Attacks and Vulnerabilities
Critical infrastructure
Industries
NERC-CIP
News
Regulation, Standards and Compliance
Utilities: Energy & Power, Water, Waste

NERC seeks approval for proposed reliability standards CIP-004-7, CIP-011-3

September 20, 2021
reliability standards

The North American Electric Reliability Corporation (NERC) has submitted to the Federal Energy Regulatory Commission (FERC) proposed reliability standards CIP-004-7 and CIP-011-3. These recommended reliability standards, sent in a petition seeking the Commission’s approval, address the reliability of the Bulk Electric System (BES) by clarifying the protections required regarding the use of third-party solutions for BES Cyber System Information (BCSI).

Given the importance of BCSI, responsible entities must control access to this information, NERC wrote in its petition to FERC seeking approval of the proposed reliability standards addressing the BES cyber system information access management. BCSI may include but are not limited to, security procedures or security information about BES Cyber Systems, physical access control systems (PACS), and electronic access control or monitoring systems (EACMS) that is not publicly available and could be used to allow unauthorized access or unauthorized distribution; collections of network addresses; and network topology of the BES Cyber System.

The CIP-004-7 deals with cybersecurity personnel and training, to minimize the risk against compromise from individuals accessing BES cyber systems that could lead to misoperation or instability in the BES, by requiring an appropriate level of personnel risk assessment, training, security awareness, and access management in support of protecting BES cyber systems. 

The CIP-011-3 covers cybersecurity information protection that aims to prevent unauthorized access to BCSI by specifying information protection requirements in support of protecting BES cyber systems against compromise that could lead to misoperation or instability in the BES.

NERC also requests that the Commission approve the proposed Reliability Standards “as just, reasonable, not unduly discriminatory, or preferential, and in the public interest.” The agency also sought approval of the associated implementation plan, related violation risk factors (VRFs), and violation severity levels (VSLs), in addition to the retirement of currently effective reliability standards CIP-004-6 and CIP-011-2.

Proposed changes to NERC Reliability Standards CIP-004-7 and CIP-011-3 suggest an increased reliance on cloud-based services for asset owners and cybersecurity stakeholders within the North American power and substation sector. The suggested amendments clarify the requirements expected when using third-party solutions such as cloud services when storing BCSI.

“In currently effective Reliability Standards CIP004-6 and CIP-011-2, Responsible Entities do this by managing access to the ‘designated storage location’ of BCSI, such as an electronic document or physical file room. However, as technology has evolved, third-party services, such as cloud services, have become a viable and safe option for storing BCSI,” NERC said in its petition.

As security stakeholders access data in the cloud, increased focus and guidance must be placed on protections within stakeholder control over third-party data storage and analysis systems, Jaime L. Bussin, director of compliance at DeNexus, wrote in a company blog post

“The proposed Reliability Standards maintain the security objectives supported in previous versions while expanding more flexibility for responsible entities to leverage third-party data storage and analysis systems. This expansion aims to enhance reliability by providing increased options for power and energy entities to leverage third-party data storage and analysis systems in a secure manner,” she added. 

“The protections available for Responsible Entities to secure information in the cloud, for example, depend less on the actual storage location of the information and more on file-level rights and permissions. As a result, the revisions in proposed Reliability Standards CIP-004-7 and CIP-011-3 would allow Responsible Entities to leverage these protections within their control for third-party data storage and analysis systems,” the petition added.

The proposed reliability standard CIP-004-7 includes certain modifications that remove references to ‘designated storage locations’ of BCSI, adds Requirement R6 regarding an access management program to authorize, verify, and revoke provisioned access to BCSI, and other minor clarifications to update the standard. These changes apply to high-impact BES cyber systems, medium-impact BES cyber systems with external routable connectivity; and EACMS and PACS associated with these high and medium BES cyber systems.

Proposed reliability standard CIP-011-3, which pertains to information protection, includes the following modifications that define requirements regarding protecting and securely handling BCSI, and other minor clarifications to update the standard. The proposed reliability standards maintain the security objectives supported in previous versions while providing flexibility for responsible entities to leverage third-party data storage and analysis systems. 

The proposed ‘Implementation Plan’ provides that the proposed reliability standards shall become effective on the first day of the first calendar quarter that is 24 calendar months after the effective date of the Commission’s order approving the proposed reliability standards, NERC said. 

The 24-month period provides responsible entities with time to come into compliance with new and revised requirements, including taking steps to implement electronic technical mechanisms to mitigate the risk of unauthorized access to BCSI when responsible entities elect to use vendor services, establish and/or modify vendor relationships to ensure compliance with the updated CIP-004 and CIP-011, and provide administrative overhead to review their program. 

In July, NERC and the Commission published a joint white paper focusing on the need for continued vigilance around supply chain compromises and incidents affecting the North American electricity industry. The agencies highlighted the lessons learned from recent supply chain compromises and recommended a series of specific cybersecurity mitigation actions to better ensure the security of the BPS.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Building a Culture of Cyber Resilience in Manufacturing (WEF)
WEF playbook addresses cyber resilience in manufacturing and supply chains, provides three guiding principles
DOE, EPA support NSM-22 focused on critical infrastructure security and resilience
DOE, EPA support NSM-22 focused on critical infrastructure security and resilience
White House releases National Security Memorandum on critical infrastructure security and resilience
White House releases National Security Memorandum on critical infrastructure security and resilience
US DHS delivers safety and security guidelines to secure critical infrastructure from AI-related threats
US DHS delivers safety and security guidelines to secure critical infrastructure from AI-related threats
Xage’s Zero Trust Session Collaboration tool delivers remote access, collaboration across industrial frameworks
Xage announces AI-powered analytics and insight capabilities to boost zero trust access and protection
US DHS establishes AI Safety and Security Board to advise on safe deployment in critical infrastructure
US DHS establishes AI Safety and Security Board to advise on safe deployment in critical infrastructure
AI for Energy - Opportunities for a Modern Grid and Clean Energy Economy (DoE)
US DOE rolls out initial assessment report on AI benefits and risks for critical energy infrastructure
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
Claroty’s Team82 details exploitation of classic deserialization vulnerability in Siemens EnMPro line
Claroty’s Team82 details exploitation of classic deserialization vulnerability in Siemens EnMPro line
Microsoft debuts ICSpector framework to enable examining information and configurations of industrial PLCs
Microsoft debuts ICSpector framework to enable examining information and configurations of industrial PLCs