CIP-003: The New Stuff - Part 1

(Originally posted on October 20, 2018)

Happy New Year!!!

The last blog post covered the CIP-003 requirements that are currently enforceable. This post (and possibly future posts) will cover the version 7 requirements that become enforceable on January 1, 2020.

Let’s get this party started!

First off, NERC made changes to requirements R1.2 and R2 and got rid of the terms LERC (Low Impact External Routable Connectivity) and LEAP (Low Impact Electronic Access Point).

Does this mean that LERC and LEAP can now be forgotten forever?

Maybe…depending on your architecture, you might be able to meet future requirements without changing these terms.

What about requirements R1.2 and R2? Didn’t you cover R1.2 in the last post?

Yes, but only parts of it…

CIP-003-7 R1.2 — Documented Cyber Security Policies — Effective January 1, 2020

NERC added 2 new mini-requirements, 1.2.5 and 1.2.6, to R1.2 as shown in the verbiage below.

- R1 Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics:
    - 1.2 For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any:
        - 1.2.1. Cyber security awareness; (previously covered)
        - 1.2.2. Physical security controls;
        - 1.2.3. Electronic access controls; (*Notice LERC and LEAP are missing*)
        - 1.2.4. Cyber Security Incident response; (previously covered)
        - 1.2.5 Transient Cyber Assets and Removable Media malicious code risk mitigation; and
        - 1.2.6 Declaring and responding to CIP Exceptional Circumstances.

Wait? Are you saying I now have 6 things to deal with for R1.2? Or is it 8?

Yes. But you were given a time extension. You have until January 1, 2020, when they become enforceable.

(This date is coming quickly, so prepare now).

As with the topics we talked about in the last blog post, each of these new topics needs a security policy, a review of that policy every 15 months, and CIP Senior Manager approval of the review.
