Standard CIP-003 is part of the suite of Critical Infrastructure Protection (CIP) cybersecurity standards that require the initial identification and categorization of BES Cyber Systems and the organizational, operational, and procedural controls needed to mitigate risk to those systems. Its purpose is to specify consistent and sustainable security management controls that establish responsibility and accountability for protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).

When the CIP-010-2 requirements for Transient Cyber Assets (TCA) and Removable Media (RM) became effective for high- and medium-impact assets, a significant portion of the electric transmission and generation footprint was left outside the required controls. CIP-003-7 has begun rectifying this gap for low-impact assets; its effective date was January 1, 2020.

It is therefore worth reviewing how companies can align their security procedures and internal compliance program with both the long-standing CIP-010 requirements and the newer CIP-003 requirements.

Applicability and Requirements Overview

Responsible Entities with facilities subject to the standard must implement controls that meet the requirements for high-, medium-, and low-impact BES Cyber Systems. This greatly expands the scope of requirements that had previously applied only to high- and medium-impact BES assets.

The CIP-003-7 requirements affect the implementation of physical and electronic access controls for low-impact BES Cyber Systems. Specifically, the required cyber security policies must include statements covering the following:

  1. Cyber Security Awareness: Each Responsible Entity shall reinforce cyber security practices, which may include associated physical security practices.
  2. Physical Security Controls: Each Responsible Entity shall control physical access based on need, as determined by the Responsible Entity.
  3. Electronic Access Controls: Each Responsible Entity shall implement electronic access controls that permit only necessary inbound and outbound electronic access.
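As an added illustration of the electronic access control item above (example code written for this page, not text or code from the standard or the original article), the following script audits an access-control rule list for the "only necessary inbound and outbound access" property: a terminal default-deny rule in each direction, no allow rule with "any" as source or destination or with all ports open, and a documented need for every allow rule. The Rule format, the addresses and the two sample rule sets are constructed for the example; a real firewall or electronic access point configuration would need its own parser in front of `audit_ruleset`.

```python
"""Audit an access-control rule list for the "only necessary inbound and
outbound electronic access" property.  Added example, not code from the
standard or the original article; the Rule format, the addresses and the
two sample rule sets are constructed for illustration."""
from dataclasses import dataclass
from typing import List

ANY = "any"


@dataclass(frozen=True)
class Rule:
    direction: str    # "in" or "out", relative to the low-impact asset boundary
    action: str       # "allow" or "deny"
    src: str          # CIDR, host address, or "any"
    dst: str
    proto: str        # "tcp", "udp", "icmp" or "any"
    port: str         # destination port, or "any"
    reason: str = ""  # documented operational need (required for allows)


def is_default_deny(rule: Rule) -> bool:
    """True for a catch-all deny (any source, destination, protocol, port)."""
    return (rule.action == "deny"
            and (rule.src, rule.dst, rule.proto, rule.port) == (ANY, ANY, ANY, ANY))


def audit_ruleset(rules: List[Rule]) -> List[str]:
    """Return findings for each direction; an empty list means the set passes.

    Checks: the last rule in each direction is a default deny, no allow rule
    uses "any" as source or destination, no allow rule opens all ports
    (ICMP carries no port, so it is exempt), and every allow rule records
    why the access is necessary.
    """
    findings: List[str] = []
    for direction in ("in", "out"):
        dir_rules = [r for r in rules if r.direction == direction]
        if not dir_rules or not is_default_deny(dir_rules[-1]):
            findings.append(f"{direction}: no terminal default-deny rule")
        for r in dir_rules:
            if r.action != "allow":
                continue
            desc = f"{direction}: allow {r.src}->{r.dst} {r.proto}/{r.port}"
            if ANY in (r.src, r.dst):
                findings.append(f"{desc} uses 'any' as source or destination")
            if r.port == ANY and r.proto != "icmp":
                findings.append(f"{desc} opens all ports; restrict to the needed service")
            if not r.reason:
                findings.append(f"{desc} has no documented need")
    return findings


# Constructed sample: a rule set that lets anything in and everything out.
WEAK_RULES = [
    Rule("in", "allow", ANY, ANY, "tcp", ANY),
    Rule("out", "allow", "10.20.1.0/24", ANY, ANY, ANY, "plant network egress"),
]

# Constructed sample: explicit, justified flows with a default deny per direction.
HARDENED_RULES = [
    Rule("in", "allow", "10.20.5.0/24", "10.20.1.10", "tcp", "20000",
         "DNP3 polling from control center to the RTU"),
    Rule("in", "deny", ANY, ANY, ANY, ANY),
    Rule("out", "allow", "10.20.1.10", "10.20.5.20", "udp", "123",
         "NTP to the authorized time source"),
    Rule("out", "deny", ANY, ANY, ANY, ANY),
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        result = audit_ruleset(rules)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for line in result:
            print("  -", line)
```

The weak set produces seven findings (no default deny in either direction, wildcard endpoints, all ports open, and one undocumented allow); the hardened set produces none. Keeping the justification on the rule itself is deliberate: when an auditor asks why a flow is permitted, the evidence is in the same artifact as the control.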