1 / 20

Brent Castagnetto CBRM , CBRA, MABR Manager, Cyber Security Audits & Investigations

Brent Castagnetto CBRM , CBRA, MABR Manager, Cyber Security Audits & Investigations . CIP Version 5 Transition Guidance September 2013 Open-Webinar September 19 th 2013 . Mandatory and Enforceable = V3 .

iram
Download Presentation

Brent Castagnetto CBRM , CBRA, MABR Manager, Cyber Security Audits & Investigations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Brent CastagnettoCBRM, CBRA, MABR Manager, Cyber Security Audits & Investigations CIP Version 5 Transition Guidance September 2013 Open-Webinar September 19th 2013

  2. Mandatory and Enforceable = V3 • The WECC Cyber Security Audit Team will audit to Version 3 of the CIP Standards until such time as: • Version 4 becomes mandatory & enforceable (10/1/14) • FERC provides remand of V4, or approves V5 • NERC provides implementation plan guidance on V3 – V5 transition • There will be opportunity to begin preparing for V5

  3. NERC Version 5 Transition Guidance • On April 18th 2013 FERC issued a NOPR proposing to approve CIP V5 • Some changes were requested & NERC has responded • On September 5th 2013 NERC provided revised guidance related to CIP Version 5 • Transition Period is from 9/5/2013 to V5 mandatory and enforceable date (still unknown)

  4. Version 4 / 5 Update • On 7/18/2013, the “Trade Associations” filed a motion to delay the deadline for complying with V4. • FERC granted a six month extension on V4 to 10/1/2014. • http://elibrary.ferc.gov/idmws/file_list.asp?accession_num=20130812-3014 • http://bit.ly/13ZFLWx

  5. CIP Version 5 Transition Guidance • “Prior to the date of mandatory enforcement of CIP Version 5, a Responsible Entity must continue to comply with the CIP Version 3 Standards (CIP-003-3 through CIP-009-3) during the Transition Period” • An entity may continue to maintain and apply its CIP-002-3 RBAM during the transition period or it may choose one of two options to identify and document Critical Assets in lieu of maintaining a RBAM (R1) and applying (R2) itsCIP-002-3 RBAM.

  6. CIP Version 5 Transition Guidance • On or after April 11th 2013, Registered Entities may choose: • Option 1. Utilize the CIP Version 4 bright-line criteria in its entirety, with the exception of criterion 1.4 (Blackstart Resources) and criterion 1.5 (Cranking Paths),to identify assets subject to the controls in CIP-003-3 through CIP-009-3, or

  7. CIP Version 5 Transition Guidance • On or after September 5th 2013, Registered Entities may choose: • Option 2. Utilize the CIP Version 5 “High” and “Medium” Impact Ratings (see CIP-002-5 -Attachment 1: IRC, pp. 14-16) to identify assets subject to the controls in CIP-003-3 through CIP-009-3

  8. CIP Version 5 Transition Guidance • Things to consider: • Entities choosing option 1 or 2 as a validCritical Asset Identification [CAID] methodology may decide to remove Critical Assets previously identified under a CIP-002-3 RBAM. • CIP Versions 4 and 5 contain requirements for asset identification that permit certain third parties to designate an asset as critical (Reliability Coordinators, Transmission Planners, Planning Coordinators, or Planning Authorities)

  9. CIP Version 5 Transition Guidance • Things to consider: • If option 1 (V4) is selected, be aware of Bright-Line Criteria 1.3, 1.8, 1.9, and 1.10 • If option 2 (V5) is selected, be aware of Impact Rating Criteria 2.3, 2.6 and 2.8

  10. CIP-002-3 R3 • After the application of one of the two options to identify and document a list of Critical Assets, the entity must use the list of Critical Assets and apply its current CIP-002-3 R3 Critical Cyber Asset Identification methodology [CCAID] to document a list of Critical Cyber Assets [CCAs] that are essential to the operation of the Critical Asset and meet one of the qualifying connectivity attributes (R3.1-R3.3). • No change from the current CIP-002-3 R3 process

  11. CIP-002-3 R4 • The CIP Senior Manager must also review and approve the list of Critical Assets and the list of Critical Cyber Assets, even if such lists are null, at least annually (R4). • The only change to R4 is annual review and approval of the RBAM will not be required if the entity has chosen option 1 or 2.

  12. CIP-003-3 through CIP-009-3 • Based on the resultsof the application of the chosen CAID methodology, and subsequent application of the CCAID methodology to the list of Critical Assets, if the entity identifies a list of CCAs, the entity must continue to comply with all of CIP-003-3 through CIP-009-3. • If the list of CCAs is null, the entity must continue to comply with CIP-002-3 R1-R4 (with the changes identified above) and CIP-003-3 R2.

  13. CIP Version 5 Transition Guidance • A Responsible Entity must identify the approach it is using for asset identification as part of its response to a pre-Compliance Audit Survey, a pre-Spot Check data request, or as otherwise requested pursuant to the Compliance Monitoring and Enforcement Program • WECC will request information surrounding your approach in the audit / spot check notices in 2014 • A good practice to meet this data request is to have the CIP Senior Manager sign and date a statement declaring the entity’s choice of CAID methodology.

  14. CIP Version 5 Transition Guidance • Within the Transition Guidance Document there is reference to the CIP Version 5 Study • The study will collect and evaluate data from selected entities regarding implementation of CIP V5 • These results will be shared with industry upon completion of the study

  15. CIP Version 5 Transition Guidance • What is the purpose of Transition Implementation Study? • Determine compliance and enforcement expectations for the Industry during the transition from v3 to v5 • Determine technical challenges or compliance issues that limit the effective compliance to the CIP standards • Improve consistency, transparency and awareness of the newly approved CIP standards

  16. CIP Version 5 Transition Timeline

  17. How will WECC Prepare for V5? • WECC will provide significant outreach beginning at the September CIP-101 and throughout 2014 on the CIP Version 5 audit approach. • Two Day outreach events will be held in various locations around the western interconnection to facilitate in person attendance. • February 5-6 & March 19-20 2014 • Open webinar and CIPUG events will be used to advise WECC entities

  18. References • References used in this presentation • FERC Notice of Proposed Rulemaking (NOPR) on CIP Version 5 • http://www.ferc.gov/whats-new/comm-meet/2013/041813/E-7.pdf • Trade Associations Request • http://bit.ly/13ZFLWx • FERC Notice Granting Extension Of Time • http://elibrary.ferc.gov/idmws/file_list.asp?accession_num=20130812-3014 • NERC V5 Transition Guidance • http://www.nerc.com/pa/comp/Resources/ResourcesDL/Cyber%20Security%20Standards%20Transition%20Guidance%20(Revised).pdf

  19. WECC CIP-002 Subject Matter Experts Dr. Joe Baugh jbaugh@wecc.biz (M) 520.331.6351 (O) 360.567.4061 Bryan Carr bcarr@wecc.biz (O)  801-819-7691 (M)  801-837-8425

  20. Brent Castagnetto CBRM, CBRA, MABR Manager, Cyber Security Audits & Investigations O: 801.819.7627 M: 801.597.7957 bcastagnetto@wecc.biz Questions?

More Related