NERC Standards Development in Action

As we’ve noted in a previous post, the NERC standards development process includes all interested parties and is incredibly transparent. Great examples of the openness of the development process are found in the current Project 2020-03 Supply Chain Low Impact Revisions to standard CIP-003. In this project, the need for a revision of the current standard is widely supported, but the details of certain requirements are potentially problematic. In the past it was not uncommon for standards to make it through the development and approval process only to contain ambiguities and open questions about implementation.

Subject matter experts who are putting in the time and effort to review and comment on these standards under development are becoming quite adept at highlighting issues that, when resolved, will ensure the quality of the final approved standard.
CIP-003-X is currently under development. The points made by the commenters on the latest draft posting are excellent examples of the types of issues that can be highlighted through the open development process.
Attachment 1, Section 6.2 – while the bulk of the draft standard elicits no objections from the commenters, Section 6 of Attachment 1 has drawn significant feedback. It reads as follows:
“R2. Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1.
Section 6 - Vendor remote access: For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement a process to mitigate risks associated with vendor remote access (including interactive and system-to-system access) to low impact BES Cyber Systems that includes:
6.1 Having one or more method(s) for determining vendor remote access sessions;
6.2 Having one or more method(s) for detecting known or suspected malicious communications for both inbound and outbound communications; and
6.3 Having one or more method(s) for disabling vendor remote access.”
The industry has astutely captured the following observations and recommendations:

- Imprecise terms – “…method(s) for detecting known or suspected malicious communications for both inbound and outbound communications.” Issues include the lack of a definition of “malicious communications” and whether “detection” without mitigation is of much value. Some have suggested that communication from entities not included on a whitelist of correspondents would be one way of designating something as potentially malicious.
- Adding the term “Vendor” to the NERC glossary.
- Defining “system-to-system access.”
- Inconsistency with the Standards Authorization Request (SAR) scope.
- Accommodation of legacy system capabilities – inserting the phrase “If technically feasible,” into the Section 6.2 language.
- More stringent requirements: Section 6.2 introduces a higher compliance bar for Low impact sites than for Medium and High impact sites.
It’s early in the posting phases of this revision and as provided in the standards development process, all of these comments will be addressed by the drafting team. It’s encouraging to find so many industry professionals applying their expertise to the devil in the details of this and other standards under development. The process works and is open to all users of the Bulk Electric System.