
2016-02 Modifications to CIP Standards | CIP-003-7 and Implementation Plan


Start Date: 10/21/2016
End Date: 12/05/2016

Associated Ballots:

Ballot Name | Project | Standard | Pool Open | Pool Close | Voting Start | Voting End
2016-02 Modifications to CIP Standards CIP-003-7 Implementation Plan AB 2 OT | 2016-02 Modifications to CIP Standards | CIP-003-7 Implementation Plan | 07/21/2016 | 08/19/2016 | 11/23/2016 | 12/05/2016
2016-02 Modifications to CIP Standards CIP-003-7 AB 2 ST | 2016-02 Modifications to CIP Standards | CIP-003-7 | 07/21/2016 | 08/19/2016 | 11/23/2016 | 12/05/2016
2016-02 Modifications to CIP Standards CIP-003-7 Non-binding Poll AB 2 NB | 2016-02 Modifications to CIP Standards | CIP-003-7 Non-binding Poll | 07/21/2016 | 08/19/2016 | 11/23/2016 | 12/05/2016


Hot Answers

Michael Mertz, 12/5/2016

- 0 - 0

As the SDT doesn’t appear to have made any changes to R2, we are confused as to how LERC concepts were incorporated via only the removal of the defined terms.

The retirement of the terms Low Impact External Routable Connectivity (LERC) and Low Impact BES Cyber System Electronic Access Point (LEAP) provides less clarity in the information addressing electronic access controls in section R1 - 1.2.3.

Also, R1.2 mentions assets identified in CIP-002 and low impact BES Cyber Systems. However, it is unclear whether the parts listed below (Parts 1.2.1 - 1.2.4) are creating requirements associated with CIP-002 or CIP-003-7.

Changing “specified” to “identified” in the following: “and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.” will make the electronic access device more clearly defined by the entity.

SPP Standards Review Group, Segment(s) , 12/5/2016

- 0 - 0

Other Answers

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 11/10/2016

- 0 - 0

David Ramkalawan, 11/17/2016

- 0 - 0

LADWP technical standards and policies for equipment and infrastructure inherently provide the security attributes required by the proposed changes to CIP-003-7.

faranak sarbaz, Los Angeles Department of Water and Power, 1, 11/18/2016

- 0 - 0

Mark Riley, Associated Electric Cooperative, Inc., 1, 11/22/2016

- 0 - 0

Jeff Johnson, On Behalf of: Sempra - San Diego Gas and Electric - WECC - Segments 4

- 0 - 0

Sean Bodkin, Dominion - Dominion Resources, Inc., 6, 11/30/2016

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 11/30/2016

- 0 - 0

Blair Mukanik, Manitoba Hydro , 6, 12/1/2016

- 0 - 0

Yuguang Xiao, Manitoba Hydro , 5, 12/1/2016

- 0 - 0

BPA supports the retirement of LERC and LEAP and the removal of references in Attachment 1.

Ryan Buss, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Maryclaire Yatsko, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 9/1/2016

- 0 - 0

City Light has no comments for Q1

Ginette Lacasse, On Behalf of: Seattle City Light, WECC, Segments 1, 3, 4, 5, 6

- 0 - 0

SRP agrees with the removal of the terms LERC and LEAP and appreciates the SDT for simplifying the requirement language. After reviewing where the language was replaced, SRP agrees with the verbiage used to substitute the terms. Additionally, SRP appreciates the removal of the use of asset boundary from the language. The requirements are much clearer than before.

Christopher Chavez, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Philip Huff, 12/5/2016

- 0 - 0

Andrew Pusztai, 12/5/2016

- 0 - 0

None

Daniel Gacek, Exelon, 1, 12/5/2016

- 0 - 0

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Roger Dufresne, 12/5/2016

- 0 - 0

Wesley Maurer, 12/5/2016

- 0 - 0

FMPA, Segment(s) , 12/5/2016

- 0 - 0

Melanie Seader, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Alexander Vedvik, On Behalf of: Alexander Vedvik, , Segments 9

- 0 - 0

Ronnie Frizzell, 12/5/2016

- 0 - 0

David Rivera, New York Power Authority, 3, 12/5/2016

- 0 - 0

PSEG, Segment(s) 5, 6, 3, 1, 12/2/2016

- 0 - 0

N&ST appreciates the SDT’s efforts to address Order 822’s directive to add clarity to the definition of LERC. However, we believe that simply retiring the term will not adequately resolve the fundamental question of when, and under what conditions, electronic access controls (draft CIP-003-7 Attachment 1 Section 3) must be applied in order to protect low impact BES Cyber Systems (see N&ST comments on “Guidelines and Technical Basis,” following). Accordingly, N&ST suggests taking advantage of the existing, industry-, NERC- and FERC-approved definition of “External Routable Connectivity” and modifying it for low impact as follows: LERC = “The ability to access a low impact BES Cyber System from a Cyber Asset that is outside of the BES asset in which it is contained via a bi-directional routable protocol connection.” The exception for point-to-point connections between IEDs for time-sensitive control and protection functions can be retained from the original LERC definition. N&ST wishes to point out this proposed definition does not in any way introduce the concept of an Electronic Security Perimeter to low impact environments, which is something that FERC has indicated it is presently not inclined to require (Order 822, paragraph 75).

N&ST agrees with the proposed retirement of the term, “LEAP.”

Nicholas Lauriat, Network and Security Technologies, 1, 12/5/2016

- 0 - 0

CIP-003-7 draft currently states that the Responsible Entity (RE) shall implement electronic access controls, but it does not clearly state in CIP-003 Attachment 1 Section 3.1 that electronic access controls are only required IF all three criteria are present. Please modify the CIP-003 Attachment 1 Section 3.1 to clearly state that. In addition, please consider adding a statement that if the criteria are not applicable, i.e., if there is not “a routable protocol”, the RE is not required to establish electronic access controls.

David Greyerbiehl, CMS Energy - Consumers Energy Company, 5, 12/5/2016

- 0 - 0

Barry Lawson, National Rural Electric Cooperative Association, 4, 12/5/2016

- 0 - 0

The description of the current draft states:

"The SDT simplified Section 3 of Attachment 1 to require the Responsible Entity to permit only necessary inbound and outbound electronic access when using a routable protocol entering or leaving the asset between low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber system(s). When this communication is present, Responsible Entities are required to implement electronic access controls unless that communication meets the exclusion language (previously in the definition of LERC) contained in (iii) which reads: “not used for time‐sensitive protection or control functions between intelligent electronic devices (e.g. communications using protocol IEC TR‐61850‐90‐5 R‐ GOOSE)”."

This unnecessarily includes all communications traffic which may not even be destined for a BES cyber system at that site. As a matter of normal operation, our internal communications network switches traffic through sites which are not the final destination for the traffic. This new definition would bring all of that traffic unnecessarily into scope. Even if the requirements to adhere to the applicable standard are low, Idaho Power will spend unnecessary dollars on keeping track of and reporting on this.

The definition should be modified to only include traffic destined for a local BES cyber system, by adding an additional exception stating "excluding traffic not destined for a local BES cyber system." The SDT does not seem to understand that not all traffic crossing an asset boundary is destined for that asset; some traffic may continue on from the asset to other assets. Traffic destined for other assets should not be controlled and specifically permitted at every stop along the way. It should be controlled at the communications ingress and egress points only.

Laura Nelson, IDACORP - Idaho Power Company, 1, 12/5/2016

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 12/5/2016

- 0 - 0

Payam Farahbakhsh, Hydro One Networks, Inc., 1, 12/5/2016

- 1 - 0

Paul Malozewski, Hydro One Networks, Inc., 3, 12/5/2016

- 0 - 0

The concepts that replaced the Defined Terms are an improvement from the previous definitions for LERC and LEAP. The new concept puts emphasis in protecting BES Cyber Assets, but lacks clarity on how compliance with the Standard will be achieved.

Jamie Monette, Allete - Minnesota Power, Inc., 1, 12/5/2016

- 0 - 0

Thomas Breene, WEC Energy Group, Inc., 3, 12/5/2016

- 0 - 0

David Gordon, 12/5/2016

- 0 - 0

While the revisions to CIP-003 obviate the need for the problematic LERC and LEAP definitions, they retain some of the ambiguity regarding physical versus logical characteristics. Suggested revision:

“3.1 Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity for any user-initiated communications that are:

i. between a low impact BES Cyber System(s) and an external network(s) or a Cyber Asset(s) residing outside of a network to which low impact BES Cyber System(s) are connected;

ii. using a routable protocol when entering or leaving the network on which the low impact BES Cyber System(s) reside; and,

iii. not used for time‐sensitive protection or control functions between intelligent electronic devices (e.g. communications using protocol IEC TR‐61850‐90‐5 R‐GOOSE).” 

Sarah Gasienica, 12/5/2016

- 0 - 0

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Duke Energy requests further clarification from the drafting team regarding the removal of the term “bi directional” from Section 3 in Attachment 1. Is it the drafting team’s interpretation that the term “bi directional” was redundant, and thus not necessary in the language? The term “bi directional” is not included in the definition of “Routable Protocol,” and removing the term in this instance promotes ambiguity, and could impact applicability of the standard.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

Texas RE appreciates the SDT’s continued efforts to develop a workable definition of Low Impact External Routable Connectivity (LERC) that addresses FERC’s directive in Order No. 822. As FERC’s directive made clear, the focus of this project should be on developing a workable modification to the LERC definition consistent with “the commentary in the Guidelines and Technical Basis section of CIP-003-6.” In fulfilling this mandate, the SDT has elected to retire the LERC definition and instead incorporate elements of the LERC and Low-Impact BES Cyber System Electronic Access Point (LEAP) concepts into a new requirement focused on electronic access controls. While the SDT’s approach appears to also meet the terms of the FERC directive, Texas RE remains concerned that introducing such new concepts may lead to confusion. Given this fact, Texas RE continues to believe that the better approach is to draw from facility Electronic Access Point concepts already set forth in CIP-005. As such, Texas RE proposes the following revision to Attachment 2, Section 3.1 in lieu of the SDT’s current approach: “Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.” With this change, Texas RE’s proposed Section 3.1 would read as follows:

Section 3. Electronic Access Controls: For each asset containing low impact BES Cyber System(s) identified pursuant to CIP‐002, the Responsible Entity shall implement electronic access controls to:

3.1 Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default for any communications that are:

i. between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s);

ii. using a routable protocol when entering or leaving the asset containing the low impact BES Cyber System(s); and,

iii. not used for time‐sensitive protection or control functions between intelligent electronic devices (e.g. communications using protocol IEC TR‐61850‐90‐5 R‐GOOSE).

3.2 Authenticate all Dial‐up Connectivity, if any, that provides access to low impact BES Cyber System(s), per Cyber Asset capability.

Texas RE believes that such an approach would make the CIP Standards more consistent with one another while avoiding introducing new and untested concepts in a project designed to have a limited scope.

Texas RE acknowledges that FERC did not direct NERC to utilize the concept of Electronic Security Perimeters for low impact systems and to leverage existing definitions for EAP and ERC. However, given the approach taken by the SDT in response to FERC’s narrow directive, Texas RE believes that the SDT may wish to consider extending the familiar concepts in the existing ERC definition to the LERC environment at this juncture as part of developing new electronic access control requirements.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 12/5/2016

- 0 - 0

RSC no Dominion, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 12/5/2016

- 0 - 0

Michael DeLoach, 12/5/2016

- 0 - 0

Joe Tarantino, On Behalf of: Sacramento Municipal Utility District - WECC - Segments 1, 3, 4, 5, 6

- 0 - 0

Patricia Lynch, 12/5/2016

- 0 - 0

adopt PSEG comments

Tim Kucey, PSEG - PSEG Fossil LLC, 5, 12/5/2016

- 0 - 0

1) The SDT’s approach to retire the definitions of LERC and LEAP by implementing low impact electronic access controls is one way to address the directive in FERC Order No. 822, which focused on the ambiguity of the word “direct.” However, this approach creates unintended consequences for compliance. In particular, the proposed revisions implicitly require low impact entities to have an identified list of low impact assets, which is specifically excluded in CIP-002.

2) The SDT’s proposed approach will create difficulty for both industry to demonstrate compliance and for auditors to determine reasonable assurance.

3) We suggest the SDT consider another method to address the FERC directive that still preserves the low impact requirements and the explicit exclusion from being required to have an inventory list of low impact assets.

4) One possible approach is for low impact entities to have a documented process that applies electronic access controls to low impact assets.

a. Auditors could verify that the entity has developed the documented process, and the entity could demonstrate compliance by providing the document as evidence.

b. This approach also preserves the disparate treatment of low and medium impact assets, by assigning different levels of requirements that are commensurate with the risks they pose to the Bulk Electric System.

ACES Standards Collaborators, Segment(s) 1, 5, 3, 6, 4, 12/5/2016

- 0 - 0

Reclamation commends the SDT on this effort to simplify the standard. 

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, WECC, Segments 1, 5

- 0 - 0

Laurie Williams, PNM Resources - Public Service Company of New Mexico, 1, 12/5/2016

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 8/3/2016

- 0 - 0

Hot Answers

Michael Mertz, 12/5/2016

- 0 - 0

We suggest the drafting team re-evaluate where the electronic access control is required. We feel that the electronic access control should be applied to each of the low impact BES Cyber System(s) in the identified asset containing low impact BES Cyber Assets instead of the asset that contains the low impact Cyber Systems.

SPP Standards Review Group, Segment(s) , 12/5/2016

- 0 - 0

Other Answers

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 11/10/2016

- 0 - 0

David Ramkalawan, 11/17/2016

- 0 - 0

faranak sarbaz, Los Angeles Department of Water and Power, 1, 11/18/2016

- 0 - 0

Mark Riley, Associated Electric Cooperative, Inc., 1, 11/22/2016

- 0 - 0

Jeff Johnson, On Behalf of: Sempra - San Diego Gas and Electric - WECC - Segments 4

- 0 - 0

Sean Bodkin, Dominion - Dominion Resources, Inc., 6, 11/30/2016

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 11/30/2016

- 0 - 0

We disagree with the language within Attachment 1 - 3.1 (i) as it applies to using the asset's physical border as the defining line where electronic access controls must be deployed, as it is inconsistent with allowable solutions for higher impact levels. The asset border concept has logical consistency issues by allowing unfettered routable communication across a large site such as a generation facility, but disallowing routable communications without access controls between different assets that are close together, such as a generation station and a switchyard. We suggest utilizing the concept of Electronic Security Perimeters, which allows the entity to define a logical border within an asset or across two assets, like a medium impact ESP with access point deployment.

Blair Mukanik, Manitoba Hydro , 6, 12/1/2016

- 0 - 0

We disagree with the language within Attachment 1 - 3.1 (i) as it applies to using the asset's physical border as the defining line where electronic access controls must be deployed, as it is inconsistent with allowable solutions for higher impact levels. The asset border concept has logical consistency issues by allowing unfettered routable communication across a large site such as a generation facility, but disallowing routable communications without access controls between different assets that are close together, such as a generation station and a switchyard. We suggest utilizing the concept of Electronic Security Perimeters, which allows the entity to define a logical border within an asset or across two assets, like a medium impact ESP with access point deployment.

Yuguang Xiao, Manitoba Hydro , 5, 12/1/2016

- 0 - 0

Ryan Buss, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Seminole appreciates the Standard Development Team’s work on this requirement, especially the efforts to make this a non-prescriptive risk based security standard.   Seminole generally supports the revision, but suggests a minor change to clarify the requirement.

While Seminole supports this component of the requirement, we suggest adding a clarification to Attachment 1, Section 3. The statement in 3.1.i,

“between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s);”

is unclear and can be interpreted in two different ways for audit purposes.

1. If a BES Cyber Asset is present behind the firewall, all traffic must be controlled and documented; or

2. Only traffic passing through the firewall to a BES Cyber System must be controlled and documented, other traffic destined to a non-BES Cyber System does not require any controls.

Seminole recommends that suitable language be added to clarify the intent for auditing purposes.  For example:

1. “between a routable network containing a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s);”

2. “between a BES Cyber Asset contained within a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s);”

Maryclaire Yatsko, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

AZPS recommends that the SDT consider adding clarity regarding routable communication between Low Impact BCSs and those Cyber Assets that are located within the same asset (facility).  While the proposed requirement is clear that routable communications from a Low Impact BCS that travel outside of the asset (facility) must have electronic access controls in place, it is unclear whether there is a similar expectation for routable communication with Cyber Assets located within the same asset, but that are not associated with the Low Impact BCS.  AZPS notes that the diagrams contained in the supplemental materials appear to contain some electronic controls associated with Low Impact BCS, which may be contributing to confusion and ambiguity.  While we believe the current language is an improvement, AZPS may not be able to vote affirmatively on this requirement if the ambiguity is not addressed.

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 9/1/2016

- 0 - 0

Seattle City Light appreciates the efforts of the Standard Drafting Team to respond to comments regarding the previous draft of CIP-003-7 and is supportive of the approach taken in the present draft. That said, Seattle urges a change in the language of R3.1, to make it crystal clear that all three criteria must be satisfied in order for the obligation to apply. Seattle finds the convention to be unnecessarily confusing (because it's an arcane and obscure variant of ordinary English usage) that a numbered list denotes an “and” relationship among members of the list and that a bulleted list denotes an “or” relationship. Seattle suggests the following change (additions in ALL CAPS):

 3.1 Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity for any communications that SATISFY ALL THREE OF THE FOLLOWING CRITERIA:

i. ARE between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low   impact BES Cyber System(s);

ii. USE a routable protocol when entering or leaving the asset containing the low impact BES Cyber System(s); and,

iii. ARE not used for time‐sensitive protection or control functions between intelligent electronic devices (e.g. communications using protocol IEC TR‐61850‐90‐5 R‐GOOSE).

Ginette Lacasse, On Behalf of: Seattle City Light, WECC, Segments 1, 3, 4, 5, 6

- 0 - 0

SRP agrees each asset containing low impact BES Cyber System(s) should be afforded electronic access controls for any communication that meets the criteria in 3.1.i-iii.

Christopher Chavez, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Philip Huff, 12/5/2016

- 0 - 0

Andrew Pusztai, 12/5/2016

- 0 - 0

None

Daniel Gacek, Exelon, 1, 12/5/2016

- 0 - 0

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Roger Dufresne, 12/5/2016

- 0 - 0

Wesley Maurer, 12/5/2016

- 0 - 0

FMPA, Segment(s) , 12/5/2016

- 0 - 0

Melanie Seader, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

However, the PSCW suggests that NERC consider comments by Manitoba Hydro and Seminole Electric Cooperative, Inc., in order to make the final revision as clear as possible to all registered entities.

Alexander Vedvik, On Behalf of: Alexander Vedvik, , Segments 9

- 0 - 0

Ronnie Frizzell, 12/5/2016

- 0 - 0

NYPA is NOT supportive of the proposed changes to Attachment 1-Section 3. It is confusing what the necessary treatment is for cyber assets included in a “Facility” but not a BES Cyber System. In addition, the definition of terms regarding “asset”, “routable communication”, “any communication”, and “electronic access” as included in Attachment 1 and the supplemental information is necessary for clarification and applicability.

David Rivera, New York Power Authority, 3, 12/5/2016

- 0 - 0

PSEG, Segment(s) 5, 6, 3, 1, 12/2/2016

- 0 - 0

Based on N&ST recommendation for a revised definition of LERC, N&ST recommends changing requirement statement 3.1 to: “For LERC, if any, permit only necessary inbound and outbound electronic access as determined by the Responsible Entity.”

Nicholas Lauriat, Network and Security Technologies, 1, 12/5/2016

- 0 - 0

CIP-003-7 draft currently states that the Responsible Entity (RE) shall implement electronic access controls, but it does not clearly state in CIP-003 Attachment 1 Section 3.1 that electronic access controls are only required IF all three criteria are present. Please modify the CIP-003 Attachment 1 Section 3.1 to clearly state that. In addition, please consider adding a statement that if the criteria are not applicable, i.e., if there is not “a routable protocol”, the RE is not required to establish electronic access controls.

David Greyerbiehl, CMS Energy - Consumers Energy Company, 5, 12/5/2016

- 0 - 0

Barry Lawson, National Rural Electric Cooperative Association, 4, 12/5/2016

- 0 - 0

This section needs to be modified to be congruent with a LERC definition which allows for the exception of traffic not destined for a local BES cyber system.

Laura Nelson, IDACORP - Idaho Power Company, 1, 12/5/2016

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 12/5/2016

- 0 - 0

Payam Farahbakhsh, Hydro One Networks, Inc., 1, 12/5/2016

- 0 - 0

Paul Malozewski, Hydro One Networks, Inc., 3, 12/5/2016

- 0 - 0

See comments from #7.

Jamie Monette, Allete - Minnesota Power, Inc., 1, 12/5/2016

- 0 - 0

Thomas Breene, WEC Energy Group, Inc., 3, 12/5/2016

- 0 - 0

MMWEC is voting to approve with the following comment:

MMWEC recommends changing the proposed CIP-003-7 Attachment 1, Section 3.1(ii) to the following: 

"ii. using a routable protocol when entering or leaving the asset containing the low impact BES Cyber System(s) or using a routable protocol when the BES Cyber Asset is addressable using a routable protocol from outside the asset; and,”

Rationale

As currently written, the criteria in Attachment 1, Section 3.1 for requiring electronic access controls would exempt communication to a BES Cyber Asset that uses an IP-to-serial protocol converter if that converter is located outside of the asset and only serial communications enter the asset. This would be the case even if the protocol converter faces the public Internet.

The GTB (p. 33) states that entities can “identify an ‘electronic boundary’ associated with the asset.” Thus, an entity could designate the electronic boundary to be between the BES Cyber Asset and the protocol converter in order to assert that there is no routable communications crossing the electronic boundary. Although compliant, this would not be secure, since the BES Cyber Asset would be addressable from a Cyber Asset located outside the asset.

The recommended change to Section 3.1(ii) would reduce the risk of BES Cyber Assets that are connected to the Internet by a protocol converter from being identified by tools such as Shodan.

David Gordon, 12/5/2016

- 0 - 0
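The scoping disputes in the comments above (Idaho Power on transit traffic, Seminole's two readings of 3.1.i, and MMWEC's IP-to-serial converter sitting outside the asset) become concrete once the three criteria are written down as a decision function. The block below is an added example for this page, not NERC text or any commenter's tooling: it encodes Section 3.1 (i)-(iii) as quoted in the comments, with a `reading` switch for the two interpretations of (i) and an `mmwec_variant` switch for MMWEC's proposed (ii). The sites, devices, the `routably_addressable_from_outside` attribute and the scenarios in `demo()` are all constructed assumptions chosen to exercise those edge cases.

```python
"""Added example: draft CIP-003-7 Attachment 1, Section 3.1 criteria as a decision
function. The interpretation switches map to readings raised by commenters; the
scenarios in demo() are constructed, not taken from any entity's network."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Purpose(Enum):
    GENERAL = "general"
    TIME_SENSITIVE_IED = "time-sensitive IED protection/control"  # e.g. R-GOOSE


@dataclass(frozen=True)
class Endpoint:
    asset: str                                   # facility the Cyber Asset sits in
    low_impact_bcs: bool = False                 # part of a low impact BES Cyber System
    # MMWEC edge case: serial-only device reachable over IP through a converter
    # outside the asset (hypothetical attribute, not in the draft text).
    routably_addressable_from_outside: bool = False


@dataclass(frozen=True)
class Flow:
    src: Endpoint
    dst: Endpoint
    routable_at_boundary: bool      # routable protocol where it enters/leaves the asset
    purpose: Purpose = Purpose.GENERAL
    transit: tuple[str, ...] = ()   # assets it passes through without terminating


def crosses(flow: Flow, asset: str) -> bool:
    """True if the flow enters or leaves `asset`, terminating there or transiting it."""
    ends = {flow.src.asset, flow.dst.asset}
    return (asset in ends and len(ends) == 2) or asset in flow.transit


def local_bcs_endpoint(flow: Flow, asset: str) -> bool:
    """Criterion (i), endpoint reading: one end is a low impact BCS at `asset`
    and the other end is a Cyber Asset outside `asset`."""
    return any(a.asset == asset and a.low_impact_bcs and b.asset != asset
               for a, b in ((flow.src, flow.dst), (flow.dst, flow.src)))


def section_3_1_applies(flow: Flow, asset: str, reading: str = "endpoint",
                        mmwec_variant: bool = False) -> tuple[bool, list[str]]:
    """Return (in_scope, failed_criteria) for `flow` seen from `asset`, which is
    assumed to be identified under CIP-002 as containing low impact BCS.

    reading="endpoint": (i) needs a local low impact BCS endpoint (Seminole's
        reading 2; the exception Idaho Power asks for).
    reading="boundary": (i) is met by any flow crossing the asset boundary
        (Seminole's reading 1; the over-broad reading Idaho Power objects to).
    mmwec_variant: (ii) is also met when the local BCS is routably addressable
        from outside although only serial enters the asset (MMWEC's 3.1(ii)).
    """
    failed: list[str] = []
    crit_i = crosses(flow, asset) if reading == "boundary" else local_bcs_endpoint(flow, asset)
    if not crit_i:
        failed.append("i")
    crit_ii = flow.routable_at_boundary and crosses(flow, asset)
    if mmwec_variant:
        crit_ii = crit_ii or any(e.asset == asset and e.low_impact_bcs
                                 and e.routably_addressable_from_outside
                                 for e in (flow.src, flow.dst))
    if not crit_ii:
        failed.append("ii")
    if flow.purpose is Purpose.TIME_SENSITIVE_IED:   # criterion (iii) exclusion
        failed.append("iii")
    return (not failed, failed)


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Constructed scenarios (hypothetical sites and devices) for the edge cases."""
    sub = "Substation A"                      # assumed to contain low impact BCS
    relay = Endpoint(sub, low_impact_bcs=True)
    ems = Endpoint("Control Center")
    plant = Endpoint("Plant C")
    # 1. SCADA poll from the control center terminating at the relay
    scada = Flow(ems, relay, routable_at_boundary=True)
    # 2. Transit traffic: control center to Plant C, switched through Substation A
    transit = Flow(ems, plant, routable_at_boundary=True, transit=(sub,))
    # 3. R-GOOSE between IEDs at two substations: excluded by (iii)
    goose = Flow(relay, Endpoint("Substation B", low_impact_bcs=True),
                 routable_at_boundary=True, purpose=Purpose.TIME_SENSITIVE_IED)
    # 4. MMWEC case: serial-only relay behind an IP-to-serial converter located
    #    outside the asset, so only serial enters the substation
    serial_relay = Endpoint(sub, low_impact_bcs=True, routably_addressable_from_outside=True)
    converter = Endpoint("Roadside cabinet")
    serial = Flow(converter, serial_relay, routable_at_boundary=False)
    return {
        "scada": section_3_1_applies(scada, sub),
        "transit_endpoint_reading": section_3_1_applies(transit, sub),
        "transit_boundary_reading": section_3_1_applies(transit, sub, reading="boundary"),
        "goose": section_3_1_applies(goose, sub),
        "serial_draft_text": section_3_1_applies(serial, sub),
        "serial_mmwec_variant": section_3_1_applies(serial, sub, mmwec_variant=True),
    }


if __name__ == "__main__":
    for name, (in_scope, failed) in demo().items():
        print(f"{name:26} in scope: {in_scope!s:5} failed criteria: {failed}")
```

Running `demo()` shows the two points the commenters make: the transit flow is out of scope under the endpoint reading and in scope under the boundary reading (the draft text decides neither), and the serial-only relay behind an external converter falls out of scope under the draft's (ii) but back in under MMWEC's wording, which is exactly the Internet-exposed case MMWEC describes. An entity using such a check for its own scoping would have to pick a reading and document it, since the draft text as quoted does not.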

Please see above comments regarding physical and logical characteristics.

Sarah Gasienica, 12/5/2016

- 0 - 0

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Duke Energy recommends the following language change to Attachment 1, Section 3.1 i:

“between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset, as determined by the Responsible Entity, containing low impact BES Cyber System(s);”

We feel that the addition of “as determined by the Responsible Entity” is necessary in that it reduces ambiguity, and promotes consistency with other aspects of this section.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Tri-State agrees with the revisions but we recommend the SDT include an “and” at the end of i. in Attachment 1 Section 3.1.  We acknowledge that there is some language in the Supplemental Material stating electronic access controls are only required for communications when all three of the criteria are met but we believe that is an important detail that should be captured in the attachment.

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

Please see Texas RE’s response to number 1.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 12/5/2016

- 0 - 0

RSC no Dominion, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 12/5/2016

- 0 - 0

The question is not written consistently with the proposed Section 2 language. The electronic access controls are to be applied to the external (to the asset) routable communications from/to low impact BES Cyber Systems, not all routable communications to the asset.

Comments: The wording under Section 3 item ii brings into scope every routable connection that enters or leaves an asset containing low impact BES Cyber Systems. This is an overly broad classification and reaches beyond the regulation of equipment involved in the operation of the BES. There can be multiple routable connections into and out of an asset containing low impact BES Cyber Systems that provide no connection to low impact BES Cyber Assets. Item ii should be removed from Section 3.

Michael DeLoach, 12/5/2016

- 0 - 0

SMUD/BANC is not supportive of the proposed changes to Attachment 1-Section 3. It is confusing what the necessary treatment is for cyber assets included in a “Facility” but not a BES Cyber System. In addition, the definition of terms regarding “asset”, “routable communication”, “any communication”, and “electronic access” as included in Attachment 1 and the supplemental information is necessary for clarification and applicability.

Joe Tarantino, On Behalf of: Sacramento Municipal Utility District - WECC - Segments 1, 3, 4, 5, 6

- 0 - 0

Patricia Lynch, 12/5/2016

- 0 - 0

adopt PSEG comments

Tim Kucey, PSEG - PSEG Fossil LLC, 5, 12/5/2016

- 0 - 0

1) This requirement suggests that Responsible Entities must identify or otherwise list their low impact Cyber Assets similar in nature to a medium-impact requirement; otherwise how will compliance be evaluated? This approach contradicts CIP-002, which states an inventory list of low impact BES Cyber Systems (or Cyber Assets) is not required.

2) Responsible Entities are only required to implement electronic access controls to assets containing low impact BES Cyber Systems with necessary inbound and outbound electronic access. There does not appear to be much clarity around the criteria for access “necessity” and therefore the benchmark for the requirement of implementing electronic access controls is unclear and unmeasurable. How will compliance with this be evaluated?

3) Consider requiring a documented methodology for implementing electronic access controls for each asset containing low impact BES Cyber Systems.

a. This alleviates any implied requirement for maintaining an inventory list of low impact assets, and would allow the Responsible Entity to incorporate use of exclusion criteria to those communications it deems applicable.

ACES Standards Collaborators, Segment(s) 1, 5, 3, 6, 4, 12/5/2016

- 0 - 0

Reclamation commends the SDT on this effort to simplify the standard. 

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, WECC, Segments 1, 5

- 0 - 0

- 0 - 0

Laurie Williams, PNM Resources - Public Service Company of New Mexico, 1, 12/5/2016

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 8/3/2016

- 0 - 0

Hot Answers

We recommend rearranging the Electronic Access Controls (currently Section 3) so that it should become Section 2 and the Physical Electronic Access Controls (currently Section 2) should become Section 3. Section 2 refers to Section 3.1 in both Attachment 1 and the Guidelines and Technical Basis and therefore it would be easier to read if the Electronic Access Controls section appeared first.

Michael Mertz, 12/5/2016

- 0 - 0

SPP Standards Review Group, Segment(s) , 12/5/2016

- 0 - 0

Other Answers

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 11/10/2016

- 0 - 0

- 0 - 0

David Ramkalawan, 11/17/2016

- 0 - 0

faranak sarbaz, Los Angeles Department of Water and Power, 1, 11/18/2016

- 0 - 0

Mark Riley, Associated Electric Cooperative, Inc., 1, 11/22/2016

- 0 - 0

Jeff Johnson, On Behalf of: Sempra - San Diego Gas and Electric - WECC - Segments 4

- 0 - 0

Sean Bodkin, Dominion - Dominion Resources, Inc., 6, 11/30/2016

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 11/30/2016

- 0 - 0

Blair Mukanik, Manitoba Hydro , 6, 12/1/2016

- 0 - 0

Yuguang Xiao, Manitoba Hydro , 5, 12/1/2016

- 0 - 0

Ryan Buss, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Maryclaire Yatsko, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

- 0 - 0

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 9/1/2016

- 0 - 0

Ginette Lacasse, On Behalf of: Seattle City Light, WECC, Segments 1, 3, 4, 5, 6

- 0 - 0

Christopher Chavez, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Philip Huff, 12/5/2016

- 0 - 0

Philip Huff, 12/5/2016

- 0 - 0

Andrew Pusztai, 12/5/2016

- 0 - 0

We would like to see some additional language in the GTB to clarify that the intent is not to require a separate need justification for physical security control to the systems that provide electronic access controls. For example, in a substation, if we justify a need for a population of people who need access to the control house where Low BCAs are located, we would not expect to have to separately justify why that same population needs access to a device within the substation that provides electronic access controls.

Daniel Gacek, Exelon, 1, 12/5/2016

- 0 - 0

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Roger Dufresne, 12/5/2016

- 0 - 0

Wesley Maurer, 12/5/2016

- 0 - 0

FMPA, Segment(s) , 12/5/2016

- 0 - 0

We recommend rearranging the Electronic Access Controls (currently Section 3) so that it should become Section 2 and the Physical Electronic Access Controls (currently Section 2) should become Section 3. Section 2 refers to Section 3.1 in both Attachment 1 and the Guidelines and Technical Basis and therefore it would be easier to read if the Electronic Access Controls section appeared first.

Melanie Seader, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Alexander Vedvik, On Behalf of: Alexander Vedvik, , Segments 9

- 0 - 0

Ronnie Frizzell, 12/5/2016

- 0 - 0

David Rivera, New York Power Authority, 3, 12/5/2016

- 0 - 0

PSEG, Segment(s) 5, 6, 3, 1, 12/2/2016

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 12/5/2016

- 0 - 0

David Greyerbiehl, CMS Energy - Consumers Energy Company, 5, 12/5/2016

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 12/5/2016

- 0 - 0

Barry Lawson, National Rural Electric Cooperative Association, 4, 12/5/2016

- 0 - 0

This section needs to be modified to be congruent with a LERC definition which allows for the exception of traffic not destined for a local BES Cyber System.

Laura Nelson, IDACORP - Idaho Power Company, 1, 12/5/2016

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 12/5/2016

- 0 - 0

Payam Farahbakhsh, Hydro One Networks, Inc., 1, 12/5/2016

- 0 - 0

Paul Malozewski, Hydro One Networks, Inc., 3, 12/5/2016

- 0 - 0

Jamie Monette, Allete - Minnesota Power, Inc., 1, 12/5/2016

- 0 - 0

Thomas Breene, WEC Energy Group, Inc., 3, 12/5/2016

- 0 - 0

David Gordon, 12/5/2016

- 0 - 0

Jamie Monette, Allete - Minnesota Power, Inc., 1, 12/5/2016

- 0 - 0

Sarah Gasienica, 12/5/2016

- 0 - 0

- 0 - 0

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

Please see Texas RE’s response to #1. 

Rachel Coyne, Texas Reliability Entity, Inc., 10, 12/5/2016

- 0 - 0

- 0 - 0

RSC no Dominion, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 12/5/2016

- 0 - 0

Michael DeLoach, 12/5/2016

- 0 - 0

Joe Tarantino, On Behalf of: Sacramento Municipal Utility District - WECC - Segments 1, 3, 4, 5, 6

- 0 - 0

Patricia Lynch, 12/5/2016

- 0 - 0

adopt PSEG comments

Tim Kucey, PSEG - PSEG Fossil LLC, 5, 12/5/2016

- 0 - 0

1) We would like the SDT to clarify what the non-defined term “electronic access controls” means. The former definition of LEAP provided a specific definition for the controls that a low impact entity had to implement. This change introduces ambiguity into the requirements.

2) We are assuming that the question refers to CIP-003-6, Attachment 1, Section 3, rather than Section 2.

ACES Standards Collaborators, Segment(s) 1, 5, 3, 6, 4, 12/5/2016

- 0 - 0

Reclamation commends the SDT on this effort to simplify the standard. 

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, WECC, Segments 1, 5

- 0 - 0

- 0 - 0

We recommend rearranging the Electronic Access Controls (currently Section 3) so that it should become Section 2 and the Physical Electronic Access Controls (currently Section 2) should become Section 3. Section 2 refers to Section 3.1 in both Attachment 1 and the Guidelines and Technical Basis and therefore it would be easier to read if the Electronic Access Controls section appeared first.

Laurie Williams, PNM Resources - Public Service Company of New Mexico, 1, 12/5/2016

- 0 - 0

Southern Company joins EEI in recommending rearranging the Electronic Access Controls (currently Section 3) so that it should become Section 2, and the Physical Access Controls (currently Section 2) as Section 3. Section 2 refers to Section 3.1 in both Attachment 1 and the Guidelines and Technical Basis and therefore it would be easier to read if the Electronic Access Controls section appeared first.    

Southern Company, Segment(s) 1, 3, 5, 6, 8/3/2016

- 0 - 0

Hot Answers

The sentence that describes evidence that “provides rationale that communication is used for time-sensitive protection or control functions between intelligent electronic devices” is unclear under Attachment 2, Section 3, bullet 1.  It would be helpful if the SDT provided example rationales to clarify and prevent multiple interpretations.

Michael Mertz, 12/5/2016

- 0 - 0

In Section 3 of Attachment 2, we suggest changing the word “rationale” to “business justification.” 

SPP Standards Review Group, Segment(s) , 12/5/2016

- 0 - 0

Other Answers

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 11/10/2016

- 0 - 0

- 0 - 0

David Ramkalawan, 11/17/2016

- 0 - 0

faranak sarbaz, Los Angeles Department of Water and Power, 1, 11/18/2016

- 0 - 0

Mark Riley, Associated Electric Cooperative, Inc., 1, 11/22/2016

- 0 - 0

Jeff Johnson, On Behalf of: Sempra - San Diego Gas and Electric - WECC - Segments 4

- 0 - 0

Sean Bodkin, Dominion - Dominion Resources, Inc., 6, 11/30/2016

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 11/30/2016

- 0 - 0

During the SDT meeting at MH, MH raised a question regarding whether an electronic boundary is allowable to protect low impact BCAs that are located at two BES assets, such as a generation station and the switchyard, where the access points would be defined to protect this electronic boundary like a medium impact ESP. In the CIP-003-7_redline guidance Section, P38 states: “When determining whether a routable protocol is entering or leaving the asset containing the low impact BES Cyber System(s), Responsible Entities have flexibility in identifying an approach to making this evaluation. One approach is for Responsible Entities to identify an “electronic boundary” associated with the asset containing low impact BES Cyber System(s).” Given the use of “electronic boundary associated asset” rather than assets, it is not clear if it was intended to address MH’s comment allowing an electronic boundary to cross two BES assets like a medium ESP. Please clarify the SDT’s intention about the electronic boundary. If it is intended to only allow the electronic boundary to be defined within one BES asset, please explain why, since the medium ESP is allowed to cross multiple sites.

Blair Mukanik, Manitoba Hydro , 6, 12/1/2016

- 0 - 0

During the SDT meeting at MH, MH raised a question regarding whether an electronic boundary is allowable to protect low impact BCAs that are located at two BES assets, such as a generation station and the switchyard, where the access points would be defined to protect this electronic boundary like a medium impact ESP. In the CIP-003-7_redline guidance Section, P38 states: “When determining whether a routable protocol is entering or leaving the asset containing the low impact BES Cyber System(s), Responsible Entities have flexibility in identifying an approach to making this evaluation. One approach is for Responsible Entities to identify an “electronic boundary” associated with the asset containing low impact BES Cyber System(s).” Given the use of “electronic boundary associated asset” rather than assets, it is not clear if it was intended to address MH’s comment allowing an electronic boundary to cross two BES assets like a medium ESP. Please clarify the SDT’s intention about the electronic boundary. If it is intended to only allow the electronic boundary to be defined within one BES asset, please explain why, since the medium ESP is allowed to cross multiple sites.

Yuguang Xiao, Manitoba Hydro , 5, 12/1/2016

- 0 - 0

BPA supports the change to add complementary language in Attachment 2 to further support the requirement language with examples that minimize interpretation and act as the foundation for more consistent application of the standard requirements.

Ryan Buss, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Maryclaire Yatsko, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

- 0 - 0

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 9/1/2016

- 0 - 0

Ginette Lacasse, On Behalf of: Seattle City Light, WECC, Segments 1, 3, 4, 5, 6

- 0 - 0

Christopher Chavez, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Philip Huff, 12/5/2016

- 0 - 0

Philip Huff, 12/5/2016

- 0 - 0

Andrew Pusztai, 12/5/2016

- 0 - 0

Section 2b: propose modified wording of:

b. The Cyber Asset specified by the Responsible Entity that provides electronic access controls implemented for Attachment 1, Section 3.1, if any.

Section 3.1: propose modified wording of:

1. Documentation such as: representative diagrams that illustrate control of inbound and outbound communications between the low impact BES Cyber Asset and the Cyber Asset outside the asset containing low impact BES Cyber Systems, or lists of implemented electronic access controls (e.g. access control lists, restricting IP addresses, ….

Daniel Gacek, Exelon, 1, 12/5/2016

- 0 - 0

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Roger Dufresne, 12/5/2016

- 0 - 0

Wesley Maurer, 12/5/2016

- 0 - 0

FMPA, Segment(s) , 12/5/2016

- 0 - 0

The sentence that describes evidence that “provides rationale that communication is used for time-sensitive protection or control functions between intelligent electronic devices” is unclear under Attachment 2, Section 3, bullet 1.  It would be helpful if the SDT provided example rationales to clarify and prevent multiple interpretations.      

Melanie Seader, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Alexander Vedvik, On Behalf of: Alexander Vedvik, , Segments 9

- 0 - 0

Ronnie Frizzell, 12/5/2016

- 0 - 0

David Rivera, New York Power Authority, 3, 12/5/2016

- 0 - 0

PSEG agrees with the EEI comments.

PSEG, Segment(s) 5, 6, 3, 1, 12/2/2016

- 0 - 0

Section 2, Item b: N&ST suggests changing “Cyber Asset” to “Cyber Asset(s)” to account for the possibility that more than one Cyber Asset is used to implement electronic access controls.

Section 3: N&ST recommends minor edits reflecting N&ST-recommended revised definition of LERC.

Nicholas Lauriat, Network and Security Technologies, 1, 12/5/2016

- 0 - 0

David Greyerbiehl, CMS Energy - Consumers Energy Company, 5, 12/5/2016

- 0 - 0

Section 2, Item b: N&ST suggests changing “Cyber Asset” to “Cyber Asset(s)” to account for the possibility that more than one Cyber Asset is used to implement electronic access controls.

Section 3: N&ST recommends minor edits reflecting N&ST-recommended revised definition of LERC.

Nicholas Lauriat, Network and Security Technologies, 1, 12/5/2016

- 0 - 0

Barry Lawson, National Rural Electric Cooperative Association, 4, 12/5/2016

- 0 - 0

This section needs to be modified to be congruent with a LERC definition which allows for the exception of traffic not destined for a local BES Cyber System.

IPC generally agrees with the language added to the actual CIP-003 standard and its associated attachments, but contends that the requirements in Attachment 1 of CIP-003 with the associated revision to LERC will in essence require a back door inventory of Low Impact BCS.  It is difficult for an entity to effectively comply with Section 2 and to a lesser degree Section 3 without an inventory of Low Impact BCS.  However, this directly conflicts with explicit language of CIP-002.   The SDT needs to strongly consider revising CIP-002 in order to fix the inherent problems that it causes and that then cascades through the rest of the CIP standards and then causes all SDTs to dance around these types of issues now and in the future.

Laura Nelson, IDACORP - Idaho Power Company, 1, 12/5/2016

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 12/5/2016

- 0 - 0

Payam Farahbakhsh, Hydro One Networks, Inc., 1, 12/5/2016

- 0 - 0

Paul Malozewski, Hydro One Networks, Inc., 3, 12/5/2016

- 0 - 0

See comments from Question 7.

Jamie Monette, Allete - Minnesota Power, Inc., 1, 12/5/2016

- 0 - 0

Thomas Breene, WEC Energy Group, Inc., 3, 12/5/2016

- 0 - 0

David Gordon, 12/5/2016

- 0 - 0

See comments from Question 7.

Jamie Monette, Allete - Minnesota Power, Inc., 1, 12/5/2016

- 0 - 0

Sarah Gasienica, 12/5/2016

- 0 - 0

- 0 - 0

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

We recommend the following language change to Attachment 2, Section 3:

“showing that at each asset or group of assets containing low impact BES Cyber Systems, bi directional routable communication between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset is restricted by electronic access controls to permit only inbound and outbound electronic access that the Responsible Entity deems necessary,”

The addition of the term “bi directional” is necessary based on our concerns outlined in question 1, and would promote consistency throughout the document.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

Texas RE will review facts and circumstances during compliance and enforcement reviews.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 12/5/2016

- 0 - 0

- 0 - 0

RSC no Dominion, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 12/5/2016

- 0 - 0

Michael DeLoach, 12/5/2016

- 0 - 0

Since we do not agree with the language pertaining to Attachment 1, we cannot support the examples of evidence identified in Attachment 2.

Joe Tarantino, On Behalf of: Sacramento Municipal Utility District - WECC - Segments 1, 3, 4, 5, 6

- 0 - 0

Patricia Lynch, 12/5/2016

- 0 - 0

adopt PSEG comments

Tim Kucey, PSEG - PSEG Fossil LLC, 5, 12/5/2016

- 0 - 0

1)      We have concerns that the evidence includes lists of controls that correspond to low impact assets (IP addresses, ports, gateways, etc.).  Lists of low impact BES Cyber Assets are explicitly out of scope, per CIP-002.

2)      If the SDT takes the approach of requiring a documented process for low impact controls, as long as the Responsible Entity is not expected to specifically diagram any low impact BES Cyber Assets, the evidence would be acceptable to allow an entity to speak to its documented electronic access control methodology.

ACES Standards Collaborators, Segment(s) 1, 5, 3, 6, 4, 12/5/2016

- 0 - 0

Reclamation recommends changing Section 3 to:

Electronic Access Controls: Examples of evidence for Section 3 may include, but are not limited to:

  1. Documentation identifying required inbound and outbound traffic connections to Low Impact BES Cyber Systems (such as lists or representative diagrams.)

  2. Documentation identifying access controls where routable protocols (that the Responsible Entity deems necessary) are used for inbound and outbound traffic (such as restricting IP addresses, ports, or services; authenticating users; air‐gapping networks; terminating routable protocol sessions on a non‐BES Cyber Asset; implementing unidirectional gateways, etc.)

  3. Documentation identifying methods used to authenticate Dial-up Connectivity (such as dial out only to a preprogrammed number to deliver data, dial‐back modems, modems that must be remotely controlled by the Control Center or control room, access control on the BES Cyber System, or other authentication methods.)

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, WECC, Segments 1, 5

- 0 - 0

- 0 - 0

The sentence that describes evidence that “provides rationale that communication is used for time-sensitive protection or control functions between intelligent electronic devices” is unclear under Attachment 2, Section 3, bullet 1.  It would be helpful if the SDT provided example rationales to clarify and prevent multiple interpretations.

Laurie Williams, PNM Resources - Public Service Company of New Mexico, 1, 12/5/2016

- 0 - 0

Southern Company agrees with EEI's comments noting that the sentence that describes evidence that “provides rationale that communication is used for time-sensitive protection or control functions between intelligent electronic devices” is unclear under Attachment 2, Section 3, bullet 1.  It would be helpful if the SDT provided example rationales to clarify and prevent multiple interpretations.    

Southern Company, Segment(s) 1, 3, 5, 6, 8/3/2016

- 0 - 0

Hot Answers

We believe that “the GTB provides support for the technical merit of the requirement [R2] and provides example diagrams that illustrate various electronic access controls at a conceptual level.” However, we are concerned with the impact that the recent Guidelines and Technical Basis Disclaimer (shared with the Standards Committee on 10/19/16) may have on the use of the GTB. In particular, the sentence that says “the ERO neither endorses nor approves the Supplemental Material as part of the Reliability Standards development process.” We also understand that at the November MRC meeting NERC Staff and the Standards Committee leadership agreed to work together on a way forward on the GTB that affords deference.  EEI encourages NERC and the Standards Committee leadership to work to provide GTB deference as soon as practicable.

Michael Mertz, 12/5/2016

- 0 - 0

The SPP Standards Review Group requests consideration of further refinement to the language of the GTB in Requirements R1 and R2.

Specific to Requirement 1, the language is not consistent with the GTB reference section to R1.

Specific to Requirement 2, it is unclear which document Attachment 1 is associated with (CIP-002 or CIP-003-7).

SPP Standards Review Group, Segment(s) , 12/5/2016

- 0 - 0

Other Answers

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 11/10/2016

- 0 - 0

The reference models should now show the demarcation point of the electronic access control like they once did for LEAP rather than just the firewall icon.

- 0 - 0

David Ramkalawan, 11/17/2016

- 0 - 0

faranak sarbaz, Los Angeles Department of Water and Power, 1, 11/18/2016

- 0 - 0

Mark Riley, Associated Electric Cooperative, Inc., 1, 11/22/2016

- 0 - 0

Jeff Johnson, On Behalf of: Sempra - San Diego Gas and Electric - WECC - Segments 4

- 0 - 0

In Reference model 10 (page 51 of 65), Dominion recommends changing the example from TDM and SONET to “protocol independent transport”. The use of generic terminology would allow for the inclusion of MPLS, TDM, SONET, T1, DSL, etc.

Sean Bodkin, Dominion - Dominion Resources, Inc., 6, 11/30/2016

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 11/30/2016

- 0 - 0

During the SDT meeting at MH, MH raised a question regarding whether an electronic boundary is allowable to protect low impact BCAs that are located at two BES assets, such as a generation station and the switchyard, where the access points would be defined to protect this electronic boundary like a medium impact ESP. In the guidance Section, P38 states: “When determining whether a routable protocol is entering or leaving the asset containing the low impact BES Cyber System(s), Responsible Entities have flexibility in identifying an approach to making this evaluation. One approach is for Responsible Entities to identify an “electronic boundary” associated with the asset containing low impact BES Cyber System(s).” Given the use of “electronic boundary associated asset” rather than assets, it is not clear if it was intended to address MH’s comment allowing an electronic boundary to cross two BES assets like a medium ESP. Please clarify the SDT’s intention about the electronic boundary. If it is intended to only allow the electronic boundary to be defined within one BES asset, please explain why, since the medium ESP is allowed to cross multiple sites.

Blair Mukanik, Manitoba Hydro , 6, 12/1/2016

- 0 - 0

During the SDT meeting at MH, MH raised a question regarding whether an electronic boundary is allowable to protect low impact BCAs that are located at two BES assets, such as a generation station and the switchyard, where the access points would be defined to protect this electronic boundary like a medium impact ESP. In the guidance Section, P38 states: “When determining whether a routable protocol is entering or leaving the asset containing the low impact BES Cyber System(s), Responsible Entities have flexibility in identifying an approach to making this evaluation. One approach is for Responsible Entities to identify an “electronic boundary” associated with the asset containing low impact BES Cyber System(s).” Given the use of “electronic boundary associated asset” rather than assets, it is not clear if it was intended to address MH’s comment allowing an electronic boundary to cross two BES assets like a medium ESP. Please clarify the SDT’s intention about the electronic boundary. If it is intended to only allow the electronic boundary to be defined within one BES asset, please explain why, since the medium ESP is allowed to cross multiple sites.

Yuguang Xiao, Manitoba Hydro , 5, 12/1/2016

- 0 - 0

BPA believes the technical diversity of the examples provide sufficient guidance for consistent interpretation and application of the standard.

Ryan Buss, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

While Seminole supports the technical merits and the Guidelines and Technical Basis changes,  Seminole refers the team to additional issues identified in question 7 that may best be addressed in the Guidelines and Technical Basis section of the standard.

Maryclaire Yatsko, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

- 0 - 0

AZPS agrees with the content; however, it recommends that the requirement language be reviewed against the diagrams provided to ensure that there is no ambiguity or confusion created between the two portions of the standard. While we believe the current language is an improvement, AZPS may not be able to vote affirmatively on this requirement if the ambiguity is not addressed.

- 0 - 0

Comment 1:

Language provided in Reference Model 10 contains substantive impact on how entities identify traffic as routable: "In similar configurations, the Responsible Entity should closely evaluate the transport entering or leaving the asset containing low impact BES Cyber System(s). If the communication entering or leaving the asset containing low impact BES Cyber System(s) was routable (such as serial encapsulated in TCP/IP or UDP/IP as depicted in Reference Model 2 or Reference Model 5), then the criteria requiring electronic access controls would be met."

Specifically, when utilizing communications circuits from a third party communications provider, an entity has no control or knowledge over the transport level technologies employed. From an entity's perspective, a 56K four-wire circuit is completely non-routable. However, the telecom provider may convert it to IP based communications in the telecom transport pathway prior to converting it back to a 56K four-wire circuit when entering a remote facility.

These transport-layer characteristics are transparent to the devices at each end of a communications link. The criteria specified in Reference Model 10 implies that potential encapsulations and conversions, outside of an entity's control (or even awareness), may qualify an otherwise non-routable communications link as routable.

As written, to verify transport level characteristics as provided in Reference Model 10 would require auditing all transport layer equipment and configurations as employed by the telecom provider.

TVA suggests that specific technical criteria that qualifies traffic as routable be included in a NERC Glossary term instead of language contained in a "Supplemental Material" section of a standard.

Comment 2:

Language provided in the section headed “Insufficient Access Controls” contains substantive impact on communication options available for use by entities: “Some examples of situations that would lack sufficient access controls to meet the intent of this requirement include: […] A low impact BES Cyber System has a wireless card on a public carrier that allows the BES Cyber System to be reachable via a public IP address. In essence, low impact BES Cyber Systems should not be accessible from the Internet and search engines such as Shodan.”

 As written, the last sentence prevents the use of all internet based communications solutions that utilize a public IP address.  This includes any cellular, satellite, or ISP based service.  Many acceptable, and secure, internet based communications solutions exist where data can be appropriately secured.  Most of these solutions would utilize some form of VPN or SSL technology.  Access control is not contingent upon what IP addresses may or may not be used.

TVA recommends striking this bullet completely or clarifying the language to accommodate secure internet based communication solutions.

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 9/1/2016

- 0 - 0

Seattle in particular appreciates the addition of Reference Model 10, to illustrate the common case of a SONET system carrying both routable and non-routable traffic.

Ginette Lacasse, On Behalf of: Seattle City Light, WECC, Segments 1, 3, 4, 5, 6

- 0 - 0

SRP appreciates the use of example diagrams. Reference model 10 is particularly useful. However, MPLS is still not addressed within the diagrams. SRP requests the SDT create an example diagram to address MPLS as the transport network. Would only the out of band management network be considered as the electronic access, or is it expected that the MPLS transport connection must traverse an electronic access control such as a firewall?

Christopher Chavez, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Philip Huff, 12/5/2016

- 0 - 0

Philip Huff, 12/5/2016

- 0 - 0

Andrew Pusztai, 12/5/2016

- 0 - 0

Under the draft, electronic access controls must be implemented for routable connections to low impact BES Cyber Systems such that only “necessary” traffic is permitted.  The determination of what is “necessary” remains in the hands of the Responsible Entity, but documentation to support why communications are “necessary” would likely be required because these determinations will need to be justified.  Documenting why the permitted traffic for each routable connection is “necessary” could be extremely burdensome.  The GTB should explicitly allow Responsible Entities to define the necessary communications generically, so that separate documentation need not be maintained for each routable communication at each site.  Propose that the GTB specifically state that the intent is not to require access control list or other line by line justifications.

Daniel Gacek, Exelon, 1, 12/5/2016

- 0 - 0

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

The previous version of CIP-003-7 presented examples of asset boundaries and explicitly allowed extended asset boundaries beyond the property line. In order to prevent the addition of communications control equipment without significant gain in security, we believe that the SDT should explicitly extend the asset limits provided that physical or electronic controls are in place.  The diagrams should reflect this option.

Roger Dufresne, 12/5/2016

- 0 - 0

Wesley Maurer, 12/5/2016

- 0 - 0

FMPA generally agrees with the Guidelines and Technical Basis section, but sees two items that need addressing.

While the SDT acknowledged there are concerns regarding shared facilities, FMPA does not believe the revised language completely addresses those concerns. Section 2 of Attachment 1 still states “[e]ach Responsible Entity shall control physical access.” This simply does not work at share facilities because more than one entity cannot have control at the same time. It is essential for entities with BES Cyber Systems in shared facilities to be able to enter into agreements that identify the Repsonsible Entity controlling physical access. FMPA supports Seminole Electric Cooperative, Inc.’s proposed language for addressing shared facilities.

Also, Reference Models 3 and 7 use the term “Non BES Cyber System” while others use the term “Non-BES Cyber Asset”. FMPA believes cyber asset more accurately reflects what these devices are and that all the models should use consistent language.

FMPA, Segment(s) , 12/5/2016

- 0 - 0

We believe that “the GTB provides support for the technical merit of the requirement [R2] and provides example diagrams that illustrate various electronic access controls at a conceptual level.” However, we are concerned with the impact that the recent Guidelines and Technical Basis Disclaimer (shared with the Standards Committee on 10/19/16) may have on the use of the GTB. In particular, the sentence that says “the ERO neither endorses nor approves the Supplemental Material as part of the Reliability Standards development process.” We also understand that at the November MRC meeting NERC Staff and the Standards Committee leadership agreed to work together on a way forward on the GTB that affords deference.  EEI encourages NERC and the Standards Committee leadership to work to provide GTB deference as soon as practicable.     

Melanie Seader, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 1 - 0

The PSCW abstains. However, we recommend NERC consider comments by registered entities impacted by this standard.

Alexander Vedvik, On Behalf of: Alexander Vedvik, , Segments 9

- 0 - 0

Ronnie Frizzell, 12/5/2016

- 0 - 0

The language of several Reference Models states “When permitting the inbound and outbound electronic access permissions, at a minimum, the permissions need to restrict source and destination addresses, or a range of addresses when necessary.” This language sounds like a Requirement. Recommend striking this sentence in all locations because the diagrams should be illustrative, allowing the Responsible Entity flexibility to implement appropriate security controls, as provided by the Requirements language. Also recommend striking the final sentence in Reference Models 1, 2 and 3. These security controls are good suggestions and could be added as suggestions at the beginning of the Guidelines and Technical Basis.

David Rivera, New York Power Authority, 3, 12/5/2016

- 0 - 0

PSEG agrees with the EEI comments.

PSEG, Segment(s) 5, 6, 3, 1, 12/2/2016

- 0 - 0

N&ST recommends updating this section to reflect N&ST-recommended revised definition of LERC.

Comments on specific reference models:

N&ST believes Reference Model 6 (“Indirect Access”) is problematic in several regards. First of all, having attempted to respond to FERC’s directive to clarify what is meant by “direct” access by simply eliminating the word from CIP-003, the SDT reopens the debate by introducing the concept of “indirect access.” Second, N&ST believes the Reference Model’s assertion that the depicted “indirect access” “...meets the criteria of having communication between the low impact BES Cyber System and a Cyber Asset outside the asset...” is incorrect if the depicted non-BES Cyber Asset is terminating the routable protocol connection between the “external” Cyber Asset and itself. N&ST recommends either eliminating this example or revising it to indicate there is not communication between the low impact BES Cyber System and an “external” Cyber Asset if the non-BES Cyber Asset inside the asset is providing an application-layer protocol break. If N&ST's proposed revised definition of LERC was applied to this Reference Model, N&ST believes LERC would not be present in this case.

Reference Model 5 (“User Authentication”) has similar problems. Is the depicted non-BES Cyber Asset that is performing authentication continuing the same communications session from the external Cyber Asset to the low impact BES Cyber System by performing IP to serial protocol conversion, such as depicted in Reference Model 2? If so, N&ST agrees that there is communication between the low impact BES Cyber System and the external Cyber Asset. If, on the other hand, (1) the authenticating non-BES Cyber Asset is terminating the routable protocol connection from outside the asset and, (2) a user, once authenticated by that Cyber Asset, must initiate a new, serial communications session between the authenticating non-BES Cyber Asset and the low impact BES Cyber System, then N&ST believes the proposed electronic access control requirement would not be applicable. If N&ST's proposed revised definition of LERC was applied to this Reference Model, N&ST believes LERC would not be present in this case.

Nicholas Lauriat, Network and Security Technologies, 1, 12/5/2016

- 0 - 0

David Greyerbiehl, CMS Energy - Consumers Energy Company, 5, 12/5/2016

- 0 - 0

N&ST recommends updating this section to reflect N&ST-recommended revised definition of LERC.

Comments on specific reference models: N&ST believes Reference Model 6 (“Indirect Access”) is problematic in several regards. First of all, having attempted to respond to FERC’s directive to clarify what is meant by “direct” access by simply eliminating the word from CIP-003, the SDT reopens the debate by introducing the concept of “indirect access.” Second, N&ST believes the Reference Model’s assertion that the depicted “indirect access” “...meets the criteria of having communication between the low impact BES Cyber System and a Cyber Asset outside the asset...” is incorrect if the depicted non-BES Cyber Asset is terminating the routable protocol connection between the “external” Cyber Asset and itself. N&ST recommends either eliminating this example or revising it to indicate there is not communication between the low impact BES Cyber System and an “external” Cyber Asset if the non-BES Cyber Asset inside the asset is providing an application-layer protocol break. If N&ST's proposed revised definition of LERC was applied to this Reference Model, N&ST believes LERC would not be present in this case.

Reference Model 5 (“User Authentication”) has similar problems. Is the depicted non-BES Cyber Asset that is performing authentication continuing the same communications session from the external Cyber Asset to the low impact BES Cyber System by performing IP to serial protocol conversion, such as depicted in Reference Model 2? If so, N&ST agrees that there is communication between the low impact BES Cyber System and the external Cyber Asset. If, on the other hand, (1) the authenticating non-BES Cyber Asset is terminating the routable protocol connection from outside the asset and, (2) a user, once authenticated by that Cyber Asset, must initiate a new, serial communications session between the authenticating non-BES Cyber Asset and the low impact BES Cyber System, then N&ST believes the proposed electronic access control requirement would not be applicable. If N&ST's proposed revised definition of LERC was applied to this Reference Model, N&ST believes LERC would not be present in this case.

Nicholas Lauriat, Network and Security Technologies, 1, 12/5/2016

- 0 - 0

Barry Lawson, National Rural Electric Cooperative Association, 4, 12/5/2016

- 0 - 0

This section needs to be modified to be congruent with a LERC definition which allows for the exception of traffic not destined for a local BES cyber system.  This section includes diagrams which need to be modified as well.  None of the reference models depict traffic crossing the asset boundary but destined for other sites, and therein lies the problem with the definition being so all inclusive.

Laura Nelson, IDACORP - Idaho Power Company, 1, 12/5/2016

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 12/5/2016

- 0 - 0

Payam Farahbakhsh, Hydro One Networks, Inc., 1, 12/5/2016

- 0 - 0

Paul Malozewski, Hydro One Networks, Inc., 3, 12/5/2016

- 0 - 0

We align with Edison Electric Institute’s (EEI) comments, stating:

We believe that “the GTB provides support for the technical merit of the requirement [R2] and provides example diagrams that illustrate various electronic access controls at a conceptual level.” However, we are concerned with the impact that the recent Guidelines and Technical Basis Disclaimer (shared with the Standards Committee on 10/19/16) may have on the use of the GTB. In particular, the sentence that says “the ERO neither endorses nor approves the Supplemental Material as part of the Reliability Standards development process.” We also understand that at the November MRC meeting NERC Staff and the Standards Committee leadership agreed to work together on a way forward on the GTB that affords deference.  EEI encourages NERC and the Standards Committee leadership to work to provide GTB deference as soon as practicable.       

Jamie Monette, Allete - Minnesota Power, Inc., 1, 12/5/2016

- 0 - 0

Thomas Breene, WEC Energy Group, Inc., 3, 12/5/2016

- 0 - 0

The language of Reference Models 1, 2 and 3 states “When permitting the inbound and outbound electronic access permissions, at a minimum, the permissions need to restrict source and destination addresses, or a range of addresses when necessary.” MMWEC recommends striking this sentence because it contradicts Section 3 in Attachment 1 and Attachment 2, which allow flexibility in how the Responsible Entity chooses to implement access controls.

David Gordon, 12/5/2016

- 0 - 0

We align with Edison Electric Institute’s (EEI) comments, stating:

We believe that “the GTB provides support for the technical merit of the requirement [R2] and provides example diagrams that illustrate various electronic access controls at a conceptual level.” However, we are concerned with the impact that the recent Guidelines and Technical Basis Disclaimer (shared with the Standards Committee on 10/19/16) may have on the use of the GTB. In particular, the sentence that says “the ERO neither endorses nor approves the Supplemental Material as part of the Reliability Standards development process.” We also understand that at the November MRC meeting NERC Staff and the Standards Committee leadership agreed to work together on a way forward on the GTB that affords deference.  EEI encourages NERC and the Standards Committee leadership to work to provide GTB deference as soon as practicable.       

Jamie Monette, Allete - Minnesota Power, Inc., 1, 12/5/2016

- 0 - 0

The conceptual diagrams continue to appear confusing at best. We have concerns about how the GTB are factored into Compliance and Enforcement.  In some cases it appears that they create “requirements” that must be incorporated into your program; this is inconsistent with prior FERC precedent.  On the other hand, it is not clear whether or not you can rely on the GTB in developing your program and ensuring compliance.

Sarah Gasienica, 12/5/2016

- 0 - 0

- 0 - 0

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Tri-State appreciates the SDT’s work on the Reference Models; however, we recommend the SDT split up the three concepts displayed in Model 8. The current diagram is a bit confusing and may be misinterpreted as one combined concept, rather than three separate ones.

Tri-State would appreciate the inclusion of some examples of what equipment or configurations might qualify as a “Uni-directional Gateway”. There has been a lack of consistency among regions as to what devices would apply for this designation and we would like some clarity from the SDT on this. Specifically, we wonder whether the SDT considers a properly configured firewall to be included as a part of this designation?

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

Please see Texas RE’s response to #1. 

Rachel Coyne, Texas Reliability Entity, Inc., 10, 12/5/2016

- 0 - 0

- 0 - 0

The language of several Reference Models states “When permitting the inbound and outbound electronic access permissions, at a minimum, the permissions need to restrict source and destination addresses, or a range of addresses when necessary.” This language sounds like a Requirement. Recommend striking this sentence in all locations because the diagrams should be illustrative, allowing the Responsible Entity flexibility to implement appropriate security controls, as provided by the Requirements language. Also recommend striking the final sentence in Reference Models 1, 2 and 3. These security controls are good suggestions and could be added as suggestions at the beginning of the Guidelines and Technical Basis.

RSC no Dominion, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 12/5/2016

- 0 - 0

Michael DeLoach, 12/5/2016

- 0 - 0

We do not support the Guidelines nor Technical Basis as we do not support the language in this draft Standard.

Joe Tarantino, On Behalf of: Sacramento Municipal Utility District - WECC - Segments 1, 3, 4, 5, 6

- 0 - 0

Patricia Lynch, 12/5/2016

- 0 - 0

adopt PSEG comments

Tim Kucey, PSEG - PSEG Fossil LLC, 5, 12/5/2016

- 0 - 0

1) A Responsible Entity should be able to develop its own approach based on its unique electronic access control implementation methodology.

2) The technical controls are helpful guidance, but the requirements should not require a list of low impact BES Cyber Assets.

ACES Standards Collaborators, Segment(s) 1, 5, 3, 6, 4, 12/5/2016

- 0 - 0

Under the Dial-up Connectivity section, Reclamation recommends the first paragraph be changed to:

“Dial‐up Connectivity to a low impact BES Cyber System may be authenticated using one or more of the following access control methods:

  1. The modem allowing access to a low impact BES Cyber System is configured to dial out only (no auto‐answer) to a preprogrammed number to deliver data,

  2. The modem allowing access to a low impact BES Cyber System is configured as a dialback modem,

  3. The modem allowing access to a low impact BES Cyber System is enabled or powered up by on-site personnel only when needed, and disabled when not in use.

  4. The modem allowing access to a low impact BES Cyber System is enabled or powered up remotely from a Control Center or control room only when needed, and disabled when not in use.

  5. The modem allowing access to a low impact BES Cyber System is configured for auto-answer, but the communications are encrypted, protecting Cyber Assets from unauthorized control within the low impact BES Cyber System. 

  6. The low impact BES Cyber System is configured with access control when accessed using Dial-up Connectivity.”

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, WECC, Segments 1, 5

- 0 - 0

- 0 - 0

We believe that “the GTB provides support for the technical merit of the requirement [R2] and provides example diagrams that illustrate various electronic access controls at a conceptual level.” However, we are concerned with the impact that the recent Guidelines and Technical Basis Disclaimer (shared with the Standards Committee on 10/19/16) may have on the use of the GTB. In particular, the sentence that says “the ERO neither endorses nor approves the Supplemental Material as part of the Reliability Standards development process.” We also understand that at the November MRC meeting NERC Staff and the Standards Committee leadership agreed to work together on a way forward on the GTB that affords deference.  EEI encourages NERC and the Standards Committee leadership to work to provide GTB deference as soon as practicable.        

Laurie Williams, PNM Resources - Public Service Company of New Mexico, 1, 12/5/2016

- 0 - 0

Southern Company agrees that “the GTB provides support for the technical merit of the requirement [R2] and provides example diagrams that illustrate various electronic access controls at a conceptual level.” However, Southern Company joins EEI in expressing concern with the impact that the recent Guidelines and Technical Basis Disclaimer (shared with the Standards Committee on 10/19/16) may have on the use of the GTB. In particular, the sentence that says “the ERO neither endorses nor approves the Supplemental Material as part of the Reliability Standards development process.”  Southern Company joins EEI to encourage NERC and the Standards Committee leadership to work to provide GTB deference as soon as practicable.


Page 42 of 65, Reference Model 3: “The Responsible Entity may choose to utilize a security device at a centralized location that may or may not be another asset containing low impact BES Cyber System(s).”

SOCO Comment:  It appears this statement should read “… that may or may not be at another asset containing low impact BES Cyber System(s).”  The word “at” appears to be missing in this statement.


Page 42 of 65, Reference Model 3:  “Care should be taken that electronic access to or between each asset is through the electronic access controls at the centralized location.”

SOCO Comment: Consider the following edits to this statement: “Care should be taken that electronic access to or between each asset is through the Cyber Asset(s) determined by the Responsible Entity to be performing/providing electronic access controls at the centralized location.”


Page 43 of 65, Reference Model 4:  Was the term “bi-directional” intentionally struck from the requirement language?  This seems to cause issues in Reference Model 4 – Uni-directional Gateway.  As the modifications to the Standard are read now, inbound OR outbound communications to assets containing Low Impact BES Cyber Systems require protections; Section 3, 3.1 Part ii – “using a routable protocol when entering OR leaving the asset.”  Therefore, the uni-directional gateway allowing routable communications only to flow outside of the asset containing Lows would still require protections.


Southern Company, Segment(s) 1, 3, 5, 6, 8/3/2016

- 0 - 0

Hot Answers

The CIP-003-6 plan for Requirement R1, part 1.2 is due April 1, 2017, which depends on the use of LERC and LEAP, which the Commission has ordered NERC to modify. The CIP-003-7 modifications remove the use of LERC and LEAP terms. Although we agree with the modifications, we do not believe that these modifications can be made and approved by the Commission by this date, which will require Responsible Entities to comply with two versions of CIP-003 – first by April 1, 2017 for R1, part 1.2 and then a second, version 7, once the Commission approves the modifications. We urge that NERC and FERC consider this implementation impact on Requirement R1 and recommend that the SDT consider replacing the effective date of Requirement R1, part 1.2, subpart 1.2.3 with the effective date of CIP-003-7.

Michael Mertz, 12/5/2016

- 0 - 0

The SPP Standards Review Group requests delaying the specification of an effective date until the SDT has resolved any issues within the standard.

SPP Standards Review Group, Segment(s) , 12/5/2016

- 0 - 0

Other Answers

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 11/10/2016

- 0 - 0

- 0 - 0

OPG is in the process of surveying all of its Low Impact Rating BES assets to determine where there is communication between the asset or a Low Impact BES Cyber Asset within the asset with an external Cyber Asset. If the communication is using a routable protocol then the appropriate electronic security controls are being selected and installed to permit only necessary inbound and outbound electronic access.

David Ramkalawan, 11/17/2016

- 0 - 0

faranak sarbaz, Los Angeles Department of Water and Power, 1, 11/18/2016

- 0 - 0

Mark Riley, Associated Electric Cooperative, Inc., 1, 11/22/2016

- 0 - 0

Jeff Johnson, On Behalf of: Sempra - San Diego Gas and Electric - WECC - Segments 4

- 0 - 0

For the implementation plan which is 12 months,  Dominion recommends an 18 month implementation period for the following reasons:

  • Time is needed for entities to assess and confirm indirect access as an acceptable access control. 

  • New environments may be in scope. 

  • While this revision approach is more consistent with the currently approved CIP version 6 requirements, the revisions necessitate that entities conduct an impact assessment to determine what changes the revisions create and what is currently in place from the assessments performed for CIP version 6 implementation.

  • Revision iterations always require some time to assess and verify points of change.

Sean Bodkin, Dominion - Dominion Resources, Inc., 6, 11/30/2016

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 11/30/2016

- 0 - 0

Blair Mukanik, Manitoba Hydro , 6, 12/1/2016

- 0 - 0

Yuguang Xiao, Manitoba Hydro , 5, 12/1/2016

- 0 - 0

BPA supports this timeline. Site inventories and the work to develop scope for new programs to meet the standard requirements will require time to approve, develop and implement a sustainable compliance program.

Ryan Buss, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Maryclaire Yatsko, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 0 - 0

Procurement, design, installation, and configuration of electronic access controls.

- 0 - 0

- 0 - 0

Process development and implementation of Low BCS electronic access controls has been significantly delayed and remains contingent upon requirements finalization.  Propose allowance of a minimum of 24 months from FERC approval date to compliance date for CIP-003-7 R2, Attachment 1 Sections 2 and 3.

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 9/1/2016

- 0 - 0

Ginette Lacasse, On Behalf of: Seattle City Light, WECC, Segments 1, 3, 4, 5, 6

- 0 - 0

Christopher Chavez, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Philip Huff, 12/5/2016

- 0 - 0

AECC supports the comments submitted by NRECA.

Philip Huff, 12/5/2016

- 0 - 0

Andrew Pusztai, 12/5/2016

- 0 - 0

None

Daniel Gacek, Exelon, 1, 12/5/2016

- 0 - 0

The CIP requirements for low impact BES Cyber Systems are currently in flux and entities will not have certainty regarding low impact requirements until they are approved by the Commission.  In addition, the sheer number of assets containing low impact BES Cyber Systems is substantial.  It will take entities time to implement proper physical and electronic access controls at all the various locations.  CenterPoint Energy believes it is reasonable to request additional time to implement the requirements given that the facilities are low risk to the reliability of the BES.  CenterPoint Energy recommends the effective date for CIP-003-7 revisions to be delayed 18 months after FERC approval.

Additionally, CenterPoint Energy agrees with EEI’s comments to align the implementation date of CIP-003-6 R1, Part 1.2.2 and 1.2.3 (cyber security policies) with the effective date of the LERC changes to Attachment 1, Section 2 and Section 3 (cyber security plans).  Although CenterPoint Energy supports the retirement of the LERC/LEAP terms in CIP-003-7, the LERC/LEAP terms are still used in the currently approved CIP-003-6 requirements that are effective April 1, 2017.  Therefore, entities will need to comply with two versions of the CIP-003 standard between April 1, 2017 and the effective date of version 7.  This could cause entities substantial rework and resource constraints because what is being implemented is a moving target.   It will be more efficient and effective for entities to implement one version of the standard and align their cyber security policies with the cyber security plans for requirement CIP-003-7, Attachment 1, Section 2 and Section 3.

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

Due to budget cycles and quantity of equipment that must be installed, we propose keeping the language included in the “General Consideration” section but extend the interval from 12 months to 18 months.

Roger Dufresne, 12/5/2016

- 0 - 0

Wesley Maurer, 12/5/2016

- 0 - 0

Did the SDT intend to modify the enforceability of CIP-003-6 via this Implementation Plan? If so, FMPA recommends the addition in bold to the language below.

“The Responsible Entity shall not be required to include in its cyber security plan(s) elements related to Sections 2 and 3 of CIP-003-6 Attachment 1 until the effective date of CIP-003-7.”

FMPA, Segment(s) , 12/5/2016

- 0 - 0

The CIP-003-6 plan for Requirement R1, part 1.2 is due April 1, 2017, which depends on the use of LERC and LEAP, which the Commission has ordered NERC to modify. The CIP-003-7 modifications remove the use of the LERC and LEAP terms.  Although we agree with the modifications, we do not believe that these modifications can be made and approved by the Commission by this date, which will require Responsible Entities to comply with two versions of CIP-003 – first by April 1, 2017 for R1, part 1.2 and then a second, version 7, once the Commission approves the modifications. We urge that NERC and FERC consider this implementation impact on Requirement R1 and recommend that the SDT consider replacing the effective date of Requirement R1, part 1.2, subpart 1.2.3 with the effective date of CIP-003-7.   

Melanie Seader, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

The PSCW abstains.

Alexander Vedvik, On Behalf of: Alexander Vedvik, , Segments 9

- 0 - 0

I agree with the comments from NRECA

Ronnie Frizzell, 12/5/2016

- 0 - 0

Due to budget cycles and quantity of equipment that must be installed, we propose keeping the language included in the “General Consideration” section but extend the interval from 12 months to 18 months.

David Rivera, New York Power Authority, 3, 12/5/2016

- 0 - 0

PSEG agrees with the EEI comments.

PSEG, Segment(s) 5, 6, 3, 1, 12/2/2016

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 12/5/2016

- 0 - 0

David Greyerbiehl, CMS Energy - Consumers Energy Company, 5, 12/5/2016

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 12/5/2016

- 0 - 0

NRECA appreciates the efforts of the SDT to address the comments from the previous draft.  However, we believe that 12 months is not an adequate amount of time to complete the implementation of these revised requirements.  Through the inclusion of indirect communications now being required to meet the security objective of implementing electronic access controls that permit only necessary inbound and outbound access, the SDT has substantially increased the evidentiary burden to document the controls implemented for this use case.  Given the large volume of assets at low impact, 12 months is not long enough to properly implement this revised control.  We understand that the SDT has extended its planned implementation plan for Transient Cyber Assets at low impact to 18 months and believe that the implementation timeline for the LERC requirements should also be adjusted to 18 months.  This will allow sufficient time for LERC implementation and allow for operational efficiencies to occur by implementing the LERC requirements and the TCA requirements concurrently.

Barry Lawson, National Rural Electric Cooperative Association, 4, 12/5/2016

- 0 - 0

Revising standards and then expecting the industry to change directions and then comply with the requirements in the same amount of time is not a feasible approach.  Although the depth of requirements associated with Low Impact BCS is less compared to the High and Medium BCS, the breadth of what it will encompass is much greater.  Entities have had to halt or slow the progress on their approach considering the changes to LERC, which is a major component of CIP-003.  As these sections of CIP-003 had a later implementation due to their newness and scope, and now there are major changes to how they will be approached, there is no reason why the implementation schedule can’t be moved by at least 6 to 12 months, which will be the amount of time from when the standards went into effect (7/1/2016) and when FERC hopefully approves them (2nd or 3rd Qtr of 2017).  I would propose the implementation date be the later of either April 1, 2019 or July 1, 2019 or 12 months from the date of approval.

Laura Nelson, IDACORP - Idaho Power Company, 1, 12/5/2016

- 0 - 0

Brian Evans-Mongeon, Utility Services, Inc., 4, 12/5/2016

- 0 - 0

We suggest extending the proposed implementation time-period for electronic and physical access controls by revising the wording to: "later of April 1, 2019 or the first day of ......".   The transition to CIP Version 5/6 utilized significant entity resources during the past two years.  Given that Low Impact BES Cyber Systems pose a lower risk to system reliability (by definition), we submit that allowing additional time is reasonable and would allow entities time to better integrate this work with other priorities.   

Payam Farahbakhsh, Hydro One Networks, Inc., 1, 12/5/2016

- 0 - 0

Paul Malozewski, Hydro One Networks, Inc., 3, 12/5/2016

- 0 - 0

Comments: We align with Edison Electric Institute’s (EEI) comments, stating:

The CIP-003-6 plan for Requirement R1, part 1.2 is due April 1, 2017, which depends on the use of LERC and LEAP, which the Commission has ordered NERC to modify. The CIP-003-7 modifications remove the use of LERC and LEAP terms.  Although we agree with the modifications, we do not believe that these modifications can be made and approved by the Commission by this date, which will require Responsible Entities to comply with two versions of CIP-003 – first by April 1, 2017 for R1, part 1.2 and then a second, version 7, once the Commission approves the modifications. We urge that NERC and FERC consider this implementation impact on Requirement R1 and recommend that the SDT consider replacing the effective date of Requirement R1, part 1.2, subpart 1.2.3 with the effective date of CIP-003-7.  

Jamie Monette, Allete - Minnesota Power, Inc., 1, 12/5/2016

- 0 - 0

See EEI comments

Thomas Breene, WEC Energy Group, Inc., 3, 12/5/2016

- 0 - 0

David Gordon, 12/5/2016

- 0 - 0

We align with Edison Electric Institute’s (EEI) comments, stating:

The CIP-003-6 plan for Requirement R1, part 1.2 is due April 1, 2017, which depends on the use of LERC and LEAP, which the Commission has ordered NERC to modify. The CIP-003-7 modifications remove the use of LERC and LEAP terms.  Although we agree with the modifications, we do not believe that these modifications can be made and approved by the Commission by this date, which will require Responsible Entities to comply with two versions of CIP-003 – first by April 1, 2017 for R1, part 1.2 and then a second, version 7, once the Commission approves the modifications. We urge that NERC and FERC consider this implementation impact on Requirement R1 and recommend that the SDT consider replacing the effective date of Requirement R1, part 1.2, subpart 1.2.3 with the effective date of CIP-003-7.  

Jamie Monette, Allete - Minnesota Power, Inc., 1, 12/5/2016

- 0 - 0

Sarah Gasienica, 12/5/2016

- 0 - 0

While we appreciate the increase of over 9 months included in the original posting, we believe that 12 months is insufficient for the successful implementation of these requirements.  Through the inclusion of indirect communications now being required to meet the security objective of implementing electronic access controls that permit only necessary inbound and outbound access, the SDT has substantially increased the evidentiary burden to document the controls implemented for this use case.  Given the large volume of assets at low impact, 12 months is not long enough to properly implement this revised control. 

We understand that the SDT has extended its planned implementation plan for Transient Cyber Assets at low impact to 18 months and believe that the implementation timeline for the LERC requirements should also be adjusted to 18 months.  This will allow sufficient time for LERC implementation and allow for operational efficiencies to occur by implementing the LERC requirements and the TCA requirements concurrently.

- 0 - 0

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Duke Energy does not disagree with the proposed Implementation Plan. The changes proposed will prompt entities to go back and review their planning and implementation for CIP-003-6, and revise accordingly. The extra time to review and potentially change operating processes and plans is necessary.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

Texas RE respectfully requests the SDT provide a basis for its decision to adopt a 12-month compliance window, including any data it considered in determining that this was an appropriate window for affected entities to meet their compliance obligations under the revised Standards. 

 

Texas RE requests the revised implementation plan clarify Section 4, 4.5, the testing of the Cyber Security Incident response plan(s). There is confusion amongst the Industry on whether the plan must be tested on or before April 1, 2017, or 36 calendar months after the effective date.

Rachel Coyne, Texas Reliability Entity, Inc., 10, 12/5/2016

- 0 - 0

  1. The implementation plan should not occur until 2019.  We do not support the proposed target date of September 1, 2018, because there are several other requirements that already will go into effect on this date.  The burden of compliance with this proposal would add significant resources and costs with implementing these low impact security measures, especially for smaller entities. 

  2. The implementation plan should allow for an additional budgeting cycle to ensure industry has time to implement such controls.

- 0 - 0

Due to budget cycles and quantity of equipment that must be installed, we propose keeping the language included in the “General Consideration” section but extend the interval from 12 months to 18 months.

RSC no Dominion, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 12/5/2016

- 0 - 0

Twelve months is insufficient time to react to the extremely large number of assets containing low impact BES Cyber Systems.  AEP has almost 2000.  This is only the first of several potential revisions to CIP-003 necessary to completely address FERC Order 829??.  Two years is probably needed to fully comply with this, the first of several revisions to CIP-003.  The hope is that twelve months will accommodate all the revisions of CIP-003 resulting from the Order.  This is consistent with the original allowance in the CIP-003-5 implementation plan that was approved.  Let's do it once.

Michael DeLoach, 12/5/2016

- 0 - 0

Joe Tarantino, On Behalf of: Sacramento Municipal Utility District - WECC - Segments 1, 3, 4, 5, 6

- 0 - 0

Patricia Lynch, 12/5/2016

- 0 - 0

Adopt PSEG comments.

Tim Kucey, PSEG - PSEG Fossil LLC, 5, 12/5/2016

- 0 - 0

1)      The implementation plan should not occur until 2019.  We do not support the proposed target date of September 1, 2018, because there are several other requirements that already will go into effect on this date.  The burden of compliance with this proposal would add significant resources and costs with implementing these low impact security measures, especially for smaller entities. 

2)      The implementation plan should allow for an additional budgeting cycle to ensure industry has time to implement such controls.

ACES Standards Collaborators, Segment(s) 1, 5, 3, 6, 4, 12/5/2016

- 0 - 0

Reclamation recommends a more achievable implementation plan of 24 months from the date of FERC approval.

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, WECC, Segments 1, 5

- 0 - 0

The CIP-003-6 plan for Requirement R1, part 1.2 is due April 1, 2017, which depends on the use of LERC and LEAP, which the Commission has ordered NERC to modify. The CIP-003-7 modifications remove the use of LERC and LEAP terms.  Although we agree with the modifications, we do not believe that these modifications can be made and approved by the Commission by this date, which will require Responsible Entities to comply with two versions of CIP-003 – first by April 1, 2017 for R1, part 1.2 and then a second, version 7, once the Commission approves the modifications. We urge that NERC and FERC consider this implementation impact on Requirement R1 and recommend that the SDT consider replacing the effective date of Requirement R1, part 1.2, subpart 1.2.3 with the effective date of CIP-003-7.

- 0 - 0

The CIP-003-6 plan for Requirement R1, part 1.2 is due April 1, 2017, which depends on the use of LERC and LEAP, which the Commission has ordered NERC to modify. The CIP-003-7 modifications remove the use of LERC and LEAP terms.  Although we agree with the modifications, we do not believe that these modifications can be made and approved by the Commission by this date, which will require Responsible Entities to comply with two versions of CIP-003 – first by April 1, 2017 for R1, part 1.2 and then a second, version 7, once the Commission approves the modifications. We urge that NERC and FERC consider this implementation impact on Requirement R1 and recommend that the SDT consider replacing the effective date of Requirement R1, part 1.2, subpart 1.2.3 with the effective date of CIP-003-7.  

Laurie Williams, PNM Resources - Public Service Company of New Mexico, 1, 12/5/2016

- 0 - 0

Although Southern Company agrees with the proposed modifications, as noted by EEI, Southern Company does not find that these modifications can be made and approved by the Commission by the required date, which will require Responsible Entities to comply with two versions of CIP-003 – first by April 1, 2017 for R1, part 1.2 and then a second, version 7, once the Commission approves the modifications. Southern Company joins EEI in urging that NERC and FERC consider this implementation impact on Requirement R1 and recommends that the SDT consider replacing the effective date of Requirement R1, part 1.2, subpart 1.2.3 with the effective date of CIP-003-7.      

Southern Company, Segment(s) 1, 3, 5, 6, 8/3/2016

- 0 - 0

Hot Answers

Michael Mertz, 12/5/2016

- 0 - 0

SPP Standards Review Group, Segment(s) , 12/5/2016

- 0 - 0

Other Answers

Thank you for retiring this definition.

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 11/10/2016

- 0 - 0

ITC Holdings does not agree with changing the ‘Guidelines and Technical Basis’ (GTB) document to ‘Supplemental Material’. Changing the name of the document does not solve any of the issues regarding whether or not regions will uphold it – it only causes more confusion. The ballot body approves the GTB as part of the standard and it should be agreed to by all regions to ensure there is consistency in how the GTB is treated.

- 0 - 0

David Ramkalawan, 11/17/2016

- 0 - 0

faranak sarbaz, Los Angeles Department of Water and Power, 1, 11/18/2016

- 0 - 0

Mark Riley, Associated Electric Cooperative, Inc., 1, 11/22/2016

- 0 - 0

No comments at this time.

Jeff Johnson, On Behalf of: Sempra - San Diego Gas and Electric - WECC - Segments 4

- 0 - 0

Dominion requests that NERC petition FERC to delay and/or cancel CIP-003-6 (in a similar manner to version 4) until the currently approved CIP version is superseded by CIP version 7.  Requiring Registered Entities to identify and document LERCs and LEAPs only to remove those requirements is an unreasonable burden and does not contribute to the reliable operation of the BES.

Sean Bodkin, Dominion - Dominion Resources, Inc., 6, 11/30/2016

- 0 - 0

Steven Rueckert, Western Electricity Coordinating Council, 10, 11/30/2016

- 0 - 0

Blair Mukanik, Manitoba Hydro , 6, 12/1/2016

- 0 - 0

Yuguang Xiao, Manitoba Hydro , 5, 12/1/2016

- 0 - 0

Ryan Buss, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Seminole appreciates the Standard Development Team’s work on this requirement, especially the efforts to make this a non-prescriptive risk based security standard.   While Seminole currently supports the Guidelines and Technical Basis section related to the diagrams, there are additional issues to address and, therefore, Seminole is voting no on the current ballot.

The term asset is an undefined term.  This term is a core component of the requirement.  Without a definition or guidance within the document clarifying the intent of the term asset, it is likely that in certain cases audit teams and entities will interpret this term differently.  Elimination of the phrase asset boundary reduces but does not eliminate this concern.  The term asset should be addressed with a section in the Guidelines and Technical Basis.  For example, it should be clarified whether the term asset refers to the entire location, the components within the location that contains a BES Cyber System, or to Cyber Assets and other Facilities, systems, and equipment within that location “owned by each Responsible Entity in Section 4.1” (CIP-003 section 4.2 - Applicability).   However, any changes should be carefully considered with respect to CIP-002-5.1.

Seminole continues to have concerns that assets with multiple entities having Cyber Assets in a single location is not adequately addressed.  This is a particularly important topic in the FRCC region due to the high number of Transmission Operators that are interconnected in a small region.  It is common that shared facilities such as substations with interconnections and substations owned by Distribution Providers to have multiple entities with Cyber Assets within a single control house.  While the currently recommended approach is a Memorandum of Understanding, this approach leaves multiple entities at risk of a violation if the asset owner fails to provide appropriate physical security.   Seminole recommends language similar to the following be placed in the Guidelines and Technical Basis section of the Standard to clarify the role of the Memorandum of Understanding:

“In cases where multiple entities have Cyber Assets located in a common location, and the security is provided by one entity, a signed and dated agreement such as a Memorandum of Understanding between the Cyber Asset(s) owner and the entity providing physical security sufficiently documents the specific party responsible for meeting physical security requirements.”

Maryclaire Yatsko, On Behalf of: Seminole Electric Cooperative, Inc., FRCC, Segments 1, 3, 4, 5, 6

- 1 - 0

- 0 - 0

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 9/1/2016

- 0 - 0

Seattle has one additional concern, that the approach to routable connectivity expressed in the present draft does not address the issue of mixed communications paths involving both routable and non-routable communications. As written, it appears that so long as a non-routable communications segment crosses the border of the BES asset containing the Low impact BES Cyber System, the entire system is judged to communicate non-routably. Although this is a simple and clear approach, it seems to conflict with the more nuanced approaches urged over the years since 2009 by FERC and regional regulators regarding the differentiation between external routable communications and non-routable communications. Seattle understands that another group from the CIP v7 Drafting Team is developing a revised approach to External Routable Connectivity that considers the nuances of mixed communications modes. As such, Seattle is concerned that when that effort is complete, CIP-003-7 R2 Attachment 1 Item 3.1 will require revision (again) to reflect that change—and it will come after entities have implemented their communications controls for their Low assets. Seattle urges that the two efforts be aligned to minimize the chance of such a change and the attendant additional effort and expense that may be required to change, again, compliance programs, documentation, and actual field communication installations.

Ginette Lacasse, On Behalf of: Seattle City Light, WECC, Segments 1, 3, 4, 5, 6

- 0 - 0

Christopher Chavez, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

Philip Huff, 12/5/2016

- 0 - 0

Philip Huff, 12/5/2016

- 0 - 0

Andrew Pusztai, 12/5/2016

- 0 - 0

Reference Model 8: The term “air gap” may not be universally understood and goes undefined in the standard.  A pure reading of air gap is that there is no connectivity at all to the device.  However, in a substation it is common to have contact-oriented connections; while not serial or Ethernet, there is still a cable connected and therefore not a pure “air gap.”  Exelon recommends replacing the use of “air gap” with “physical isolation from routable protocol” or using a red circle to depict no communication as in Reference Model 3 to be consistent with the title and text of Reference Model 8.

Daniel Gacek, Exelon, 1, 12/5/2016

- 0 - 0

CenterPoint Energy is in favor of filing the TCA modifications and implementation plan with the LERC modifications, if possible. 

Lan Nguyen, On Behalf of: CenterPoint Energy Houston Electric, LLC, Texas RE, Segments 1

- 0 - 0

None.

 

Roger Dufresne, 12/5/2016

- 0 - 0

Wesley Maurer, 12/5/2016

- 0 - 0

FMPA, Segment(s) , 12/5/2016

- 0 - 0

Melanie Seader, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Alexander Vedvik, On Behalf of: Alexander Vedvik, , Segments 9

- 0 - 0

Ronnie Frizzell, 12/5/2016

- 0 - 0

None.

David Rivera, New York Power Authority, 3, 12/5/2016

- 0 - 0

PSEG, Segment(s) 5, 6, 3, 1, 12/2/2016

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 12/5/2016

- 0 - 0

David Greyerbiehl, CMS Energy - Consumers Energy Company, 5, 12/5/2016

- 0 - 0

Nicholas Lauriat, Network and Security Technologies, 1, 12/5/2016

- 0 - 0

Barry Lawson, National Rural Electric Cooperative Association, 4, 12/5/2016

- 0 - 0

Based on our understanding from reading the requirements, removing the terms LERC and LEAP doesn't remove the efforts required to implement and maintain low impact systems.

Laura Nelson, IDACORP - Idaho Power Company, 1, 12/5/2016

- 0 - 0

CIP Exceptional Circumstances has not been included within CIP-003-7 as drafted. CIP exceptional circumstances should be included as a provision for Low Impact Entities and therefore considered in this standard.

Brian Evans-Mongeon, Utility Services, Inc., 4, 12/5/2016

- 0 - 0

Payam Farahbakhsh, Hydro One Networks, Inc., 1, 12/5/2016

- 0 - 0

Paul Malozewski, Hydro One Networks, Inc., 3, 12/5/2016

- 0 - 0

The intent of these revisions is understood, and they are an improvement for cyber security around BES Cyber Assets. Minnesota Power has concerns surrounding the lack of clarity as to how Registered Entities will comply with the Standard. The CIP Standards family has become more prescriptive over time (specifically the auditing approach by the Regional Entities); this Standard seems to be moving in a different direction, becoming less prescriptive and open. Though this approach is appreciated, NERC must provide clear guidance to the regional entities for auditing, in a consistent manner, to the Standard’s intentions.

Jamie Monette, Allete - Minnesota Power, Inc., 1, 12/5/2016

- 0 - 0

Thomas Breene, WEC Energy Group, Inc., 3, 12/5/2016

- 0 - 0

David Gordon, 12/5/2016

- 0 - 0

The intent of these revisions is understood, and they are an improvement for cyber security around BES Cyber Assets. Minnesota Power has concerns surrounding the lack of clarity as to how Registered Entities will comply with the Standard. The CIP Standards family has become more prescriptive over time (specifically the auditing approach by the Regional Entities); this Standard seems to be moving in a different direction, becoming less prescriptive and open. Though this approach is appreciated, NERC must provide clear guidance to the regional entities for auditing, in a consistent manner, to the Standard’s intentions.

Jamie Monette, Allete - Minnesota Power, Inc., 1, 12/5/2016

- 0 - 0

Sarah Gasienica, 12/5/2016

- 0 - 0

None at this time.

- 0 - 0

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Sergio Banuelos, On Behalf of: Tri-State G and T Association, Inc., MRO, WECC, Segments 1, 3, 5

- 0 - 0

Rachel Coyne, Texas Reliability Entity, Inc., 10, 12/5/2016

- 0 - 0

We urge the SDT to stagger its posting schedule so different drafts of the CIP standards do not have overlapping deadlines to submit comments.  Industry is currently focused on implementing the existing CIP V5 standards, while also paying attention to the development of these revisions.  There should not be multiple deadlines assigned to this project, as this creates a strain on CIP subject matter experts to review and provide feedback on the proposed changes.

- 0 - 0

None.

RSC no Dominion, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 12/5/2016

- 0 - 0

Michael DeLoach, 12/5/2016

- 0 - 0

Joe Tarantino, On Behalf of: Sacramento Municipal Utility District - WECC - Segments 1, 3, 4, 5, 6

- 0 - 0

No comments.

Patricia Lynch, 12/5/2016

- 0 - 0

Adopt PSEG comments.

Tim Kucey, PSEG - PSEG Fossil LLC, 5, 12/5/2016

- 0 - 0

We urge the SDT to stagger its posting schedule so different drafts of the CIP standards do not have overlapping deadlines to submit comments.  Industry is currently focused on implementing the existing CIP V5 standards, while also paying attention to the development of these revisions.  There should not be multiple deadlines assigned to this project, as this creates a strain on CIP subject matter experts to review and provide feedback on the proposed changes.

We thank you for this opportunity to comment.

ACES Standards Collaborators, Segment(s) 1, 5, 3, 6, 4, 12/5/2016

- 0 - 0

Due to the existing order to enforce CIP-003-6 with the LERC and LEAP definitions, Reclamation recommends skipping the CIP-003-6 enforcement and combining the changes to CIP-003-7 and CIP-003-TCA into CIP-003-7.

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, WECC, Segments 1, 5

- 0 - 0

- 0 - 0

None

Laurie Williams, PNM Resources - Public Service Company of New Mexico, 1, 12/5/2016

- 0 - 0

Southern Company, Segment(s) 1, 3, 5, 6, 8/3/2016

- 0 - 0