The North American Electric Reliability Corporation (NERC) has submitted to the Federal Energy Regulatory Commission (FERC) proposed reliability standards CIP-004-7 and CIP-011-3. These recommended reliability standards, sent in a petition seeking the Commission’s approval, address the reliability of the Bulk Electric System (BES) by clarifying the protections required regarding the use of third-party solutions for BES Cyber System Information (BCSI).
Given the importance of BCSI, responsible entities must control access to this information, NERC wrote in its petition to FERC seeking approval of the proposed reliability standards governing BES cyber system information access management. BCSI may include, but is not limited to, security procedures or security information about BES Cyber Systems, physical access control systems (PACS), and electronic access control or monitoring systems (EACMS) that is not publicly available and could be used to allow unauthorized access or unauthorized distribution; collections of network addresses; and the network topology of the BES Cyber System.
CIP-004-7 covers cybersecurity personnel and training. It aims to minimize the risk of compromise by individuals accessing BES cyber systems, which could lead to misoperation or instability in the BES, by requiring an appropriate level of personnel risk assessment, training, security awareness, and access management in support of protecting BES cyber systems.
CIP-011-3 covers cybersecurity information protection. It aims to prevent unauthorized access to BCSI by specifying information protection requirements in support of protecting BES cyber systems against compromise that could lead to misoperation or instability in the BES.
NERC also requests that the Commission approve the proposed Reliability Standards “as just, reasonable, not unduly discriminatory, or preferential, and in the public interest.” The agency also sought approval of the associated implementation plan, related violation risk factors (VRFs), and violation severity levels (VSLs), in addition to the retirement of currently effective reliability standards CIP-004-6 and CIP-011-2.
Proposed changes to NERC Reliability Standards CIP-004-7 and CIP-011-3 suggest an increased reliance on cloud-based services for asset owners and cybersecurity stakeholders within the North American power and substation sector. The suggested amendments clarify the requirements expected when using third-party solutions such as cloud services when storing BCSI.
“In currently effective Reliability Standards CIP-004-6 and CIP-011-2, Responsible Entities do this by managing access to the ‘designated storage location’ of BCSI, such as an electronic document or physical file room. However, as technology has evolved, third-party services, such as cloud services, have become a viable and safe option for storing BCSI,” NERC said in its petition.
As security stakeholders access data in the cloud, increased focus and guidance must be placed on protections within stakeholder control over third-party data storage and analysis systems, Jaime L. Bussin, director of compliance at DeNexus, wrote in a company blog post.
“The proposed Reliability Standards maintain the security objectives supported in previous versions while expanding more flexibility for responsible entities to leverage third-party data storage and analysis systems. This expansion aims to enhance reliability by providing increased options for power and energy entities to leverage third-party data storage and analysis systems in a secure manner,” she added.
“The protections available for Responsible Entities to secure information in the cloud, for example, depend less on the actual storage location of the information and more on file-level rights and permissions. As a result, the revisions in proposed Reliability Standards CIP-004-7 and CIP-011-3 would allow Responsible Entities to leverage these protections within their control for third-party data storage and analysis systems,” the petition added.
The proposed reliability standard CIP-004-7 includes modifications that remove references to ‘designated storage locations’ of BCSI, add Requirement R6 establishing an access management program to authorize, verify, and revoke provisioned access to BCSI, and make other minor clarifications to update the standard. These changes apply to high-impact BES cyber systems; medium-impact BES cyber systems with external routable connectivity; and the EACMS and PACS associated with those high- and medium-impact BES cyber systems.
Proposed reliability standard CIP-011-3, which pertains to information protection, includes modifications that define requirements for protecting and securely handling BCSI, along with other minor clarifications to update the standard. The proposed reliability standards maintain the security objectives supported in previous versions while providing flexibility for responsible entities to leverage third-party data storage and analysis systems.
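As an added illustration (not NERC's text or any responsible entity's actual program), the following Python model sketches the R6 pattern described above: each authorization for BCSI access is recorded against a documented need, revoked when no longer required, and the file-level grants exported from a third-party store are periodically verified against the ledger so that grants with no current authorization surface as findings. All principals, repository names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Authorization:
    """One authorization for provisioned access to a BCSI repository (constructed shape)."""
    principal: str            # person or service account
    repository: str           # BCSI store, e.g. a cloud document library
    need: str                 # documented business need for the access
    granted_on: date
    revoked_on: Optional[date] = None


class BcsiAccessProgram:
    """Hypothetical authorize / verify / revoke ledger in the spirit of CIP-004-7 R6."""

    def __init__(self) -> None:
        self._auths = {}  # (principal, repository) -> Authorization

    def authorize(self, principal: str, repository: str, need: str, on: date) -> None:
        if not need.strip():
            raise ValueError("BCSI access must be authorized against a documented need")
        self._auths[(principal, repository)] = Authorization(principal, repository, need, on)

    def revoke(self, principal: str, repository: str, on: date) -> None:
        self._auths[(principal, repository)].revoked_on = on

    def is_authorized(self, principal: str, repository: str, on: date) -> bool:
        a = self._auths.get((principal, repository))
        if a is None or a.granted_on > on:
            return False
        return a.revoked_on is None or a.revoked_on > on

    def verify(self, provisioned: set, on: date) -> dict:
        """Reconcile the grants the repository actually holds (file-level rights exported
        from the third-party service) against the authorization ledger on a given date."""
        unauthorized = sorted(g for g in provisioned if not self.is_authorized(*g, on))
        missing = sorted(k for k in self._auths if self.is_authorized(*k, on) and k not in provisioned)
        return {"unauthorized_grants": unauthorized, "authorized_but_missing": missing}


# Constructed walkthrough: an operator is authorized, a contractor's access is revoked,
# but the grants exported from the cloud store still include the contractor and a
# service account that was never authorized at all.
program = BcsiAccessProgram()
program.authorize("alice", "bcsi-docs", "substation relay settings review", date(2023, 1, 10))
program.authorize("contractor-bob", "bcsi-docs", "network diagram update", date(2023, 2, 1))
program.revoke("contractor-bob", "bcsi-docs", date(2023, 3, 1))
EXPORTED_GRANTS = {("alice", "bcsi-docs"), ("contractor-bob", "bcsi-docs"), ("svc-backup", "bcsi-docs")}
FINDINGS = program.verify(EXPORTED_GRANTS, date(2023, 4, 1))
```

In practice the exported grant list would come from the cloud provider's permission inventory, and each finding in `unauthorized_grants` is a grant to remove or re-authorize.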
The proposed ‘Implementation Plan’ provides that the proposed reliability standards shall become effective on the first day of the first calendar quarter that is 24 calendar months after the effective date of the Commission’s order approving the proposed reliability standards, NERC said.
The 24-month period gives responsible entities time to come into compliance with the new and revised requirements, including implementing electronic technical mechanisms to mitigate the risk of unauthorized access to BCSI where they elect to use vendor services, establishing and/or modifying vendor relationships to ensure compliance with the updated CIP-004 and CIP-011, and covering the administrative overhead of reviewing their program.
In July, NERC and the Commission published a joint white paper focusing on the need for continued vigilance around supply chain compromises and incidents affecting the North American electricity industry. The agencies highlighted the lessons learned from recent supply chain compromises and recommended a series of specific cybersecurity mitigation actions to better ensure the security of the BPS.