In some instances, there may be a need to provide entities additional time beyond the reliability standard's effective date to. Nominations for the standard drafting team (SDT) for Project 2014-04 physical security. The intent is to make it increasingly difficult for attackers to take advantage of vendor patch and software. Utilities look to get started with NERC CIP-014-1 physical. Three newly approved CIP reliability standards for. Unfortunately, this also seems to have happened with CIP-014, which faced a three-month deadline. Industry's progress in implementation of CIP-014-02. CIP-014-1 physical security page 2 of 36 transmission planner as critical to the derivation of interconnection reliability operating limits (IROLs) and their associated contingencies. The cons are a shortened patent term and also your prior arguments and statements made in the parent application/patent can and will be used against you to narrowly interpret the claim language in a patent maturing from the subsequent continuation-in-part application.
Shooting for over 19 minutes, the attackers destroyed, damaged. The IESO recommends a phased implementation with defined milestones similar to CIP-014. A major transmission substation in central California was attacked on April 16, 20. Perhaps subtle, it represents a significant shift to focus on an outcome rather than specific and defined measures. But utilities are learning it could do more to enhance substation physical security.
NERC's CIP-014 standards have been promulgated recently, and bulk power asset owners have largely begun enhancing physical security under the standard over the last two years. CIP-014-2 purpose 4 Western Electricity Coordinating Council it's about physical security. A timeline for executing the physical security enhancements and modifications specified in the physical security plan. Evaluate the requirements of CIP-014-2 in relation to substation security systems 3. For one thing, we don't know the CIP-014 timeline since FERC hasn't approved it yet. I'll elaborate this more in a post soon on CIP-014, as well as in my next post on CIP 0. Timelines NERC CIP standards subject to future enforcement overview. The date, following the effective date of the reliability standard, upon which implementation of a specific requirement or part is first required, as specified in the implementation plan for the reliability standard. Visit our site to request a demo of our NERC CIP compliance software. Better understand what the CIP-014-2 regulations are, why they're happening, and their impending impact on u. The pro for filing a continuation-in-part application is lower downstream costs.
Scope of security plans security measures and response timeline for implementation of security measures. NERC critical infrastructure protection (CIP) boot camp. Critical infrastructure protection (CIP) standards subject to future enforcement CIP standards filed and pending. In addition to the reliability standard, there is an applicable implementation plan available on the NERC web site. In October, I wrote a post pointing out that, even though the likely implementation date for CIP 0, the new supply chain security management standard, was more than two years away, there were good reasons to at. CIP-014-3 physical security new version related to updates to FAC and PRC standards.
Securewatch for CIP-014 assessment process to meet every single requirement under R4 generates evidence reports with the list of threats and vulnerabilities identified. More importantly, CIP-014 isn't part of the CIP cyber security standards just like the old CIP-001, which addressed sabotage reporting. These standards are numbered CIP-002 through CIP-014. CIP-014-2 physical security standard development timeline this section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Unlike most CIP standards, CIP-014-2 is objective based, rather than prescriptive in nature. CIP-010, Cyber Security - Configuration Change Management and Vulnerability Assessments, makes it mandatory for an entity to verify where its software originates as well as the integrity of the software it has obtained from its source. Subsequent risk assessments shall be performed according to the timelines specified in CIP-014-2, requirement R1. CIP-014-2 v physical security page 6 of 36 developed within 120 calendar days following the completion of requirement R2 and executed according to the timeline specified in the physical security plans.
NATF cyber security supply chain criteria application guide. Each transmission owner that owns or operates a transmission station, transmission substation, or primary control center identified in requirement R1 and verified according to requirement R2, and each transmission operator notified by a transmission owner according to requirement R3 that the transmission operator's primary control. NERC CIP and OSHA compliance software for the enterprise. There are currently thirteen CIP standards either in effect, awaiting approval by FERC, or under development. The course addresses the role of the Federal Energy Regulatory Commission (FERC), North American Electric Reliability Corporation (NERC), and regional entities, provides multiple.
The full text of CIP-014-2 may be found on the NERC web site. The critical infrastructure protection (CIP) standard for physical security measures (CIP-014-1) from the North American Electric Reliability Corporation (NERC) has been approved by the Federal Energy Regulatory Commission (FERC) and became effective on Jan. This committee, along with its partners, develops and revises CIP standards. The NERC CIP-014 standard is the regulatory result of a significant physical security attack that happened a few years ago. Essentials for NERC critical infrastructure protection empowers students with knowledge of the what and the how of the Version 5/6/7 standards. This five-day boot camp provides a detailed overview of and teaches how to comply with the North American Electric Reliability Corporation critical infrastructure protection (NERC CIP) standards. The purpose of reliability standard CIP-014 is to protect transmission stations and transmission substations, and their associated primary control centers that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or cascading within.
CIP-014 was intended to protect critical electric substations. The result is that both standards are in some way unauditable. Here at ontraxsys we believe that the greatest challenge with CIP-014 is the broad scope that requires expertise outside of the realm of even most experienced transmission operators' normal scope of responsibilities. What data and security plan information will be requested. Implementing a new standard will always pose some level of operational tumult, and CIP-014 will be no exception. The Critical Infrastructure Protection Committee (CIPC): NERC formed the Critical Infrastructure Protection Committee (CIPC) to act as an advisory panel to its board of trustees, CIPC subcommittees, and the Electricity Information Sharing and Analysis Center (E-ISAC). Summary of CIP-014 standard requirements. Requirement one: the first requirement under the CIP-014 standard is for utilities to identify transmission stations, substations and control centers that if rendered inoperable or severely damaged could result in widespread instability, uncontrolled separation or cascading failures within an interconnection. NERC CIP 14 threat assessment Allan Wick RiskWatch YouTube. Carl Herron, principal CIP physical security advisor NERC 2. For creation of the plan, 12 months should be allowed to (1) conduct an impact assessment, (2) identify the approach to be included in the plan, (3) implementation milestones, and (4) implementation schedule. NERC CIP-014 R5 implementation requirements part 6 of.
NATF BES monitoring and control an overview of backup capabilities. CIP-014-1 physical security standard development timeline this section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Reliability standard CIP-014-1 is available on the Commission's eLibrary document. Provisions to evaluate evolving physical threats, and their corresponding security measures, to the transmission stations, transmission substations, or primary control centers. Pros and cons of filing a continuation-in-part application. The initial performance of CIP-014-2, requirements R2 through R6, must be completed according to the. Includes instruction in discrete mathematics, probability and statistics, computer science, managerial science. CIP-010-3 is designed to ensure that software being installed in the BES cyber system is not modified without awareness of software suppliers and is not counterfeit. Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by. A revised SAR was approved by the standards committee on December 9, 2014 to. One of the criteria for what should be covered in the plan in CIP-014 is that there should be a timeline for executing the physical security enhancements and modifications specified in the physical security plan. The initial risk assessment required by CIP-014-2, requirement R1, must be completed on or before the effective date of the standard.
First lesson: I have recently been wondering how CIP 0 will be enforced, since this is a non-prescriptive, objectives-based standard. Preparing for physical security requirements of CIP-014. But there is a big difference between CIP-014 and CIP 0 in this regard. Essentials for NERC critical infrastructure protection. Timelines for implementing security and resiliency measures. Provisions to evaluate evolving physical threats, and their corresponding security measures, to the transmission stations, transmission substations, or primary control center(s). Learn how to meet the many compliance demands of CIP-014-2 with integrated security systems. Compliance based solutions for the bulk electric power industry. Critical Infrastructure Protection Committee (CIPC), Operating Committee (OC), Personnel Certification Governance Committee (PCGC), Planning Committee (PC), Reliability Issues Steering Committee (RISC), Reliability and Security Technical Committee (RSTC), Standards Committee (SC), other. Defining characteristics of assets identified as critical.