Russell, Massachusetts Municipal Wholesale Electric Company, 5, 8/19/2022

- 0 - 0

Request confirmation that the SDT expects all of Attachment 1, Section 3.1 to be in place before Section 6 requirements. If Section 3.1 is not met, then Section 6 does not apply.

Request clarification on how Sections 3.1 and 6 impact the VSLs.

NPCC Regional Standards Committee, Segment(s) 10, 2, 4, 7, 3, 1, 5, 6, 7/6/2022

- 0 - 0

Seattle City Light abstains

Seattle City Light, Segment(s) 1, 3, 4, 5, 6, 10/5/2015

- 0 - 0

Florida Municipal Power Agency (FMPA), Segment(s) 5, 4, 3, 6, 6/17/2022

- 0 - 0

Russell Noble, Cowlitz County PUD, 3, 8/19/2022

- 0 - 0

Hot Answers

See comments submitted by the Edison Electric Institute

Kenya Streeter, On Behalf of: Edison International - Southern California Edison Company, , Segments 1, 3, 5, 6

- 0 - 0

The scope should be modified to read more like an objective-based requirement allowing entities more leeway and potentially more cost-effective means to comply with the specific list of assets identified. Recognition that not all communications need to be monitored to determine malicious communications through active vendor remote access will ensure resources are focused on actual risk.

Deanna Carlson, Cowlitz County PUD, 5, 8/19/2022

- 0 - 0

Other Answers

Kevin Conway, Public Utility District No. 1 of Pend Oreille County, 1, 7/14/2022

- 0 - 0

NST abstains.

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Eric Sutlief, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

Sean Steffensen, IDACORP - Idaho Power Company, 1, 7/29/2022

- 0 - 0

Martin Sidor, NRG - NRG Energy, Inc., 6, 8/3/2022

- 0 - 0

Donna Wood, Tri-State G and T Association, Inc., 1, 8/4/2022

- 0 - 0

Jay Sethi, On Behalf of: Manitoba Hydro - MRO - Segments 1, 3, 5, 6

- 0 - 0

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

The scope should be narrowed to just where the risk exists as opposed to a broad swath of assets. The way it is written it implies that all communications need to be monitored to determine malicious communications through vendor remote access.

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

Xcel Energy agrees that the modifications can be implemented in a cost-effective manner when implemented within the timeframe identified in the associated Implementation Plan. 

Joe Gatten, On Behalf of: Xcel Energy, Inc. - MRO, WECC - Segments 1, 3, 5, 6

- 0 - 0

PUD No. 1 of Chelan County, Segment(s) 3, 1, 6, 5, 8/11/2022

- 0 - 0

Erik Gustafson, On Behalf of: PNM Resources - Public Service Company of New Mexico - WECC, Texas RE - Segments 1, 3

- 0 - 0

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

Although the cost may differ between entities, BC Hydro's assessment is that the impact may change based on understanding & clarity of terms and scope of application. As advised in comments of Question 1 above, CIP-005-5 R1.5 does not apply to Medium impact BCS if they are not at Control Centers. However, the requirement in CIP-003-X Section 6.3 applies to 'Low Impact BCS', which is even more stringent on Low Impact BCS in comparison to CIP-005-5 R1.5, where only High and Medium Impact BCS at Control Centers are in scope, leaving all the other Medium impact BCS out of scope.

Implementing this requirement and adding detection methods for known or suspected malicious communications for both inbound and outbound communications concerning Low impact BCS will likely have significant cost impact.

BC Hydro, Segment(s) 3, 5, 1, 12/18/2018

- 0 - 0

Rob Watson, On Behalf of: Choctaw Generation Limited Partnership, LLLP, , Segments 5

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 8/15/2022

- 0 - 0

Until an approved Standard is in place, PG&E cannot make a determination if the modifications are cost effective.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

We do not have insight into whether this is cost effective or not, so Black Hills Corporation will not be providing a comment.

Claudine Bates, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

We do not have insight into whether this is cost effective or not, so Black Hills Corporation will not be providing a comment.

Sheila Suurmeier, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

We do not have insight into whether this is cost effective or not, so Black Hills Corporation will not be providing a comment.

Micah Runner, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

We do not have insight into whether this is cost effective or not, so Black Hills Corporation will not be providing a comment.

Ron Wilgers, On Behalf of: Black Hills Corporation - WECC - Segments 3

- 0 - 0

Santee Cooper, Segment(s) 1, 3, 5, 6, 8/15/2022

- 0 - 0

Including a more restrictive prescriptive control for malicious communication detection for low impact BCS that does not exist for medium impact BCS not at a Control Center is not a cost-effective approach. Medium impact BCS not at a Control Center must still follow CIP-005 R2 for remote access through an intermediate system. This was mentioned as justification for including Section 6.3 for low impact but not requiring for Medium impact BCS not at a Control Center. If an entity implements CIP-005 R2 Intermediate Systems for low impact, they will still not be compliant with CIP-003, Attachment 1, Section 6.3 as currently worded.

In order to provide a more cost effective solution, Tacoma Power suggests that an entity can mitigate the risks associated with vendor electronic remote access through various means and still address disabling of vendor electric remote access, and malicious communication protection.

Suggested wording to avoid prescriptive language and provide a more cost effective solution:

Section 6: Vendor Electronic Remote Access Security Controls: For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement a process to mitigate risks associated with vendor electronic remote access, where such access has been established under Section 3.1. These processes shall address:

6.1 determining and disabling active vendor electronic remote access sessions, if applicable; and

6.2 malicious communications.

Tacoma Power, Segment(s) 1, 3, 4, 5, 6, 3/9/2021

- 2 - 0

NextEra Energy is not supplying a position nor comment on cost effectiveness of these changes.

Justin Welty, NextEra Energy - Florida Power and Light Co., 6, 8/16/2022

- 0 - 0

Constellation will not comment on cost.

Kimberly Turco on behalf of Constellation Segments 5 and 6

Kimberly Turco, Constellation, 6, 8/16/2022

- 0 - 0

Constellation will not comment on cost.

Kimberly Turco on behalf of Constellation Segments 5 and 6

Alison Mackellar, Constellation, 5, 8/16/2022

- 0 - 0

Section 6.3 is written in prescriptive way toward only one of many possible solutions for addressing malicious communications.  This does not allow entities to analyze and choose the most cost effective approach to addressing and mitigating malicious communication.

John Daho, On Behalf of: MEAG Power - SERC - Segments 1

- 0 - 0

Jennifer Buckman, On Behalf of: Southern Indiana Gas and Electric Co., RF, Segments 3, 5, 6

- 0 - 0

Texas RE does not have comments on this question.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 8/16/2022

- 0 - 0

JT Kuehne, AEP, 6, 8/17/2022

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Michelle Amarantos, APS - Arizona Public Service Co., 5, 8/17/2022

- 0 - 0

Including a more restrictive prescriptive control for malicious communication detection for low impact BCS that does not exist for medium impact BCS not at a Control Center is not a cost-effective approach. Medium impact BCS not at a Control Center must still follow CIP-005 R2 for remote access through an intermediate system. This was mentioned as justification for including Section 6.3 for low impact but not requiring for Medium impact BCS not at a Control Center. If an entity implements CIP-005 R2 Intermediate Systems for low impact, they will still not be compliant with CIP-003, Attachment 1, Section 6.3 as currently worded.

Israel Perez, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

It is cost effective, but these costs will be pushed directly to ratepayers which requires FERC support to answer the ratepayers.

FE Voter, Segment(s) 1, 3, 5, 6, 4, 12/20/2021

- 0 - 0

Alan Kloster, On Behalf of: Kevin Frick, Evergy, 1,3,5,6; Jeremy Harris, Evergy, 1,3,5,6; Marcus Moor, Evergy, 1,3,5,6; Jennifer Flandermeyer, Evergy, 1,3,5,6

- 0 - 0

Reclamation identifies that it is not cost effective to have separate standards for low impact and medium impact BES Cyber Systems, especially when the language of the requirements for each impact level is identical. Reclamation observes that Project 2016-02 will bring many changes to a majority of the CIP standards; therefore, Reclamation recommends Project 2016-02 as a good avenue to incorporate low impact requirements into the CIP standards and avoid the continuous churn of CIP-003 Attachment 1 when ultimately the requirements for low impact BES Cyber Systems will end up being identical to those for medium impact BCS.

Richard Jackson, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

Joseph Amato, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 8/18/2022

- 0 - 0

SMUD and BANC support Tacoma Power's comment.

SMUD / BANC, Segment(s) 3, 6, 1, 4, 5, 8/18/2022

- 0 - 0

Jesus Sammy Alcaraz, Imperial Irrigation District, 1, 8/18/2022

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 8/18/2022

- 0 - 0

Gail Golden, On Behalf of: Entergy - Entergy Services, Inc., , Segments 5

- 0 - 0

Mike Magruder, Avista - Avista Corporation, 1, 8/18/2022

- 0 - 0

NCPA, Segment(s) 4, 6, 6/4/2021

- 0 - 0

Unable to justify cost effectiveness at this time

Dwanique Spiller, Berkshire Hathaway - NV Energy, 5, 8/19/2022

- 0 - 0

We requested redline to last approved. SMEs need to see red lines to the currently effective standard, to adequately review the proposed changes. Without this red line, the review is very challenging and may reduce the chances for approval.

Carl Pineault, On Behalf of: Hydro-Québec Production, , Segments 1, 5

- 0 - 0

GO/GOPs will need more information to adequately assess the cost-effectiveness of the proposed approach.

Wayne Sipperly, On Behalf of: North American Generator Forum, MRO, WECC, Texas RE, NPCC, SERC, RF, Segments 5

- 0 - 0

We do not have enough information at this time to address cost-effectiveness of the revisions. 

Ellese Murphy, On Behalf of: Duke Energy - MRO, WECC, Texas RE, SERC, RF - Segments 1, 3, 5, 6

- 0 - 0

Minnesota Power is in agreement with EEI’s comments.

Jamie Monette, Allete - Minnesota Power, Inc., 1, 8/19/2022

- 0 - 0

Clay Walker, On Behalf of: John Lindsey, Cleco Corporation, 1,3,5,6; Robert Hirchak, Cleco Corporation, 1,3,5,6; Maurice Paulk, Cleco Corporation, 1,3,5,6

- 0 - 0

ACES Standard Collaborations, Segment(s) 1, 3, 4, 5, 8/19/2022

- 0 - 0

Cost effectiveness of Attachment 1, 6.1, 6.2, and 6.3 is unknown at this time since the capability will require a technical solution not currently in place.  Further, this requirement is not consistent with current CIP-005-6 and future CIP-005-7 enforceable requirements.

DTE Energy, Segment(s) 4, 3, 5, 10/5/2021

- 0 - 0

Dania Colon, Orlando Utilities Commission, 5, 8/19/2022

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 8/19/2022

- 0 - 0

Jose Avendano Mora, Edison International - Southern California Edison Company, 1, 8/19/2022

- 0 - 0

Romel Aquino, Edison International - Southern California Edison Company, 3, 8/19/2022

- 0 - 0

There is a high probability that new technology controls will be required to meet the new requirements. Entities would need to allocate funds and projects to implement new technologies. 

Teresa Krabe, Lower Colorado River Authority, 5, 8/19/2022

- 0 - 0

Megan Caulson, On Behalf of: Jennifer Wright, Sempra - San Diego Gas and Electric, 1,3,5

- 0 - 0

David Jendras, Ameren - Ameren Services, 3, 8/19/2022

- 0 - 0

There is a high probability that new technology controls will be required to meet the new requirements. Entities would need to allocate funds and projects to implement new technologies. 

James Baldwin, Lower Colorado River Authority, 1, 8/19/2022

- 0 - 0

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Exelon is aligning with EEI in response to this question. 

Daniel Gacek, Exelon, 1, 8/19/2022

- 0 - 0

Exelon is aligning with EEI in response to this question. 

Kinte Whitehead, Exelon, 3, 8/19/2022

- 0 - 0

Mark Ciufo, On Behalf of: Payam Farahbakhsh, Hydro One Networks, Inc., 1,3

- 0 - 0

ITC is in agreement with the EEI response.

Gail Elliott, On Behalf of: International Transmission Company Holdings Corporation - MRO, RF - Segments NA - Not Applicable

- 0 - 0

Devon Tremont, Taunton Municipal Lighting Plant, 1, 8/19/2022

- 0 - 0

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1,6

- 0 - 0

Once again, we requested redline to last approved. SMEs need to see red lines to the currently effective standard, to adequately review the proposed changes. Without this red line, the review is very challenging and may reduce the chances for approval.

Michael Russell, Massachusetts Municipal Wholesale Electric Company, 5, 8/19/2022

- 0 - 0

Once again, we requested a redline to the last approved. SMEs need to see red lines to the currently effective standard, to adequately review the proposed changes. Without this red line, the review is very challenging and may reduce the chances of approval.

Otherwise, TFIST abstains from commenting on cost effectiveness.

NPCC Regional Standards Committee, Segment(s) 10, 2, 4, 7, 3, 1, 5, 6, 7/6/2022

- 0 - 0

Seattle City Light abstains

Seattle City Light, Segment(s) 1, 3, 4, 5, 6, 10/5/2015

- 0 - 0

Florida Municipal Power Agency (FMPA), Segment(s) 5, 4, 3, 6, 6/17/2022

- 0 - 0

See comments as supplied by Deanna Carlson from Cowlitz PUD.

Russell Noble, Cowlitz County PUD, 3, 8/19/2022

- 0 - 0

Hot Answers

See comments submitted by the Edison Electric Institute

Kenya Streeter, On Behalf of: Edison International - Southern California Edison Company, , Segments 1, 3, 5, 6

- 0 - 0

Cowlitz PUD, Segment 5, 8/19/2022

Deanna Carlson, Cowlitz County PUD, 5, 8/19/2022

- 0 - 0

Other Answers

Kevin Conway, Public Utility District No. 1 of Pend Oreille County, 1, 7/14/2022

- 0 - 0

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Eric Sutlief, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

Sean Steffensen, IDACORP - Idaho Power Company, 1, 7/29/2022

- 0 - 0

Martin Sidor, NRG - NRG Energy, Inc., 6, 8/3/2022

- 0 - 0

Donna Wood, Tri-State G and T Association, Inc., 1, 8/4/2022

- 0 - 0

Jay Sethi, On Behalf of: Manitoba Hydro - MRO - Segments 1, 3, 5, 6

- 0 - 0

CenterPoint Energy Houston Electric, LLC (CEHE) supports the 36 calendar month implementation.

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Large entities with hundreds of low impact facilities will need more implementation time for addressing the changes applicable to low impact assets.  Suggested timeline is a 5 year plan, implementing 20% of the assets per year.

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

Xcel Energy supports the comments of EEI and the MRO NSRF. 

Joe Gatten, On Behalf of: Xcel Energy, Inc. - MRO, WECC - Segments 1, 3, 5, 6

- 0 - 0

PUD No. 1 of Chelan County, Segment(s) 3, 1, 6, 5, 8/11/2022

- 0 - 0

Erik Gustafson, On Behalf of: PNM Resources - Public Service Company of New Mexico - WECC, Texas RE - Segments 1, 3

- 0 - 0

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Southern agrees and supports the proposed 36-month implementation plan.

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

BC Hydro recommends a longer implementation plan, e.g. more than ~36 months, considering the cost and scope impact as identified in comments to Question 1 and 4 above. Once the clarity of terms and definitions is obtained as identified in comments to Question 1 and 4, BC Hydro will be in a better position to provide an alternate detailed implementation plan to meet the target completion deadline.

BC Hydro, Segment(s) 3, 5, 1, 12/18/2018

- 0 - 0

Rob Watson, On Behalf of: Choctaw Generation Limited Partnership, LLLP, , Segments 5

- 0 - 0

Increasing the implementation time from 18 to 36 months should allow adequate time for implementation.

Glen Farmer, Avista - Avista Corporation, 5, 8/15/2022

- 0 - 0

PG&E agrees with the 36-month implementation plan and that it would be sufficient time for PG&E to implement the proposed modifications.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

We do not have insight into whether this is cost effective or not, so Black Hills Corporation will not be providing a comment.

Claudine Bates, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

We do not have insight into whether this is cost effective or not, so Black Hills Corporation will not be providing a comment.

Sheila Suurmeier, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

We do not have insight into whether this is cost effective or not, so Black Hills Corporation will not be providing a comment.

Micah Runner, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

We do not have insight into whether this is cost effective or not, so Black Hills Corporation will not be providing a comment.

Ron Wilgers, On Behalf of: Black Hills Corporation - WECC - Segments 3

- 0 - 0

Santee Cooper, Segment(s) 1, 3, 5, 6, 8/15/2022

- 0 - 0

Tacoma Power, Segment(s) 1, 3, 4, 5, 6, 3/9/2021

- 1 - 0

NextEra Energy supports EEI’s comment: EEI supports the proposed 36-month implementation plan for Attachment 1, Section 6.

Justin Welty, NextEra Energy - Florida Power and Light Co., 6, 8/16/2022

- 0 - 0

Yes. The proposed 36 months would give enough time to put the process, procedures and technology in place to meet the proposed language in Section 6.

Kimberly Turco on behalf of Constellation Segments 5 and 6

Kimberly Turco, Constellation, 6, 8/16/2022

- 0 - 0

Yes. The proposed 36 months would give enough time to put the process, procedures and technology in place to meet the proposed language in Section 6.

Kimberly Turco on behalf of Constellation Segments 5 and 6

Alison Mackellar, Constellation, 5, 8/16/2022

- 0 - 0

John Daho, On Behalf of: MEAG Power - SERC - Segments 1

- 0 - 0

Jennifer Buckman, On Behalf of: Southern Indiana Gas and Electric Co., RF, Segments 3, 5, 6

- 0 - 0

Texas RE does not have comments on this question.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 8/16/2022

- 0 - 0

JT Kuehne, AEP, 6, 8/17/2022

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Michelle Amarantos, APS - Arizona Public Service Co., 5, 8/17/2022

- 0 - 0

Israel Perez, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

FE Voter, Segment(s) 1, 3, 5, 6, 4, 12/20/2021

- 0 - 0

Evergy supports and incorporates by reference the comments of the Edison Electric Institute (EEI) for question #6.

Alan Kloster, On Behalf of: Kevin Frick, Evergy, 1,3,5,6; Jeremy Harris, Evergy, 1,3,5,6; Marcus Moor, Evergy, 1,3,5,6; Jennifer Flandermeyer, Evergy, 1,3,5,6

- 0 - 0

Richard Jackson, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

Joseph Amato, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 8/18/2022

- 0 - 0

SMUD / BANC, Segment(s) 3, 6, 1, 4, 5, 8/18/2022

- 0 - 0

Jesus Sammy Alcaraz, Imperial Irrigation District, 1, 8/18/2022

- 0 - 0

While WECC does not believe the extended 36-month Implementation Plan is reason to vote NO, we believe that considering the risks that are facing the system, the DT should consider moving the Implementation back to 24 months as was included in earlier versions of the draft standard. However, if a 36-month Implementation Plan is what is necessary to gain approval of the Standard, WECC understands.

Steven Rueckert, Western Electricity Coordinating Council, 10, 8/18/2022

- 0 - 0

Risk: Supply chain risk to be taken into factor.

Gail Golden, On Behalf of: Entergy - Entergy Services, Inc., , Segments 5

- 0 - 0

Increasing the implementation time from 18 to 36 months should allow adequate time for implementation.

Mike Magruder, Avista - Avista Corporation, 1, 8/18/2022

- 0 - 0

NCPA, Segment(s) 4, 6, 6/4/2021

- 0 - 0

Dwanique Spiller, Berkshire Hathaway - NV Energy, 5, 8/19/2022

- 0 - 0

We agree with 36-months.

Request deletion of the following language because this language refers to a removed Section – “Where the standard drafting team identified the need for a longer implementation period for compliance with a particular section of a proposed Reliability Standard (i.e., an entire Requirement or a portion thereof), the additional time for compliance with that section is specified below. The phased-in compliance date for that particular section represents the date that Responsible Entities must begin to comply with that particular section of the Reliability Standard, even where the Reliability Standard goes into effect at an earlier date.”

Carl Pineault, On Behalf of: Hydro-Québec Production, , Segments 1, 5

- 0 - 0

The NAGF supports the SDT’s proposed implementation timeframe recommendation.

Wayne Sipperly, On Behalf of: North American Generator Forum, MRO, WECC, Texas RE, NPCC, SERC, RF, Segments 5

- 0 - 0

Duke Energy thanks the Standard Drafting Team for this important revision. We fully support the proposed implementation timeline.

Ellese Murphy, On Behalf of: Duke Energy - MRO, WECC, Texas RE, SERC, RF - Segments 1, 3, 5, 6

- 0 - 0

Minnesota Power is in agreement with EEI’s comments.

Jamie Monette, Allete - Minnesota Power, Inc., 1, 8/19/2022

- 0 - 0

Cleco agrees with EEI comments.

Clay Walker, On Behalf of: John Lindsey, Cleco Corporation, 1,3,5,6; Robert Hirchak, Cleco Corporation, 1,3,5,6; Maurice Paulk, Cleco Corporation, 1,3,5,6

- 0 - 0

ACES Standard Collaborations, Segment(s) 1, 3, 4, 5, 8/19/2022

- 0 - 0

It is difficult to estimate as the scope of 6.3 is not clear yet.

DTE Energy, Segment(s) 4, 3, 5, 10/5/2021

- 0 - 0

Dania Colon, Orlando Utilities Commission, 5, 8/19/2022

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 8/19/2022

- 0 - 0

Jose Avendano Mora, Edison International - Southern California Edison Company, 1, 8/19/2022

- 0 - 0

Romel Aquino, Edison International - Southern California Edison Company, 3, 8/19/2022

- 0 - 0

Teresa Krabe, Lower Colorado River Authority, 5, 8/19/2022

- 0 - 0

Megan Caulson, On Behalf of: Jennifer Wright, Sempra - San Diego Gas and Electric, 1,3,5

- 0 - 0

David Jendras, Ameren - Ameren Services, 3, 8/19/2022

- 0 - 0

James Baldwin, Lower Colorado River Authority, 1, 8/19/2022

- 0 - 0

EEI supports the proposed 36-month implementation plan for Attachment 1, Section 6.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Exelon is aligning with EEI in response to this question. 

Daniel Gacek, Exelon, 1, 8/19/2022

- 0 - 0

Exelon is aligning with EEI in response to this question. 

Kinte Whitehead, Exelon, 3, 8/19/2022

- 0 - 0

Mark Ciufo, On Behalf of: Payam Farahbakhsh, Hydro One Networks, Inc., 1,3

- 0 - 0

ITC is in agreement with the EEI response.

Gail Elliott, On Behalf of: International Transmission Company Holdings Corporation - MRO, RF - Segments NA - Not Applicable

- 0 - 0

Devon Tremont, Taunton Municipal Lighting Plant, 1, 8/19/2022

- 0 - 0

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1,6

- 0 - 0

Agree with 36 months.  Request deletion of the following language because this language refers to a removed Section - "Where the standard drafting team identified the need for a longer implementation period for compliance with a particular section of a proposed Reliability Standard (i.e., an entire Requirement or a portion thereof), the additional time for compliance with that section is specified below.  The phased-in compliance date for that particular section represents the date that Responsible Entities must begin to comply with that particular section of the Reliability Standard, even where the Reliability Standard goes into effect at an earlier date."

Michael Russell, Massachusetts Municipal Wholesale Electric Company, 5, 8/19/2022

- 0 - 0

We agree with 36 months.

Request deletion of the following language because this language refers to a removed Section – “Where the standard drafting team identified the need for a longer implementation period for compliance with a particular section of a proposed Reliability Standard (i.e., an entire Requirement or a portion thereof), the additional time for compliance with that section is specified below. The phased-in compliance date for that particular section represents the date that Responsible Entities must begin to comply with that particular section of the Reliability Standard, even where the Reliability Standard goes into effect at an earlier date.”

NPCC Regional Standards Committee, Segment(s) 10, 2, 4, 7, 3, 1, 5, 6, 7/6/2022

- 0 - 0

Seattle City Light abstains

Seattle City Light, Segment(s) 1, 3, 4, 5, 6, 10/5/2015

- 0 - 0

Florida Municipal Power Agency (FMPA), Segment(s) 5, 4, 3, 6, 6/17/2022

- 0 - 0

Russell Noble, Cowlitz County PUD, 3, 8/19/2022

- 0 - 0

Hot Answers

See comments submitted by the Edison Electric Institute

Kenya Streeter, On Behalf of: Edison International - Southern California Edison Company, , Segments 1, 3, 5, 6

- 0 - 0

There should be additional clarification on Attachment 1 Section 6.3. It appears that the Low Requirement has a larger scope than the corresponding Medium Requirement.  As written, Section 6.3 applies to all vendor communications.

Deanna Carlson, Cowlitz County PUD, 5, 8/19/2022

- 0 - 0

Other Answers

We appreciate the time and level of effort that the Drafting Team has put in to address the many concerns related to vendor access to Low Impact Cyber Systems.  Their efforts will eventually result in modifications to CIP-003 that will benefit the industry, protect the Bulk Electric System, and better serve the ratepayers.

Kevin Conway, Public Utility District No. 1 of Pend Oreille County, 1, 7/14/2022

- 0 - 0

NST believes redline versions of proposed Standards should be markups to "last approved," not markups to previous proposed versions. The practice of redlining previous drafts makes it difficult to compare proposed new or modified requirement language to current, in-effect requirements.

NST believes the SDT should, in addition to addressing the NERC Board resolution, revise CIP-003 Requirement R2 to state that documented cyber security plan(s) for a Responsible Entity's low impact BES Cyber Systems are required to address Attachment 1 Sections 3, 5, and 6 only if the following conditions exist:

For Section 3, only if one or more of the Responsible Entity's assets that contain low impact BCS has external connectivity of a type that matches the descriptions in Sections 3.1 and/or 3.2.

For Section 5, only if TCAs and RMs are used at one or more of the Responsible Entity's assets that contain low impact BCS and are occasionally connected to BCS.

For Section 6, only if (a) Section 3.1 is applicable and (b) vendor remote access is permitted.

A Responsible Entity with no vendor remote access should not be expected to document how it addresses Section 6 requirements.

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Eric Sutlief, On Behalf of: CMS Energy - Consumers Energy Company - RF - Segments 3, 4, 5

- 0 - 0

Sean Steffensen, IDACORP - Idaho Power Company, 1, 7/29/2022

- 0 - 0

Martin Sidor, NRG - NRG Energy, Inc., 6, 8/3/2022

- 0 - 0

Donna Wood, Tri-State G and T Association, Inc., 1, 8/4/2022

- 0 - 0

Attachment 1, Section 6, sub-section 3. The wording is good but can further be clarified by adding “for vendor electronic remote access” to the end:

One or more method(s) for detecting known or suspected inbound and outbound malicious communications for vendor electronic remote access.

Attachment 2, Section 6, sub-section 3 (examples of evidence). The wording is good but can further be clarified:

Network based Anti-malware technologies such as deep packet inspection;

Intrusion Detection System (IDS)/Intrusion Prevention System (IPS); or

Automated or manual log reviews; or

Automated User Behaviour Analytics (UBA); or

SIEM network traffic or vendor remote access log analysis and alerting; or

other operational, procedural, or technical controls.

Jay Sethi, On Behalf of: Manitoba Hydro - MRO - Segments 1, 3, 5, 6

- 0 - 0

CEHE recommends the following revisions be made to the CIP-003-X Technical Rationale document for clarity: 

1. Define the acronym “SAR” as “Standard Authorization Request” and 

2. On page 5, under “1. Electronic remote access:”, add a statement to clarify that “electronic remote access” includes interactive and system-to-system remote access. 

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Dominion, Segment(s) 3, 5, 1, 9/19/2019

- 0 - 0

Xcel Energy supports the comments of EEI and the MRO NSRF. 

Joe Gatten, On Behalf of: Xcel Energy, Inc. - MRO, WECC - Segments 1, 3, 5, 6

- 0 - 0

In the Consideration of Comments document for the Draft 2 ballot, the SDT states that “…the SDT believes “remote access” is any access that crosses this boundary (Attachment 1 Section 3.1). If a vendor is “onsite” but starts the connection process outside this boundary, this connection should be considered remote access.” CHPD believes that by including this statement in the Technical Rationale document it will provide stakeholders and the ERO Enterprise with a better understanding of the requirements in the CIP-003-X Reliability Standard.

PUD No. 1 of Chelan County, Segment(s) 3, 1, 6, 5, 8/11/2022

- 0 - 0

Erik Gustafson, On Behalf of: PNM Resources - Public Service Company of New Mexico - WECC, Texas RE - Segments 1, 3

- 0 - 0

Andrea Jessup, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Consider updating Section 6.3 to be more clear in identifying the language is specifically geared towards Vendor Electronic Remote Access only.

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

BC Hydro acknowledges the SDT's effort and hard work which went into putting together these complex changes to CIP-003-X. As identified in comments of questions 1 to 4 above, the definitions of terms and clarity of application with some specific industry use case examples will help provide a clearer understanding and likely result in faster and appropriate approval of these proposed changes.

BC Hydro, Segment(s) 3, 5, 1, 12/18/2018

- 0 - 0

Rob Watson, On Behalf of: Choctaw Generation Limited Partnership, LLLP, , Segments 5

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 8/15/2022

- 0 - 0

PG&E wishes to thank the SDT for listening to the industry’s input and for the effort in making these modifications to address the NERC Board's resolution.

PG&E All Segments, Segment(s) 1, 3, 5, 2/10/2020

- 0 - 0

n/a

Claudine Bates, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

N/A

Sheila Suurmeier, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

NA

Micah Runner, On Behalf of: Black Hills Corporation, , Segments 1, 3, 5, 6

- 0 - 0

N/A

Ron Wilgers, On Behalf of: Black Hills Corporation - WECC - Segments 3

- 0 - 0

Santee Cooper, Segment(s) 1, 3, 5, 6, 8/15/2022

- 0 - 0

Tacoma Power, Segment(s) 1, 3, 4, 5, 6, 3/9/2021

- 0 - 0

NextEra Energy thanks the SDT for its service of improving the security of the bulk electric system.   

Justin Welty, NextEra Energy - Florida Power and Light Co., 6, 8/16/2022

- 0 - 0

Constellation does not have any additional comments.

Kimberly Turco on behalf of Constellation Segments 5 and 6

Kimberly Turco, Constellation, 6, 8/16/2022

- 0 - 0

Constellation does not have additional comments. 

Kimberly Turco on behalf of Constellation Segments 5 and 6

Alison Mackellar, Constellation, 5, 8/16/2022

- 0 - 0

Even though Attachment 1, Section 6 addresses the risk of malicious communication, it does so in a prescriptive way in that the standard is directing utilities toward a particular solution (e.g. detecting with software/hardware or detection processes) rather than allowing the utility to choose the best approach/method to address and mitigate malicious communication.

John Daho, On Behalf of: MEAG Power - SERC - Segments 1

- 0 - 0

Jennifer Buckman, On Behalf of: Southern Indiana Gas and Electric Co., RF, Segments 3, 5, 6

- 0 - 0

In Attachment 1, Section 6, Texas RE recommends specifying “pursuant to CIP-002” rather than referencing another NERC Reliability Standard, as requirements should be complete and self-contained as noted in the Ten Benchmarks of an Excellent Reliability Standard.  Texas RE recommends the following language: “For each asset that contains a low impact BES Cyber System, and for which the Responsible Entity allows vendor remote access, the Responsible Entity shall implement a process to mitigate risks associated with vendor electronic remote access.”

Additionally, Texas RE recommends the SDT include language for (1) software integrity and authenticity, (2) information system planning, and (3) vendor risk and procurement controls, which address various aspects of supply chain risk management consistent with Reliability Standards CIP-013 and CIP-010.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 8/16/2022

- 0 - 0

No additional comments at this time. AEP thanks the SDT for their efforts on this draft.

JT Kuehne, AEP, 6, 8/17/2022

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Michelle Amarantos, APS - Arizona Public Service Co., 5, 8/17/2022

- 0 - 0

Israel Perez, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

N/A

FE Voter, Segment(s) 1, 3, 5, 6, 4, 12/20/2021

- 0 - 0

Alan Kloster, On Behalf of: Kevin Frick, Evergy, 1,3,5,6; Jeremy Harris, Evergy, 1,3,5,6; Marcus Moor, Evergy, 1,3,5,6; Jennifer Flandermeyer, Evergy, 1,3,5,6

- 0 - 0

Reclamation appreciates the SDT’s efforts to incorporate the NIST Framework into the NERC Standards. Reclamation encourages the SDT to continue this practice to ensure that NERC standards do not duplicate requirements contained within the NIST Framework.

Richard Jackson, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

BHE requests the words “and timeframes [keep the “to”] authorize,” be removed from the Technical Rationale, page 5: “The language allows entities to define how and where vendor electronic remote access occurs and the ideal methods and timeframes to authorize, establish, and disable vendor electronic remote access.” BHE is concerned this reference to timeframes and authorization could lead Regional Entities to question both, when neither appear in the 6.1 obligation to determine access.

BHE also recommends for Attachment 2, Section 6.3, to lowercase “Intrusion Detection System/Intrusion Prevention System” since it’s not a glossary term and not a formal name.

Thanks to the SDT for the fine work on this standard.

Joseph Amato, Berkshire Hathaway Energy - MidAmerican Energy Co., 3, 8/18/2022

- 0 - 0

SMUD / BANC, Segment(s) 3, 6, 1, 4, 5, 8/18/2022

- 0 - 0

In consideration of the FERC NOPR, additional architecture diagrams should be illustrated for a possible IDS/IPS implementation, similar to the guidance architecture diagrams provided for EAC under Section 3.

Jesus Sammy Alcaraz, Imperial Irrigation District, 1, 8/18/2022

- 0 - 0

None. Thank you for the opportunity to comment.

Steven Rueckert, Western Electricity Coordinating Council, 10, 8/18/2022

- 0 - 0

Is the intent of this section to not include dial-up? If so, it would be better to clarify in the language.

Gail Golden, On Behalf of: Entergy - Entergy Services, Inc., , Segments 5

- 0 - 0

Mike Magruder, Avista - Avista Corporation, 1, 8/18/2022

- 0 - 0

NCPA, Segment(s) 4, 6, 6/4/2021

- 0 - 0

Dwanique Spiller, Berkshire Hathaway - NV Energy, 5, 8/19/2022

- 0 - 0

We requested a redline to last approved. SMEs need to see redlines to the currently effective standard to adequately review the proposed changes. Without this redline, the review is very challenging and may reduce the chances for approval.

Request consistency in the Attachment 1 Section 6 terms. The current language requires a plan, a process, processes, and methods but evaluates compliance based on security controls. 1) CIP-003 R2 states “shall implement one or more documented cyber security plan(s)”; 2) Attachment 1 Section 6 first says “shall implement a process” and then says “These processes shall include”; 3) Section 6.1 – 6.3 each require “One or more methods”; and 4) The VSL for R2 states: “but failed to implement vendor electronic remote access security controls according to Requirement R2, Attachment 1, Section 6.”

Recommend consistency between Attachment 1, Section 6 and other Attachment 1 Sections by changing “process” to “plan.” Suggest changing from “For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement a process to mitigate risks associated with electronic vendor electronic remote access, where such access has been established under Section 3.1. These processes shall include:” to “For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement one or more plans to mitigate risks associated with electronic vendor electronic remote access, where such access has been established under Section 3.1. These plans shall include:”

Request clarification on how a new Low Impact Requirement can be a higher bar than the corresponding High / Medium Impact Requirements. The equivalent requirement to Section 6.3, for high and medium impact, is CIP-005-7 R1.5, which is only applicable to high impact BCS and medium impact BCS at a Control Center. The existing 6.3 would require a low impact control that is not required for medium impact BCS that are not at a Control Center.

Request clarification on Attachment 1 Section 6.3. Why does a Low Requirement have a larger scope than the corresponding Medium Requirement (CIP-005 R1.6)? The proposed Requirement for CIP-005 R1.6 says “detecting known or suspected malicious Internet Protocol (IP) communications entering or leaving an ESP.” 6.3 says “One or more method(s) for detecting known or suspected inbound and outbound malicious communications.” 6.3 applies to all vendor communications, not just IP. Next, CIP-005 R1.6’s Applicable Systems says “Medium impact BCS at Control Centers”; 6.3 applies to all vendor communications, not just Control Centers.

Request clarification on why Attachment 1, 6.3 does not use the phrase “vendor electronic remote access” while Section 6, 6.1 and 6.2 use this phrase. While it is in the parent language, we request consistency among 6.1, 6.2 and 6.3.

Carl Pineault, On Behalf of: Hydro-Québec Production, , Segments 1, 5

- 0 - 0

The NAGF requests the SDT to consider adding language in Attachment 2 Section 6.3 to clarify that documentation of vendor contractual agreements to maintain malicious communication security controls would be an appropriate approach to meet compliance with Attachment 1 Section 6.3.

Wayne Sipperly, On Behalf of: North American Generator Forum, MRO, WECC, Texas RE, NPCC, SERC, RF, Segments 5

- 0 - 0

Like NAGF, Duke Energy asks the Standard Drafting Team to consider adding language in Attachment 2 Section 6 Part 3 to explicitly clarify that documentation of vendor contractual agreements to maintain malicious communication security controls could be an approach to comply with Attachment 1 Section 6.3. Without this addition, compliance with the revisions could be challenging for OEM connections, given that many vendors consider their communications with covered equipment to be proprietary information or intellectual property that they are not willing to have inspected.

We also recommend that the Drafting Team reconsider the one example in Attachment 2 Section 6 Part 3 where it says “anti-malware technologies e.g. full packet inspection.” We would either like to see the one example taken away, or more added, since one example could imply one best option. 

Ellese Murphy, On Behalf of: Duke Energy - MRO, WECC, Texas RE, SERC, RF - Segments 1, 3, 5, 6

- 0 - 0

Jamie Monette, Allete - Minnesota Power, Inc., 1, 8/19/2022

- 0 - 0

Clay Walker, On Behalf of: John Lindsey, Cleco Corporation, 1,3,5,6; Robert Hirchak, Cleco Corporation, 1,3,5,6; Maurice Paulk, Cleco Corporation, 1,3,5,6

- 0 - 0

We would like to thank the SDT for their efforts and for allowing the industry to participate in the drafting process.

ACES Standard Collaborations, Segment(s) 1, 3, 4, 5, 8/19/2022

- 0 - 0

DTE Energy, Segment(s) 4, 3, 5, 10/5/2021

- 0 - 0

Dania Colon, Orlando Utilities Commission, 5, 8/19/2022

- 0 - 0

Section 6 states “the Responsible Entity shall implement a process” while CIP-003-X R2, on which Section 6 is dependent, requires the implementation of a plan.  The second paragraph in Attachment 1 states “Responsible Entities with multiple-impact BES Cyber Systems ratings can utilize policies, procedures, and processes for their high or medium impact BES Cyber Systems to fulfill the sections for the development of low impact cyber security plan(s).”  Additionally, Attachment 2, Section 6 states “For Section 6.3, documentation showing implementation of processes or technologies”. The VSL related to Section 6 only references a “plan”.  Suggest removing the requirement to use a “process” from Attachment 1 Section 6. Additionally, suggest that the language of Attachment 1 Section 6, Attachment 2 Section 6 and the VSLs be consistent.

The Technical Rationale document, page 6, par. 3 states “The objective of Attachment 1 Section 6.1 is for entities to determine vendor electronic remote access to their low impact BES Asset(s) and/or BES Cyber Systems.” Request that the “their low impact BES Asset(s) and/or” be struck.  The inclusion of these words brings non-BCS into scope.

Brian Evans-Mongeon, Utility Services, Inc., 4, 8/19/2022

- 0 - 0

See comments submitted by the Edison Electric Institute

Jose Avendano Mora, Edison International - Southern California Edison Company, 1, 8/19/2022

- 0 - 0

See comments submitted by the Edison Electric Institute

Romel Aquino, Edison International - Southern California Edison Company, 3, 8/19/2022

- 0 - 0

Teresa Krabe, Lower Colorado River Authority, 5, 8/19/2022

- 0 - 0

Megan Caulson, On Behalf of: Jennifer Wright, Sempra - San Diego Gas and Electric, 1,3,5

- 0 - 0

Ameren would like more clarification on what is considered malicious activity.  In Attachment 1 Section 6, Ameren believes that 6.2 and 6.3 should be switched because the determination to disable the vendor's access would be made after suspicious communication has been detected. 

David Jendras, Ameren - Ameren Services, 3, 8/19/2022

- 0 - 0

James Baldwin, Lower Colorado River Authority, 1, 8/19/2022

- 0 - 0

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Exelon is aligning with EEI in response to this question. 

Daniel Gacek, Exelon, 1, 8/19/2022

- 0 - 0

Kinte Whitehead, Exelon, 3, 8/19/2022

- 0 - 0

Suggest restricting the scope of Section 6.3 to assets containing a Low Impact BCS at a Control Center, or removing the Section 6.3 sub-requirement entirely. The rationale is that low impact BCS should not have a higher requirement than medium impact. Alternatively, include the detection of known/suspected inbound and outbound malicious communication requirement for Medium Impact BCS that are not at a Control Center, since the justification of using an Intermediate System and multifactor authentication (CIP-005 IRA requirements) as a risk mitigation does not cover system-to-system communications from/to vendors.

Mark Ciufo, On Behalf of: Payam Farahbakhsh, Hydro One Networks, Inc., 1,3

- 0 - 0

Gail Elliott, On Behalf of: International Transmission Company Holdings Corporation - MRO, RF - Segments NA - Not Applicable

- 0 - 0

Devon Tremont, Taunton Municipal Lighting Plant, 1, 8/19/2022

- 0 - 0

Barry Jones, On Behalf of: sean erickson, Western Area Power Administration, 1,6

- 0 - 0

Once again, we requested a redline to last approved. SMEs need to see redlines to the currently effective standard to adequately review the proposed changes. Without this redline, the review is very challenging and may reduce the chances for approval.

Request consistency in the Attachment 1 Section 6 terms. The current language requires a plan, a process, processes, and methods but evaluates compliance based on security controls. 1) CIP-003 R2 states “shall implement one or more documented cyber security plan(s)”; 2) Attachment 1 Section 6 first says “shall implement a process” and then says “These processes shall include”; 3) Section 6.1 – 6.3 each require “One or more methods”; and 4) The VSL for R2 states: “but failed to implement vendor electronic remote access security controls according to Requirement R2, Attachment 1, Section 6.”

Recommend consistency between Attachment 1, Section 6 and other Attachment 1 Sections by changing “process” to “plan.” Suggest changing from “For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement a process to mitigate risks associated with electronic vendor electronic remote access, where such access has been established under Section 3.1. These processes shall include:” to “For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement one or more plans to mitigate risks associated with electronic vendor electronic remote access, where such access has been established under Section 3.1. These plans shall include:”

Request clarification on how a new Low Impact Requirement can be a higher bar than the corresponding High / Medium Impact Requirements. The equivalent requirement to Section 6.3, for high and medium impact, is CIP-005-7 R1.5, which is only applicable to high impact BCS and medium impact BCS at a Control Center. The existing 6.3 would require a low impact control that is not required for medium impact BCS that are not at a Control Center.

Request clarification on Attachment 1 Section 6.3. Why does a Low Requirement have a larger scope than the corresponding Medium Requirement (CIP-005 R1.6)? The proposed Requirement for CIP-005 R1.6 says “detecting known or suspected malicious Internet Protocol (IP) communications entering or leaving an ESP.” 6.3 says “One or more method(s) for detecting known or suspected inbound and outbound malicious communications.” 6.3 applies to all vendor communications, not just IP. Next, CIP-005 R1.6’s Applicable Systems says “Medium impact BCS at Control Centers”; 6.3 applies to all vendor communications, not just Control Centers.

Request clarification on why Attachment 1, 6.3 does not use the phrase “vendor electronic remote access” while Section 6, 6.1 and 6.2 use this phrase. While it is in the parent language, we request consistency among 6.1, 6.2 and 6.3.

Michael Russell, Massachusetts Municipal Wholesale Electric Company, 5, 8/19/2022

- 0 - 0

Once again, we requested a redline to last approved. SMEs need to see redlines to the currently effective standard to adequately review the proposed changes. Without this redline, the review is very challenging and may reduce the chances for approval.

Request consistency in the Attachment 1 Section 6 terms. The current language requires a plan, a process, processes, and methods but evaluates compliance based on security controls. 1) CIP-003 R2 states “shall implement one or more documented cyber security plan(s)”; 2) Attachment 1 Section 6 first says “shall implement a process” and then says “These processes shall include”; 3) Section 6.1 – 6.3 each require “One or more methods”; and 4) The VSL for R2 states: “but failed to implement vendor electronic remote access security controls according to Requirement R2, Attachment 1, Section 6.”

Recommend consistency between Attachment 1, Section 6, and other Attachment 1 Sections by changing “process” to “plan.” Suggest changing from “For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement a process to mitigate risks associated with electronic vendor electronic remote access, where such access has been established under Section 3.1. These processes shall include:” to “For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement one or more plans to mitigate risks associated with electronic vendor electronic remote access, where such access has been established under Section 3.1. These plans shall include:”

Request clarification on how a new Low Impact Requirement can be a higher bar than the corresponding High / Medium Impact Requirements. The equivalent requirement to Section 6.3, for high and medium impact, is CIP-005-7 R1.5, which is only applicable to high impact BCS and medium impact BCS at a Control Center. The existing 6.3 would require a low impact control that is not required for medium impact BCS that are not at a Control Center.

Request clarification on Attachment 1 Section 6.3. Why does a Low Requirement have a larger scope than the corresponding Medium Requirement (CIP-005 R1.6)? The proposed Requirement for CIP-005 R1.6 says “detecting known or suspected malicious Internet Protocol (IP) communications entering or leaving an ESP.” 6.3 says “One or more method(s) for detecting known or suspected inbound and outbound malicious communications.” 6.3 applies to all vendor communications, not just IP. Next, CIP-005 R1.6’s Applicable Systems says “Medium impact BCS at Control Centers”; 6.3 applies to all vendor communications, not just Control Centers.

Request clarification on why Attachment 1, 6.3 does not use the phrase “vendor electronic remote access” while Section 6, 6.1 and 6.2 use this phrase. While it is in the parent language, we request consistency among 6.1, 6.2, and 6.3.

NPCC Regional Standards Committee, Segment(s) 10, 2, 4, 7, 3, 1, 5, 6, 7/6/2022

- 0 - 0

Seattle City Light abstains.

Seattle City Light, Segment(s) 1, 3, 4, 5, 6, 10/5/2015

- 0 - 0

Florida Municipal Power Agency (FMPA), Segment(s) 5, 4, 3, 6, 6/17/2022

- 0 - 0

See comments as supplied by Deanna Carlson from Cowlitz PUD.

Russell Noble, Cowlitz County PUD, 3, 8/19/2022

- 0 - 0