In anticipation of FERC’s approval of the NERC CIP-002-6 Reliability Standard, several of the NERC regions issued “exemption letters” allowing entities to maintain their Transmission Owner (TO) Control Centers as CIP Low Impact BES Cyber Systems (BCS), instead of Medium Impact BCS.
Is your organization in receipt of this exemption letter? If so, you need to be aware of some new developments that have occurred.
Recently, several Entities have reported that NERC has been issuing letters to rescind those exemptions and is giving entities with Low Impact Control Centers until October 1, 2023 to bring their control centers up to a CIP Medium Impact level.
Background
The currently effective NERC CIP-002 Standard contains a Medium Impact Criterion (2.12) that requires each Control Center or backup Control Center used to perform the functional obligations of the Transmission Operator, not included in the High Impact rating, to be classified at a Medium Impact level. CIP-002-6 was written to clarify which Control Centers were performing the “obligations of the Transmission Operator”, and therefore which entities had Control Centers that could qualify at a Low Impact level due to their ownership of a lessor number of transmission lines. The industry drafted and approved CIP-002-6 which was approved by the NERC Board of Trustees last summer and submitted to FERC for approval.
In February 2021 NERC withdrew the CIP-002-6 approval request in large part due to a recent string of public cybersecurity events. A new NERC Project, 2021-03, CIP-002 Transmission Owner Control Centers (TOCC), was launched a few months ago to address the issue, but likely won’t make its way through the approval process and become effective for several years.
Preparing & Updating Your CIP Program for this Change
Responsible Entities should not underestimate the amount of effort, time and funding required to design and implement a CIP Medium Impact Control Center or backup Control Center and should begin budgeting and planning immediately. Proven Compliance Solutions Inc. (PCS) has assisted multiple clients with upgrading their NERC CIP Mandatory Compliance Programs from Low Impact to Medium Impact and can typically assist a client with completely upgrading their program and controls within 9-12 months. Please reach out to us for a free initial consultation to assist you with planning for this change.
