06 cip-002-5.1 additional consideration - 10 13 15

CIPUG CIP-002-5.1 Additional Considerations

San Diego, CA, October 13, 2015

Bryan Carr, PMP, CISA, PSP
Sr. Compliance Auditor, Cyber Security
Western Electricity Coordinating Council



Speaker Intro: Bryan Carr

• Joined WECC in August 2012
• a.k.a. Dr. TFE (Emeritus)
• Former CIP Program Manager
• Project manager
• 3:37 Marathoner – BQ 3:10
• Donut enthusiast

Agenda

• 2015 Audit Recap & Observations
• Q&A
• Distribution Providers

2015 Audit Recap

• 21 Onsite audits completed
  – 11 v3 audits
  – 10 v5 transition audits

2015 Audit Recap - Observations

• Many hesitant to leverage NERC v5 transition guidance.
• Implementation delays due to interpretations, waiting on Lessons Learned & FAQ.
• Entities who regularly reach out to audit team and attend outreach were better prepared.

CIP-002-5.1 Entity Q&A

• Sources include email, audit, ERO-wide auditor workshops/distribution lists, etc.
• Q&A sanitized to protect the innocent.
• All entities appearing in this presentation are fictitious. Any resemblance to real entities, living or dead, is purely coincidental.

Q1

• We plan to associate BCAs (including SPS/RAS) with the operating voltage of the high side of the transformer, as well as any BCA associated with both the high and low side of the transformer (e.g. bank differential relays). Is this a valid approach?


A1

• Protect BCS associated with SPS/RAS at the highest applicable impact rating.

• IRC 2.9 may bring in some BCS that would normally be Low into scope as Medium BCS.

• Each SPS/RAS BCS should be evaluated independently as you apply the IRC.


Q2

• In counting the number of lines coming into a substation, should a bus bar with a tie-circuit breaker be considered a line?


A2

• Normally a tie bus would not be considered a transmission "line" as it does not typically cross substation boundaries.

• If, however, the tie bus in question crosses substation boundaries, a strict interpretation of IRC 2.5 would indicate that would qualify as a "line" coming in and/or out of the substation.

Q3

• For jointly owned locations – is documentation required for who is performing the compliance obligations?

A3

• Yes, if a single entity is responsible for performing the compliance obligations at a jointly owned Facility, that should be clarified in the operating agreement, through a memorandum, or other binding document in which these obligations are clearly defined and assigned to a single party.

• Without a binding document defining compliance responsibility, WECC will look to the owner of each applicable BCS to fulfill the compliance obligations.


Q4


• We will have only Low Impact BCS under CIP v5, therefore we have nothing to do (no compliance obligations) until April 1, 2017. Is this correct?

A4

• Not quite. CIP-002-5.1 R1 & R2 and CIP-003-6 R3 & R4 must be complete (documented and approved) by April 1, 2016 for ALL applicable entities, including those with only Low Impact BCS.

• Low Impact requirements in CIP-003-6 R1.2, R2, Attachment 1 – Sections 1 & 4 must be complete by April 1, 2017.

• Low Impact requirements in CIP-003-6 R2 Attachment 3 & 4 must be complete by September 1, 2018.


Q5

• Should meters be considered BCA?


A5

• Certain meters may be considered BCA. For example, tie-line (aka interchange) meters providing data for ACE calculations are required to have an update interval of no greater than 6 seconds (BAL-005-0.2b R8). Those Cyber Assets come into scope as real-time Cyber Assets that support one or more BROS and should be identified as BCA, grouped into one or more appropriate BCS, and afforded the full protections of the CIPv5 Standards, as applicable, based on the impact rating of their host Facilities.


Q6

• We were just notified by PEAK that we’re now part of an IROL, which will raise the impact rating of a couple of our facilities from Low to Medium. The implementation plan allows for 12-24 months, but when does that clock start ticking?


A6

• The IRC 2.3 and 2.6 Lesson Learned document recently posted on NERC’s website adds an implementation period for Medium BCS identified prior to April 1, 2016, and extends CIP compliance for newly identified BCS under these two IRC by 12-24 months.

• The clock starts ticking upon completion of the R1 Assessment following an IRC 2.3 or 2.6 notification, not the date of notification itself. Should such notification occur between now and April 1, 2016, WECC expects re-evaluation of R1 be completed on or before April 1, 2016, at which point the implementation period would begin.


Q7

• Our low impact substation has a backup EMS server which is part of our High Impact Control Center. The EMS server and Low BCS (protection equipment) are physically located in the same building, but are logically separate. Does this mean the entire facility must be treated as High Impact, or can we separate the two somehow?


A7

• The impact rating of the facility could remain Low under certain conditions, however the High Impact BCS would need to be afforded all the physical and logical protections specified in the CIP Standards.

• Options to consider:
  1. Create a separate PSP around just the High Impact BCS.
  2. Treat the entire building as a High PSP.

I’m a DP, is CIP v5 Applicable to Me?

• All DPs should implement a CIP-002-5.1 process to evaluate their system to rule out anything that might be applicable under the Impact Rating Criteria [IRC] and Section 4.2.1.

• If the DP can demonstrate that NONE of its systems are applicable under this section, then they should document the evaluation and its results.

• Under an abundance of caution, a best practice would be to document a null list for R1.1, R1.2, and R1.3, then apply its process at least every 15 calendar months to ensure that no systems changed to the extent that they came into scope under Section 4.2.1.


What if I have a UFLS/UVLS?

• If you have an applicable UFLS/UVLS under section 4.2.1 (NERC, 2012 Nov 22, CIP-002-5.1, p. 1), these BCS should be evaluated as Low-impact under IRC 3.6 and, therefore, the Facilities containing them should be listed as Low-impact BES [R1.3].

• Any specific DP UFLS/UVLS has to meet both conditions of Section 4.2.1.1 to come into scope as Low-impact.


What About Blackstart Units?

• Black-start resources and their associated cranking paths can come into scope under CIPv5 as Low-impact BES Assets under two conditions:
  – IRC 3.4: Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements (CIP-002-5.1, p. 16), or
  – Section 4.1.2.4: Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started (CIP-002-5.1, p. 1).

• You may have a small non-BES Generation unit and/or cranking path facility that are included in a Restoration plan. Talk to your RC and TOP to make sure that you do not.


Evaluation Results

• A prudent DP will evaluate its systems, at a minimum, against IRC 3.4, 3.6, and Section 4.2.1 and document that it either has no applicable systems or it has provided the appropriate protections to its applicable systems.

• A DP with applicable systems that come into scope under CIPv5 will generally have approved null R1.1 and R1.2 lists, and a relatively short R1.3 list.

• A DP that does not have applicable systems should have null lists for all three categories.


Summary

• A DP should not just assume it has no applicable systems; implement the R1 process anyway.

• This approach is effectively no different from the LSE or other Registered Entity that applied its RBAM every year under CIPv3 to ensure its null lists of CAs and CCAs were still valid.

• WECC’s compliance monitoring approach for DPs will seek evidence that the DP implemented the process required by CIP-002-5.1 and documented the results of the evaluation of its systems to demonstrate compliance with the CIPv5 Standards.


Speaker Contact Information

Bryan Carr [email protected] 801-819-7691
