Amidst all the pandemic doom and gloom, we finally have something positive to come from the chaos: NERC recently filed a motion (April 6, 2020) to defer three Critical Infrastructure Protection (CIP) Reliability Standards (as well as 1 PER and 3 PRC standards) for three months due to the national emergency declared on March 13th by President Trump. As the original implementation date was July 1, 2020, this means that should FERC approve the motion, the new implementation date would be October 1, 2020. You can find the announcement here and the filing here, but rather than read through that material, I have some proposals on how to better spend your time!

“So, what should I be working on now?” you ask. Well, if your implementation of any of the deferred requirements has been lagging, this is a great opportunity to spruce them up in between other spring cleaning tasks. The three CIP requirements included in the deferral are the following (the text in italics is my summary and key takeaways of the new components within this revision of the requirements):

CIP-005-5 and CIP-010-2 were modified as part of an initiative called “Project 2016-03 Cyber Security Supply Chain Risk Management”. Think of them as the technical components that were added to supplement CIP-013-1 for supply chain risk management.

  • CIP-005-6 – Cyber Security – Electronic Security Perimeter(s)
    • R2 Part 2.4 – This new requirement part introduces the need to have at least one method for determining active vendor remote access sessions. Tripwire solutions that help satisfy this requirement include Tripwire Log Center to log access and alert on vendor remote sessions as well as monitor activity, Tripwire Enterprise to track all changes performed by vendor accounts during their remote access sessions, and Tripwire Industrial Visibility to alert on ...