NERC Regulations changes regarding low impact BES facilities
What is a Low Impact BES?
A simple definition of a facility rated as Low Impact to the Bulk Electric System (BES) is a system that is not categorized as High or Medium Impact. At a high level, the Bulk Electric System is:
- The electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, generally operated at voltages of 100 kV or higher. Radial transmission facilities serving only load with one transmission source are generally not included in this definition.
If your facility is not classified as a Medium or High Impact BES facility, based on the criteria set by CIP-002, then it is by default classified as a Low Impact BES facility.
A BES Cyber Asset is a Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.
The new NERC Low Impact requirements that are part of CIP-003-6 take effect April 1, 2017. The new requirements include sections associated with the four subject matter areas directed in FERC Order 791:
- Cyber security awareness
- Physical security controls
- Electronic Access Controls
- Cyber Security Incident Response
Attachment 1 of the Standard provides guidance for these Requirements, while Attachment 2 provides examples of required evidence. The Requirements of CIP-003-6 are listed below.
- R1: Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics:
  - Cyber security awareness;
  - Physical security controls;
  - Electronic access controls for Low Impact External Routable Connectivity (LERC) and Dial-up Connectivity; and
  - Cyber Security Incident response.
- R2: Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1.
- R3: Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change.
- R4: The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator.
CIP-003-6 R2 – Attachment 1 – Item 1 – Cyber Security Awareness
This section calls for cyber security practices to be reinforced and trained on at least every 15 months. This training may also include physical security practices. Examples of evidence for this training are:
- Direct Communication (email, memos, training)
- Indirect communication (posters, intranet, brochures)
- Management support and reinforcement (presentations/meetings)
CIP-003-6 R2 – Attachment 1 – Item 2 – Physical Security Controls
This section states that each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity to:
- the asset or the locations of the low impact BES Cyber Systems within the asset
- the Low Impact BES Cyber System Electronic Access Points (LEAPs), if any
Examples of Evidence of Physical Security Controls include the documentation of:
- Selected access controls (card key, locks, perimeter controls, etc.)
- Monitoring controls (alarm systems, human observation, etc.)
- Or other operational, procedural or technical physical security controls
CIP-003-6 R2 – Attachment 1 – Item 3 – Electronic Access Controls
This section addresses the access to, and flow of data to and from, the low impact BES Cyber Systems. For Low Impact External Routable Connectivity (LERC), if any, you must implement a LEAP (Low Impact Electronic Access Point) to permit only necessary inbound and outbound bi-directional routable protocol access. You must also implement authentication for all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability. Any exception claimed on the basis of asset capability must be well documented.
- LERC definition:
  - Direct user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. Point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols).
- LEAP definition:
  - A Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact BES Cyber Systems.
Both definitions are taken from the recently approved "Definition of Terms Used in Standards."
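The "permit only necessary inbound and outbound routable access" rule above is, in practice, a default-deny access list in which every permit is tied to a documented need. The following Python is an added example, not part of the original article or of any NERC document: it models a LEAP access list whose rules each carry a justification (so the list itself can serve as evidence), validates the list for missing justifications and any-to-any wildcards, and evaluates constructed connection-log lines against it so that undocumented access surfaces for review. All addresses, ports, protocols and log lines are constructed for illustration.

```python
"""
Added example (not from the original article): default-deny evaluation of
routable connections crossing a Low Impact Electronic Access Point (LEAP).
Every address, port and log line here is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    """One routable connection attempt crossing the LEAP."""
    direction: str   # "inbound" (toward the low impact BES Cyber System) or "outbound"
    proto: str       # "tcp" or "udp"
    src: str         # source IP address
    dst: str         # destination IP address
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    """A permitted connection together with its documented justification."""
    direction: str
    proto: str
    src_net: str     # CIDR the source must fall in
    dst_net: str     # CIDR the destination must fall in
    dport: int
    justification: str

    def matches(self, flow: Flow) -> bool:
        return (
            self.direction == flow.direction
            and self.proto == flow.proto
            and self.dport == flow.dport
            and ip_address(flow.src) in ip_network(self.src_net)
            and ip_address(flow.dst) in ip_network(self.dst_net)
        )


# Hypothetical documented-necessary access list (constructed for this example).
RULES: List[Rule] = [
    Rule("inbound", "tcp", "10.20.0.0/24", "192.168.50.0/24", 20000,
         "DNP3 polling of the substation RTU from the control center"),
    Rule("outbound", "udp", "192.168.50.0/24", "10.20.0.5/32", 123,
         "NTP time synchronisation to the control center time server"),
]


def validate_rules(rules: List[Rule]) -> List[str]:
    """Problems with the access list itself: each permit needs a written
    justification, and an any-to-any permit is not 'only necessary' access."""
    problems = []
    for i, r in enumerate(rules):
        if not r.justification.strip():
            problems.append(f"rule {i}: no documented justification")
        if ip_network(r.src_net).prefixlen == 0 and ip_network(r.dst_net).prefixlen == 0:
            problems.append(f"rule {i}: any-to-any permit is not 'only necessary' access")
    return problems


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Default deny: a flow is permitted only if a documented rule matches."""
    for r in rules:
        if r.matches(flow):
            return "permit", r.justification
    return "deny", "no documented need for this connection"


def parse_flow(line: str) -> Flow:
    """Parse the constructed log format
    '<direction> <proto> <src>:<sport> -> <dst>:<dport>'."""
    direction, proto, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(direction, proto, src_ip, dst_ip, int(dport))


# Constructed sample log lines, as a LEAP might export them for periodic review.
SAMPLE_LOG = [
    "inbound tcp 10.20.0.7:51234 -> 192.168.50.10:20000",     # documented DNP3 polling
    "outbound udp 192.168.50.10:40000 -> 10.20.0.5:123",      # documented NTP sync
    "inbound tcp 203.0.113.9:4444 -> 192.168.50.10:3389",     # undocumented inbound RDP
    "outbound tcp 192.168.50.10:50222 -> 198.51.100.20:443",  # undocumented outbound HTTPS
]


def review(lines: List[str], rules: List[Rule] = RULES) -> List[Tuple[str, str, str]]:
    """Evaluate each log line and return (line, decision, reason)."""
    return [(line, *evaluate(parse_flow(line), rules)) for line in lines]


def undocumented(lines: List[str], rules: List[Rule] = RULES) -> List[str]:
    """Lines that the default-deny policy rejects: access with no documented need."""
    return [line for line, decision, _ in review(lines, rules) if decision == "deny"]


if __name__ == "__main__":
    for problem in validate_rules(RULES):
        print("access list problem:", problem)
    for line, decision, reason in review(SAMPLE_LOG):
        print(f"{decision:6} {line}  ({reason})")
```

Running the script prints a permit or deny verdict for each constructed log line; the two lines with no matching documented rule are the ones a reviewer would either add a justified rule for or confirm as blocked. Keeping the justification inside each rule, rather than in a separate spreadsheet, is what lets the access list double as the documentation Attachment 2 asks for.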
CIP-003-6 R2 – Attachment 1 – Item 4 – Cyber Security Incident Response
This section addresses Reportable Cyber Security Incidents. A Cyber Security Incident is anything that has compromised or disrupted one or more reliability tasks of a functional entity, such as a malicious act or suspicious event that compromises, or was an attempt to compromise, the Electronic Security Perimeter or Physical Security Perimeter; or that disrupts, or was an attempt to disrupt, the operation of a BES Cyber System.
The Responsible Entity shall have Cyber Security Incident response plan(s), either by group or assets, which includes:
- Identification, classification, and response to Cyber Security Incidents
- Determination of whether an identified Incident is a Reportable Cyber Security Incident and subsequent notification to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), unless prohibited by law
- Identification of the roles and responsibilities for Cyber Security Incident response by groups or individuals (e.g., initiating, documenting, monitoring, reporting, etc.)
- Incident handling for Cyber Security Incidents (e.g., containment, eradication, or recovery/incident resolution)
- Testing the plan(s) at least once every 36 months
- Updating the plans, if needed, within 180 days after completion of the test or actual Reportable Cyber Security Incident
What is the big concern about Low Impact facilities and the new Regulations?
The biggest issue with Low Impact facilities is the fact that many of them were built several years ago when we were not concerned with cyber or physical security. Back then, all the industry was worried about was making sure no one could take a pot shot at a transformer or do some other sort of malicious damage. Now we need to be concerned about Unmanned Aerial Vehicles (UAVs) delivering explosives to a transformer or even being used to bridge the wireless network in place at a substation. With the proper planning, any low impact facility can be brought up to match the new regulations; you just need to employ a team of experienced NERC CIP Consultants.