2016-02 Modifications to CIP Standards | Virtualization - Draft 4

Description:

Start Date: 08/17/2022
End Date: 10/07/2022

Associated Ballots:

All ballots below belong to Project "2016-02 Modifications to CIP Standards | Virtualization" and share the same dates: Pool Open 01/22/2021, Pool Close 02/19/2021, Voting Start 09/28/2022, Voting End 10/07/2022.

Ballot Name / Standard
2016-02 Modifications to CIP Standards | Virtualization CIP-002-7 AB 4 ST / CIP-002-7
2016-02 Modifications to CIP Standards | Virtualization CIP-003-9 AB 4 ST / CIP-003-9
2016-02 Modifications to CIP Standards | Virtualization CIP-004-7 AB 4 ST / CIP-004-7
2016-02 Modifications to CIP Standards | Virtualization CIP-005-8 AB 4 ST / CIP-005-8
2016-02 Modifications to CIP Standards | Virtualization CIP-006-7 AB 4 ST / CIP-006-7
2016-02 Modifications to CIP Standards | Virtualization CIP-007-7 AB 4 ST / CIP-007-7
2016-02 Modifications to CIP Standards | Virtualization CIP-008-7 AB 4 ST / CIP-008-7
2016-02 Modifications to CIP Standards | Virtualization CIP-009-7 AB 4 ST / CIP-009-7
2016-02 Modifications to CIP Standards | Virtualization CIP-010-5 AB 4 ST / CIP-010-5
2016-02 Modifications to CIP Standards | Virtualization CIP-011-3 AB 4 ST / CIP-011-3
2016-02 Modifications to CIP Standards | Virtualization CIP-013-3 AB 4 ST / CIP-013-3

Hot Answers

NST sees no reason to change the existing definition's use of "remote access client or other remote access technology." The second part of the proposed definition would, as written, apply to any remote connection using a communications path that included routable-to-serial conversion, regardless of where that conversion took place (e.g., remote location vs. "local," or "inside the BES asset," location). NST is aware of concerns that using phrases such as "outside the asset" in this context might cause confusion about its relationship to electronic access control requirements for BES assets containing low impact BCS, but we nonetheless recommend using it to avoid overly broad application of "IRA" to communications using both routable and serial wide-area connections.

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Southern agrees with the proposed changes for the IRA definition.

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

Other Answers

The term “Cyber System” is too broad in scoping IRA. Suggest revising to clarify that the target of IRA is BES Cyber System rather than “Cyber System,” to avoid including EACMS, SCI, PCA, etc.

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Donald Lock, Talen Generation, LLC, 5, 9/28/2022

- 0 - 0

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 9/28/2022

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 9/28/2022

- 0 - 0

Mike Magruder, Avista - Avista Corporation, 1, 9/29/2022

- 0 - 0

Donna Wood, Tri-State G and T Association, Inc., 1, 9/29/2022

- 0 - 0

Hot Answers

Definition of VCA: NST believes the proposed definition of VCA should more closely resemble the existing definition of "Cyber Asset" or, better still, be eliminated altogether. The existing definition of "Cyber Asset" could be easily "unbound" from "hardware" with this or a similar modification:

Change from, "Programmable electronic devices, including the hardware, software, and data in those devices" to, "Hardware-based or virtual programmable electronic devices, including the software and data in those devices."

Definition of TCA: NST considers the statement in the proposed definition of TCA, "Virtual machines hosted on a physical TCA are treated as software on that physical TCA," to be oddly inconsistent with the proposed definition of VCA. Furthermore, we disagree with the SDT's opinion that if a physical TCA hosts one or more virtual TCAs, there should be no need to track and manage each individual physical and virtual device.

Definition of ESP: NST believes the proposed new part of the current ESP definition, “or a logical boundary defined by one or more EAPs,” is redundant and unnecessary. We therefore recommend maintaining the currently approved ESP definition.

Definition of ERC: NST believes the use of the word "through (an ESP)" has the potential to cause confusion over what kind of routable communications qualify as ERC. ERC to or from a Cyber Asset should be clearly defined as "through" an ESP boundary or access point, not "through" an ESP (the online Merriam-Webster dictionary defines "through" as "a function word to indicate movement into at one side or point and out at another and especially the opposite side of // 'drove a nail through the board'"). NST believes the existing definition of ERC can and should be retained as-is.

Definition of EAP: NST believes the proposed definition of EAP is problematic in two respects. First, we believe it could be interpreted to mean an EAP should control all routable communication between a BCS and any other Cyber Asset, regardless of whether that "other" device is within or outside of the same ESP protecting the BCS. Second, we believe the SDT should better define "policy enforcement point," lest Responsible Entities, Regional Entities, and NERC develop their own conflicting definitions.

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Southern agrees with the proposed changes of the CIP standards definitions. Suggestions for updates have been listed below.

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

Other Answers

In the proposed definition of “Cyber Asset”, the definition of “application container” versus VCA is unclear. The term “container” used in this definition needs further clarification.

In the proposed definition of “Management Interface”, the definition of “administrative interface” is unclear. The term “administrative interface” used in this definition needs further clarification.

In the proposed definition of TCA, removal of the qualifier “directly” may inappropriately expand the scope of the requirement to include devices connecting via IRA or an Intermediate System.

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Greater clarity is needed regarding Cyber Assets, CIP Systems and Cyber Systems. The differences between these terms should be made more explicit, overlaps should be eliminated, and redundant terms should be eliminated also.

Donald Lock, Talen Generation, LLC, 5, 9/28/2022

- 0 - 0

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 9/28/2022

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 9/28/2022

- 0 - 0

Mike Magruder, Avista - Avista Corporation, 1, 9/29/2022

- 0 - 0

Donna Wood, Tri-State G and T Association, Inc., 1, 9/29/2022

- 0 - 0

Hot Answers

NST believes modifications to CIP-005 should be limited to conforming changes only.

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Southern does not agree with the proposed change in Part 1.3. The way EACMS is written, it suggests that it includes all forms of EACMS and is too broad. The original approved standard lists Electronic Access Points for High and Medium BCS which more aligns with equipment within an ESP.

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

Other Answers

There is insufficient clarity provided within the proposed terms to ensure consistent understanding and implementation of “Management Interface”. See response to #2 above.

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Donald Lock, Talen Generation, LLC, 5, 9/28/2022

- 0 - 0

Disagree with adding R1.6 to CIP-005, as CIP-005 is written for protection of logical devices and data. This should be restored back to CIP-006 R1 Part 1.10.

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 9/28/2022

- 0 - 0

New requirement to deny access to the Management Interface from BCS and associated PCAs (R1.3). – This would require significant effort for us if approved. As written, the proposed changes appear to require significant modification to our current network architecture without clearly indicating even how this can be accomplished in a compliant fashion or how that improves upon the existing security posture.

Glen Farmer, Avista - Avista Corporation, 5, 9/28/2022

- 0 - 0

New requirement to deny access to the Management Interface from BCS and associated PCAs (R1.3). – This would require significant effort for us if approved. As written, the proposed changes appear to require significant modification to our current network architecture without clearly indicating even how this can be accomplished in a compliant fashion or how that improves upon the existing security posture.

Mike Magruder, Avista - Avista Corporation, 1, 9/29/2022

- 0 - 0

Tri-State mostly agrees with the definition but thinks the second bullet, "Communication that originates from an Intermediate System," under what "IRA is not" is confusing. Isn't that system-to-system communication?

Donna Wood, Tri-State G and T Association, Inc., 1, 9/29/2022

- 0 - 0

Hot Answers

NST believes modifications to CIP-007 should be limited to conforming changes only.

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Southern disagrees with the proposed changes to CIP-007 R1.3 Applicable Systems. Adding EACMS and PACS in both High and Medium Impact BCS increases the requirements for associated virtual assets. Suggest changing the language to High/Medium Impact BCS and their associated PCA.

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

Other Answers

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Donald Lock, Talen Generation, LLC, 5, 9/28/2022

- 0 - 0

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 9/28/2022

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 9/28/2022

- 0 - 0

Mike Magruder, Avista - Avista Corporation, 1, 9/29/2022

- 0 - 0

Donna Wood, Tri-State G and T Association, Inc., 1, 9/29/2022

- 0 - 0

Hot Answers

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Southern agrees and appreciates the included language of “SCI supporting an Applicable System in this Part” across the many standards.

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

Other Answers

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Donald Lock, Talen Generation, LLC, 5, 9/28/2022

- 0 - 0

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 9/28/2022

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 9/28/2022

- 0 - 0

Mike Magruder, Avista - Avista Corporation, 1, 9/29/2022

- 0 - 0

Donna Wood, Tri-State G and T Association, Inc., 1, 9/29/2022

- 0 - 0

Hot Answers

NST believes modifications to CIP-010 should be limited to conforming changes only.

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Part 1.1 Requirements includes “cyber security controls required by CIP-005 and CIP-007” and is currently read to be a broad interpretation. Suggest replace “could weaken” with “would impact.”

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

Other Answers

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Donald Lock, Talen Generation, LLC, 5, 9/28/2022

- 0 - 0

The language “…changes to settings that could weaken configured cyber security controls required by CIP-005 and CIP-007” is subjective. There could be any number of “settings” that “could weaken” the security controls. Can guidance be given, such as some examples of these settings that could be used to weaken the security controls? Also, is “software patches” synonymous with “security patches,” or are these two different entities of their own?

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 9/28/2022

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 9/28/2022

- 0 - 0

Mike Magruder, Avista - Avista Corporation, 1, 9/29/2022

- 0 - 0

Donna Wood, Tri-State G and T Association, Inc., 1, 9/29/2022

- 0 - 0

Hot Answers

NST disagrees with proposed changes to CIP-003 and CIP-011, due to the fact that the proposed changes go beyond conforming changes.

NST disagrees with proposed changes to CIP-009, as omitting SCI from all Requirements and Parts except for R1 Part 1.5 would establish “implied requirements,” as discussed in our comments on Question 9, below. NST acknowledges that in some recovery situations, it might only be necessary to recover a virtual BES Cyber System and not its supporting SCI. However, given that failure or destruction of an SCI could, in some scenarios, wipe out an entire Control Center, NST believes that inclusion of SCI in a Responsible Entity’s recovery plan(s) should be mandatory rather than a suggested best practice.

NST agrees with proposed conforming changes to CIP-004, CIP-006, CIP-008 and CIP-013.

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Southern agrees with the conforming changes or scoping clarifications related to SCI made to the various CIP standards.

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

Other Answers

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Donald Lock, Talen Generation, LLC, 5, 9/28/2022

- 0 - 0

As mentioned earlier, disagree with adding R1.6 to CIP-005, as CIP-005 is written for protection of logical devices and data. This should be restored back to CIP-006 R1 Part 1.10.

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 9/28/2022

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 9/28/2022

- 0 - 0

Mike Magruder, Avista - Avista Corporation, 1, 9/29/2022

- 0 - 0

Donna Wood, Tri-State G and T Association, Inc., 1, 9/29/2022

- 0 - 0

Hot Answers

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Southern understands and agrees with the revised implementation plan which includes 3 defined early adoption dates as an option. Southern also understands that if one of the options were chosen, we would have 15 calendar days to notify our Regional Entity of the selected option.

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

Other Answers

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Donald Lock, Talen Generation, LLC, 5, 9/28/2022

- 0 - 0

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 9/28/2022

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 9/28/2022

- 0 - 0

Mike Magruder, Avista - Avista Corporation, 1, 9/29/2022

- 0 - 0

Donna Wood, Tri-State G and T Association, Inc., 1, 9/29/2022

- 0 - 0

Hot Answers

NST disagrees with the SDT decision to not compel Responsible Entities to identify and maintain a list of SCI that support BES Cyber Systems in CIP-002. In order to demonstrate compliance with various CIP-003 – CIP-013 requirements for SCI, a Responsible Entity would surely have to demonstrate that all its SCI were accounted for. NST is aware of the fact there is no existing CIP requirement to maintain an inventory of “associated” devices including PCAs, EACMS, and PACS, but doing so was some years ago memorably characterized by a well-known representative of a Regional Entity as an "implied requirement." NST believes an SDT goal should be to avoid adding to the list of "implied requirements."

NST believes the proposed “Exemption” statement in every CIP Standard, 4.2.3.3, “Cyber Systems, associated with communication links, between the Cyber Systems providing confidentiality and integrity of an Electronic Security Perimeter (ESP) that extends to one or more geographic locations,” is both confusing and inaccurate. One provides for the confidentiality and integrity of data, not ESPs. NST suggests rewording that is consistent with the language of proposed CIP-005 Requirement R1 Part 1.4, such as “Cyber Systems associated with communication links used to span a single ESP among two or more geographic locations.”

NST notes the second of two proposed "Measures" for CIP-007 R1 Part 1.3 suggests evidence of compliance with the "non-sharing" of SCI CPU and memory requirement could include "Hardware partitioning of physical Cyber Assets." If our understanding of "hardware partitioning" is correct (that it means, for example, all the Medium Impact BCS that co-reside with High Impact BCS on a single hardware platform are moved to different hardware), then according to the proposed definition of SCI, the end result of "hardware partitioning" would be one or more hardware platforms that are no longer SCI, which would render all proposed requirements for SCI, including CIP-007 R1 Part 1.3, inoperable.

Roger Fradenburgh, On Behalf of: Nicholas Lauriat, Network and Security Technologies, 1

- 0 - 0

Southern suggests that the definition for “Cyber System” be modified to eliminate the “A group of” language and simply begin with “One or more Cyber Assets, Virtual Cyber Assets, or Shared Cyber Infrastructure.”

Southern Company, Segment(s) 1, 3, 6, 5, 1/14/2021

- 0 - 0

Other Answers

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

Donald Lock, Talen Generation, LLC, 5, 9/28/2022

- 0 - 0

Steve Toosevich, NiSource - Northern Indiana Public Service Co., 1, 9/28/2022

- 0 - 0

Glen Farmer, Avista - Avista Corporation, 5, 9/28/2022

- 0 - 0

Mike Magruder, Avista - Avista Corporation, 1, 9/29/2022

- 0 - 0

N/A

Donna Wood, Tri-State G and T Association, Inc., 1, 9/29/2022

- 0 - 0