
WECC CIP Low Impact Workshop – July 7-8, 2015

Below are Encari’s key takeaways from the WECC CIP Low Impact Workshop in San Ramon, CA on July 7-8, 2015.

  • While CIP-003-5 has been approved by NERC, discussions in this meeting focused on the CIP-003-6 version, which has been submitted for approval.
    • Since CIP-003 R1 is not auditable until April 1, 2017, gaining approval and implementing CIP-003-6 prior to that date is not anticipated to be an issue.
    • To eliminate any confusion, CIP-003-7 was created for tracking purposes only, but language is the same as CIP-003-6. CIP-003-6 has officially been filed, therefore eliminating CIP-003-7.
  • Cyber Security Plans for Low Impact Facilities
    • If your entity has been determined as a medium or high facility, you may utilize the same controls, plans and/or documents for your low impact facilities by specifying in your medium or high Cyber Security Plan that your low impact facilities are utilizing the same plan. A separate Cyber Security Plan is not required for your low impact facilities.
    • In the creation of a Cyber Security Plan for your low impact facilities, only one plan is needed for all low impact facilities combined. A separate Cyber Security Plan is not needed for each individual facility.
    • While official training isn’t a requirement for your low impact facilities, Entities do need to ensure that those requiring access to low impact systems are aware of your Cyber Security Program, as auditors will require evidence as to how you are reinforcing your program.
  • Physical Access Controls for Low Impact Facilities
    • Basic physical controls for your low impact facilities are to be based on need.
      • Physical control perimeters for low impact facilities will not be required, nor will the same level of detail be required for your low impact facilities, as is for your medium or high impact facilities.
        • Entities will be interviewed by auditors to gain an understanding as to how you made the determination of what physical security controls are needed at your low impact facilities.
        • Some examples of potential effective physical controls for low impact facilities include fences, key locks, doors, monitored cameras, etc.
        • Use common sense when determining your physical controls.
          • Example: As indicated in CIP-006, if utilizing monitoring as a control for a low impact facility that is 200 +/- miles away, you should also have a lock on your facility as well in the event that something is detected.
        • Auditors will specifically be looking to see that there is an EFFECTIVE control addressing WHO NEEDS to have access for your low impact facilities.
          • It was suggested that a narrative be created addressing who, at a higher group/role level, needs to have access. There is no need to have a list of specific people requiring access for your low impact facilities.
          • Auditors will be looking for proof that you have given thought to who should be able to access your low impact facilities. It will not be sufficient to indicate that all employees and vendors can have access.  You will need to specify the groups of employees and types of vendors that are allowed access.
          • Do not overthink the physical security controls regarding access for your low impact facilities.
            • Example: If you have a low impact facility with a fence-line, and warehouse workers require access inside the fence-line but don’t require access to your low impact systems, the fence-line is still a sufficient physical control. While the warehouse workers don’t require access to the systems inside the fence-line, their job/role does require access inside the fence-line. Therefore, the fence-line is an adequate control, and you should indicate in your narrative that warehouse workers require access to your low impact facility.
          • There is no need to include who DOES NOT require access to your low impact facilities in your narrative.
  • Electronic Access Controls for Low Impact Facilities
    • LERC before you LEAP
      • The defined terms LERC and LEAP are used for low impact to avoid confusion with the similar terms used for high and medium impact BES Cyber Systems. The technology is the same, but there are two different terms based on level of impact (e.g., LERC = External Routable Connectivity (ERC) / LEAP = Electronic Access Point (EAP)).
      • LERC – Low Impact External Routable Connectivity (direct user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection.)
        • You do not need to establish LERC communication or a LEAP if there is no bi-directional routable protocol communication or Dialup Connectivity present.
        • If you have LERC, then you need to address LEAP.
      • LEAP – Low Impact BES Cyber System Electronic Access Point
        • For any LERC, auditors will want to see configuration files for the LEAP.
  • Compliance assessment memos (CAMs) have officially been rescinded and all information has been handed back to the drafting teams.
  • No TFEs will be allowed for low impact facilities.
  • The term SPS (Special Protection System) will be replaced by RAS (Remedial Action Scheme).
  • There is an initial 24 month implementation period for those that don’t have a CIP program in place, but a 12 month implementation period if your initial (good faith) evaluation determined that you were a low impact facility but a third party determined that you should be a medium impact facility (i.e., 24 month implementation for no CIP program in place / 12 month if a CIP program is in place but it is determined that it should be higher impact).
  • WECC is pushing for a Low Impact Pilot Program with NERC, within the next 1 ½ years, to work out the nuances for low impact facilities.
    • Reach out to WECC if you, as an entity, would like to participate in the program.
    • They may include some mixed impact entities in the Low Impact Pilot Program as well.

The post WECC CIP Low Impact Workshop – July 7-8, 2015 appeared first on Encari LLC.