On July 19, 2018, the Federal Energy Regulatory Commission (FERC) issued Order No. 848 which directed the North American Reliability Corporation (NERC) “to develop and submit modifications to the NERC Reliability Standards to augment the mandatory reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the BES.” In its Final Rule, FERC included four elements associated with this directive. They are as follows:
1. Responsible entities must report Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s ESP or associated EACMS.
2. Required information in Cyber Security Incident reports should include certain minimum information to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information.
3. Filing deadlines for Cyber Security Incident reports should be established once a compromise or disruption to reliable BES operation, or an attempted compromise or disruption, is identified by a responsible entity.
4. Cyber Security Incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than the Commission, but the reports should also be sent to the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Further, NERC must file an annual, public, and anonymized summary of the reports with the Commission.
NERC’S RESPONSE
In response FERC’s Final Rule, NERC assembled a Standards Drafting Team and initiated Project 2018-02 CIP-008 Modifications to Cyber Security Incident Reporting. Those efforts resulted in FERC’s approval of NERC Reliability Standard CIP-008-6 – Cyber Security – Incident Reporting and Response Planning on June 20, 2019, with an effective date of January 1, 2021.
REVISED DEFINITIONS
The effort also resulted in revisions to the terms “Cyber Security Incident” and “Reportable Cyber Security Incident”. The revised definitions can be found in the NERC Glossary of Terms (currently located on the Pending Enforcement page of the glossary), and are also listed below. The changes/additions to each definition are noted in italics.
Cyber Security Incident:
A malicious act or suspicious event that:
For a high or medium impact BES Cyber System, compromises, or attempts to compromise (1) an Electronic Security Perimeter, (2) a Physical Security Perimeter, or (3) an Electronic Access Control or Monitoring System; or
Disrupts or attempts to disrupt the operation of a BES Cyber System.
Reportable Cyber Security Incident:
A Cyber Security Incident that has compromised or disrupted:
A BES Cyber System that performs one or more reliability tasks of a functional entity;
An Electronic Security Perimeter of a high or medium impact BES Cyber System; or
An Electronic Access Control or Monitoring System of a high or medium impact BES Cyber System.
APPLICABLE SYSTEMS
The Applicable Systems noted in each Requirement Part were updated to include Electronic Access Control or Monitoring Systems (EACMS). The Applicable Systems are now written in the Standard as follows:
High Impact BES Cyber Systems and their associated:
EACMS
Medium Impact BES Cyber Systems and their associated:
EACMS
SUMMARY OF REVISIONS
A summary of the significant revisions to the Standard Requirements are noted below.
Main Focus of the Revisions
The focal points of the revision to the Standard are the addition of criteria associated with an “attempt to compromise” an Applicable System and the notification and reporting protocols.
Requirement R1
Part 1.2.1 New verbiage regarding processes that include criteria to evaluate and define attempts to compromise an Applicable System.
Part 1.2.2 New verbiage regarding determination of an attempt to compromise per criteria from Part 1.2.1.
Part 1.2.3 New verbiage to provide notification per Requirement R4.
Requirement R2
Part 2.2 Verbiage added regarding use of Cyber Security Incidence response plan(s) when responding to a Cyber Security Incidents that attempted to compromise an Applicable System.
Part 2.3 Verbiage added regarding retention of records associated with Cyber Security Incidents that attempted to compromise an Applicable System.
Requirement R4
All Parts New Requirement provides specific details regarding notification and reporting protocols.
IMPLEMENTATION GUIDANCE
NERC has drafted Implementation Guidance that is pending submittal for ERO Enterprise Endorsement. The guidance document contains several tools, examples, and suggested processes for making the proper determinations and accomplishing the tasks set forth in the Requirements.
Proven Compliance Solutions Inc. (PCS) provides a full range of NERC Reliability Standards compliance consulting services. If you need assistance updating your CIP program or processes to reflect the new version of CIP-008 or have any other NERC Reliability Standards compliance needs, please contact Dale Zahn at dzahn@provencompliance.com or at (262) 436-4116. To learn more about PCS and the services we offer, visit our website at www.provencompliance.com.
