Revised Reliability Standard clarifies obligations for electronic access controls at less critical assets and places more focus on risks posed by certain portable electronic devices.

The Federal Energy Regulatory Commission (the Commission) issued a final rule (Order No. 843) on April 19, approving proposed reliability standard CIP-003-7. The currently-effective version of the standard, CIP-003-6, contains the cybersecurity requirements applicable to low impact BES Cyber Systems. The low impact category covers the BES Cyber Systems associated with less critical substations, generators, and other BES facilities. The final rule adopts NERC’s proposed reliability standard CIP-003-7, which revises the existing standard by clarifying a utility’s obligations for implementing electronic access controls for low impact BES Cyber Systems, introduces security requirements for certain portable devices, and requires utilities to have a policy for reliability-related emergencies known as CIP Exceptional Circumstances that involve low impact BES Cyber Systems.

Changes Under CIP-003-7

Once effective, the new standard will require utilities to implement electronic access controls to permit only necessary inbound and outbound access to low impact BES Cyber Systems for certain communications using routable protocols. This change resolves one of the Commission’s prior directives to address the ambiguity surrounding the term “direct” in the definition of Low Impact External Routable Connectivity (LERC). Specifically, the new standard’s requirement that electronic access controls allow only necessary inbound and outbound access for routable communications with low impact BES Cyber Systems, whether direct or indirect, obviates both the need to specify the existence of LERC and the need to implement a Low-Impact BES Cyber System Electronic Access Point (LEAP) for the control of communications into the asset. Accordingly, the final rule adopts NERC’s proposal to retire LERC and LEAP from the NERC Glossary.

The Commission had mulled the idea of directing NERC to modify the standard to provide more objective criteria for assessing compliance with the electronic access controls requirements, but ultimately decided against doing so. Instead, the Commission directed NERC to complete a study to assess the adequacy of the controls implemented by utilities under the new standard.

The new standard also requires utilities to implement plans to protect transient electronic devices. This change is intended to mitigate the risk of malicious code being introduced to low impact BES Cyber Systems by certain portable devices, such as laptops used to perform maintenance activities. Although the transient electronic device plans implemented by utilities must differentiate between assets managed by the utility and those managed by third parties, such as vendors and contractors, the Commission expressed concern that the new standard does not go far enough to mitigate the risks posed by third party devices. The Commission’s main concern is over the lack of an explicit obligation for a utility to mitigate the risk of malicious code that could result from the use of third party transient electronic devices. To address this issue, the final rule directs NERC to modify the standard by including an explicit provision addressing the perceived gap.

The final rule also approved NERC’s proposal to require utilities to implement policies for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. CIP Exceptional Circumstances are a category of emergency situations that involve, for example, a risk of injury or death; a natural disaster; civil unrest; imminent or existing hardware, software, or equipment failures; and cybersecurity incidents requiring emergency assistance. By properly declaring a CIP Exceptional Circumstance in response to such an emergency, utilities are allowed to temporarily waive certain (but not all) CIP reliability standard obligations.

Effective Date and Implementation

The new standard will likely become effective on January 1, 2020, providing utilities with additional time to adopt the physical and electronic access control requirements for low impact BES Cyber Systems.

NERC proposed an 18-month implementation period for CIP-003-7 to allow utilities sufficient time to revise their cybersecurity plans for low impact BES Cyber Systems. But under the existing implementation plan for CIP-003-6, the requirements for physical security controls and electronic access controls for assets containing low impact BES Cyber Systems are scheduled to become enforceable on September 1, 2018. The CIP-003-7 implementation plan delays this obligation. Under that plan, the compliance dates for Sections 2 and 3 of Attachment 1 to CIP-003 (containing the electronic and physical access control requirements) are pushed back until the effective date of the new standard. Thus, the physical and electronic access control requirements for low impact BES Cyber Systems under CIP-003 will not become effective until January 1, 2020.

Note, however, that the implementation date for these requirements may slip even later if there is a significant delay in publishing Order No. 843 in the Federal Register, as that publication sets the basis for the effective date of the standard.