consideration of comments on 1st draft of sar to revise cyber … · 2010. 11. 30. ·...

116-390 Village Blvd. Princeton, NJ 08540

609.452.8060 | www.nerc.com

Consideration of Comments on Cyber Security Order 706 Phase II — Draft CIP-002-4 Project 2008-06

The Cyber Security Order 706 Drafting Team thanks all commenters who submitted comments on the proposed CIP-002-4. These standards were posted for a 45-day public comment period from September 20, 2010 through November 3, 2010. The stakeholders were asked to provide feedback on the standards through a special Electronic Comment Form. There were 101 sets of comments, including comments from more than 200 different people from approximately 125 companies representing 9 of the 10 Industry Segments as shown in the table on the following pages.

Based on the comments received, a few changes were made to CIP-002-4. The Applicability section was modified to include an exemption for nuclear facilities regulated by the Canadian Nuclear Safety Commission, and Cyber Assets associated with Cyber Security Plans submitted to and verified by the U. S. Nuclear Regulatory Commission pursuant to 10 C.F.R. Section 73.54. In addition, the effective date was changes to eight quarters after regulatory approval, so that entities are not required to maintain two sets of approved Critical Asset lists and Critical Cyber Asset lists during the implementation plan. Requirements R1 and R2 were modified slightly to clarify that each list must be updated on an ongoing basis, but the review and approval need only occur annually. Conforming changes were made to the compliance section. Finally, changes were made to Attachment 1. A brief summary of each change can be found in the summary response to question 2 on page 33.

The modified CIP-002-4 will be posted for a ten day concurrent ballot and comment period. The SDT will review the comments and determine any necessary changes to CIP-002-4 based on the ballot. In addition, NERC staff will conduct a webinar on the changes during the comment and ballot period.

A complete record of this project, including clean and redline versions of the revised standard that commenters reviewed, is posted on the project page on the NERC website at http://www.nerc.com/filez/standards/Project_2008-06_Cyber_Security_PhaseII_Standards.html

If you feel that your comment has been overlooked, please let us know immediately. Our goal is to give every comment serious consideration in this process! If you feel there has been an error or omission, you can contact the Vice President and Director of Standards, Herb Schrayshuen, at 609-452-8060 or at [email protected]. In addition, there is a NERC Reliability Standards Appeals Process.1

1 The appeals process is in the Reliability Standards Development Procedures: http://www.nerc.com/standards/newstandardsprocess.html.

http://www.nerc.com/filez/standards/Project_2008-06_Cyber_Security_PhaseII_Standards.html�


mailto:[email protected]�

Consideration of Comments on Cyber Security Order 706 Phase II — Project 2008-06

November 30, 2010 2

Index to Questions, Comments, and Responses

1. When reviewing the mapping document posted with the proposed CIP-002-4 standard, do you believe that the proposed standard will lead to an improvement in reliability when compared to the standard it proposes to replace? ............................................................................... 15

2. CIP-002-4 Attachment 1 contains criteria that define elements that must be classified as Critical Assets. Do you have any suggestions that would improve the proposed criteria? If so, please explain and provide specific suggestions for improvement................................................. 35

3. Requirement R1 of draft CIP-002-4 states, “Critical Asset Identification — Each Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the criteria contained in CIP-002-4 Attachment 1 – Critical Asset Criteria. The Responsible Entity shall review this list at least annually, and update it as necessary.” Do you agree with the proposed Requirement R1? If not, please explain why and provide specific suggestions for improvement. . 166

4. Requirement R2 of draft CIP-002-4 states, “Using the list of Critical Assets developed pursuant to Requirement R1, each Responsible Entity shall develop a list of associated Critical Cyber Assets performing a function essential to the operation of the Critical Asset. For each group of generating units (including nuclear generation) at a single plant location identified in Attachment 1, criterion 1.1, the only Cyber Assets that must be considered are those shared Cyber Assets that could adversely impact the reliable operation of any combination of units that in aggregate exceed Attachment 1, criterion 1.1 within 15 minutes. Each Responsible Entity shall review this list at least annually, and update it as necessary. For the purpose of Standard CIP-002-4, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics”. The requirement then lists characteristics using the same text that is contained in the existing CIP-002-3 R3. Do you agree with the proposed Requirement R2? If not, please explain why and provide specific suggestions for improvement. .................................................................................................... 179

5. Do you agree with the proposed implementation plan for the Version 4 standards? If not, please explain and provide specific suggestions for improvement............................................... 199

6. Do you agree with the proposed revisions to the implementation plan for newly identified CCAs and Responsible Entities? If not, please explain and provide specific suggestions for improvement. . 223


November 30, 2010 3

The Industry Segments are:

1 — Transmission Owners 2 — RTOs, ISOs 3 — Load-serving Entities 4 — Transmission-dependent Utilities 5 — Electric Generators 6 — Electricity Brokers, Aggregators, and Marketers 7 — Large Electricity End Users 8 — Small Electricity End Users 9 — Federal, State, Provincial Regulatory or other Government Entities 10 — Regional Reliability Organizations, Regional Entities

Group/Individual Commenter Organization Registered Ballot Body Segment

1 2 3 4 5 6 7 8 9 10

1. Group Guy Zito Northeast Power Coordinating Council X

Additional Member Additional Organization Region Segment Selection 1. Alan Adamson New York State Reliability Council, LLC NPCC 10 2. Gregory Campoli New York Independent System Operator NPCC 2 3. Kurtis Chong Independent Electricity System Operator NPCC 2 4. Sylvain Clermont Hydro-Quebec TransEnergie NPCC 1 5. Michael Schiavone National Grid NPCC 1 6. Gerry Dunbar Northeast Power Coordinating Council NPCC 10 7. Dean Ellis Dynegy Generation NPCC 5 8. Saurabh Saksena National Grid NPCC 1 9. Si Truc Phan Hydro-Quebec TransEnergie NPCC 1 10. Brian L. Gooder Ontario Power Generation Incorporated NPCC 5 11. Kathleen Goodman ISO - New England NPCC 2 12. Chantel Haswell FPL Group, Inc. NPCC 5 13. David Kiguel Hydro One Networks Inc. NPCC 1 14. Michael R. Lombardi Northeast Utilities NPCC 1


November 30, 2010 4


1 2 3 4 5 6 7 8 9 10

15. Randy MacDonald New Brunswick System Operator NPCC 2 16. Bruce Metruck New York Power Authority NPCC 6 17. Lee Pedowicz Northeast Power Coordinating Council NPCC 10 18. Robert Pellegrini The United Illuminating Company NPCC 1

2. Group David Grubbs City of Garland X

Additional Member Additional Organization Region Segment Selection 1. Fred Sherman ERCOT 1 2. Billy Lee ERCOT 1 3. Ronnie Hoeinghaus ERCOT 1 4. William Whitney ERCOT 1 5. Heather Siemens ERCOT 1

3. Group Patricia Lynch NRG Energy Inc. X

Additional Member Additional Organization Region Segment Selection 1. Rick Keetch NRG Energy Power Marketing Inc NA - Not Applicable 3 2. Richard Comeaux Louisiana Generating LLC SERC 4 3. Alan Johnson NRG Energy Inc. NA - Not Applicable 6

4. Group Nathan Mitchell APPA CIP-002-4 Task Force X X X X X

Additional Member Additional Organization Region Segment Selection 1. Allen Mosher APPA NA - Not Applicable 4 2. Nathan Mitchell APPA NA - Not Applicable 3 3. Doug Bantam LES MRO 1 4. Bruce Merrill LES MRO 3 5. Dennis Florom LES MRO 5 6. Eric Ruskamp LES MRO 6 7. Brian Evens-Mongeon Utility Services NA - Not Applicable 8 8. Steve Alexanderson Central Lincoln WECC 3, 4


November 30, 2010 5


1 2 3 4 5 6 7 8 9 10

9. Mike Stanley MEAG SERC 1 10. Danny Dees MEAG SERC 3 11. Scott Miller MEAG SERC 5

5. Group Ben Li IRC Standards Review Committee X

Additional Member Additional Organization Region Segment Selection 1. Patrick Brown PJM RFC 2 2. Matthew Goldberg ISO NE NPCC 2 3. Greg Campoli NY ISO NPCC 2 4. Mark Thompson AESO WECC 2 5. Charles Yeung SPP SPP 2 6. Steve Myers ERCOT ERCOT 2 7. Greg Van Pelt CA ISO WECC 2 8. Bill Phillips MISO RFC 2 9. Matt Morias ERCOT ERCOT 2 10. Kathleen Goodman ISO NE NPCC 2 11. Jason Marshall MISO RFC 2 12. Albert DiCaprio PJM RFC 2

6. Group Denise Koehn Bonneville Power Administration X X X X

Additional Member

Additional Organization Region Segment Selection

1. Dick Winters BPA, Transmission, Substation Operations WECC 1

2. Curt Wilkins BPA, Transmission, Control Cntr HW Design & Maint WECC 1

7. Group Kenneth D. Brown PSEG Companies X X X X

Additional Member Additional Organization Region Segment Selection

1. Jeff Mueller PSE&G RFC 1, 3


November 30, 2010 6


1 2 3 4 5 6 7 8 9 10

2. Jerzy Slusarz PSEG Fossil RFC 5, 6 3. Jim Hebson PSEG ER&T NPCC 5, 6 4. Dom Grasso Odessa Ector LP ERCOT 5, 6

8. Group Richard J. Kafka Pepco Holdings, Inc - Affiliates X X X X

Additional Member Additional Organization Region Segment Selection 1. Mark Godfrey Delmarva Power & Light RFC 1 2. Mark Yerger Delmarva Power & Light RFC 1 3. Dave Throne Potomac Electric Power Company RFC 1

9. Group Carol Gerou

MRO's NERC Standards Review Subcommittee X


1. Mahmood Safi Omaha Public Utility District MRO 1, 3, 5, 6 2. Chuck Lawrence American Transmission Company MRO 1 3. Tom Webb WPS Corporation MRO 3, 4, 5, 6 4. Jason Marshall Midwest ISO Inc. MRO 2 5. Jodi Jenson Western Area Power Administration MRO 1, 6 6. Ken Goldsmith Alliant Energy MRO 4 7. Alice Murdock Xcel Energy MRO 1, 3, 5, 6 8. Dave Rudolph Basin Electric Power Cooperative MRO 1, 3, 5, 6 9. Eric Ruskamp Lincoln Electric System MRO 1, 3, 5, 6 10. Joseph Knight Great River Energy MRO 1, 3, 5, 6 11. Joe DePoorter Madison Gas & Electric MRO 3, 4, 5, 6 12. Scott Nickels Rochester Public Utilties MRO 4 13. Terry Harbour MidAmerican Energy Company MRO 1, 3, 5, 6

10. Group Terry L. Blackwell Santee Cooper X X X X



November 30, 2010 7


1 2 3 4 5 6 7 8 9 10

1. S. Tom Abrams Santee Cooper SERC 1, 3, 5, 6 2. Rene' Free Santee Cooper SERC 1, 3, 5, 6 3. Glenn Stephens Santee Cooper SERC 1, 3, 5, 6 4. Jim Peterson Santee Cooper SERC 1, 3, 5, 6 5. Wayne Ahl Santee Cooper SERC 1, 3, 5, 6 6. Vicky Budreau Santee Cooper SERC 1, 3, 5, 6

11. Group Louis Slade Dominion X X X X

Additional Member Additional Organization Region Segment Selection 1. Mike Garton Electric Market Policy MRO 5, 6 2. Carl Eng Electric Transmission SERC 1, 3 3. Jeff Heffleman F&H generation SERC 5 4. Jeff Bailey Nuclear 5 5. Bruce Bingham IT Risk Mgt. NA 6. John Calder Electric Transmission Compliance SERC 1, 3 7. Marc Gaudette IT Risk Mgt. NA 8. John Mitchell ELECTRIC TRANSMISSION SERC 1, 3 9. Don Robinson IT GENERATION NA

12. Group John P. Falsey Edison Mission Marketing and Trading X


1. Ellen L. Oswald NA - Not Applicable 5 2. Brenda J. Frazer RFC 5 3. James W. Thompson WECC 5

13. Group Frank Gaffney Florida Municipal Power Agency X X X X X X

Additional Member Additional Organization Region Segment Selection 1. Timothy Beyrle Utilities Commission, City of New Smyrna Beach FRCC 4


November 30, 2010 8


1 2 3 4 5 6 7 8 9 10

2. Greg Woessner Kissimmee Utility Authority FRCC 3 3. Jim Howard Lakeland Electric FRCC 3 4. Lynne Mila City of Clewiston FRCC 3 5. Joe Stonecipher Beaches Energy Services FRCC 1 6. Cairo Vanegas Fort Pierce Utility Authority FRCC 4 7. Randy Hahn Ocala Electric Utility FRCC 3

14. Group Ron Sporseen PNGC Power X X X

Additional Member Additional Organization Region Segment Selection 1. Bud Tracy Blachly-Lane Electric Cooperative WECC 3, 8 2. Dave Markham Central Electric Cooperative WECC 3, 8 3. Dave Hagen Clearwater WECC 3, 8 4. Roman Gillen Consumer's Power WECC 1, 3, 8 5. Roger Meader Coos-Curry Electric Cooperative 3, 8 6. Dave Sabala Douglas Electric Cooperative 8 7. Bryan Case Fall River Electric Cooperative 3, 8 8. Rick Crinklaw Lane Electric Cooperative 3, 8 9. Michael Henry Lincoln Electric Cooperative 8 10. Richard Reynolds Lost River 8 11. Jon Shelby Northern Lights 3, 8 12. Ray Ellis Okanogan 8 13. Heber Carpenter Raft River 3, 8 14. Ken Dizes Salmon River Electric Coop 1, 3, 8 15. Steve Eldrige Umatilla Electric Coop 1, 3, 8 16. Marc Farmer West Oregon Electric Coop 8

15. Individual Steve Rueckert WECC X

16. Individual JT Wood Southern Company X X


November 30, 2010 9


1 2 3 4 5 6 7 8 9 10

17. Individual Steven Hamburg Encari, LLC X

18. Individual Janet Smith Arizona Public Service X X X X

19. Individual David Batz Edison Electric Institute

20. Individual James W. Sample Tennessee Valley Authority (TVA) X X X X

21. Individual Sandra Shaffer PacifiCorp X X X X

22. Individual Larry Saxon OGE X X X

23. Individual J. Randall McCamish FMPA X X

24. Individual RoLynda Shumpert South Carolina Electric and Gas X X X X

25. Individual Kelsi Oswald Pinellas County Resource Recovery Facility X

26. Individual Steve Alexanderson Central Lincoln X

27. Individual John Falsey Edison Mission Marketing and Trading X

28. Individual James Stanton SPS Consulting Group Inc. X

29. Individual Scott Amsden Tacoma Power X X X X X

30. Individual Greg Froehling Green Country Energy X

31. Individual Bob Thomas Illinois Municipal Electric Agency X

32. Individual Richard Burt Minnkota Power Cooperative X


November 30, 2010 10


1 2 3 4 5 6 7 8 9 10

33. Individual J. Brent Hebert Horizon Wind Energy X

34. Individual Larry Rodriguez Union Power Partners LP X

35. Individual Todd Williams MidAmerican Energy Company X X X X

36. Individual Gary Ofner North Carolina Membership Corporation X X X X

37. Individual Sasa Maljukan Hydro One Networks Inc. X

38. Individual Dan Roethemeyer Dynegy Inc. X

39. Individual Donovan Tindill Matrikon Inc. N/A

40. Individual Michael Lombardi Northeast Utilities X X X

41. Individual John Brockhan CenterPoint Energy X X

42. Individual Edward Nagy LCEC X X

43. Individual Jon Kapitz Xcel Energy X X X X

44. Individual Joe Knight Great River Energy X X X X

45. Individual Michael Moltane ITC Holdings X

46. Individual Jack Stamper Public Utility District No. 1 of Clark County X

47. Individual Jian Zhang TransAlta X X X

48. Individual John Bee Exelon X X X




1 2 3 4 5 6 7 8 9 10

49. Individual John Bussman AECI X X X X

50. Individual Mark Ramsey N.W. Electric Power Cooperative, Inc. X X

51. Individual Michael Bax Central Electric Power Cooperative X X

52. Individual Ralph Schulte Central Electric Power Cooperative X X

53. Individual Stephen Pogue M & A Electric Power Cooperative X

54. Individual Martyn Turner LCRA Transmission Services Corporation X

55. Individual Denise Stevens Sho-Me Power Electric Cooperative X

56. Individual Ted Hilmes KAMO Power X

57. Individual Jonathan Appelbaum United Illumiinating X

58. Individual Brenda Powell Constellation Energy Commodities Group X

59. Individual Brian Ackermann Associated Electric Cooperative, Inc. X

60. Individual Walter Kenyon KAMO Electric Cooperative X X

61. Individual Kevin White

Northeast Missouri Electric Power Cooperative X

62. Individual David McDowell NW Electric Power Cooperative, Inc. X X

63. Individual Rich Salgo Sierra Pacific Power d/b/a NV Energy X




1 2 3 4 5 6 7 8 9 10

64. Individual Jeff Neas Sho-Me Power Electric Cooperative X

65. Individual Matt Brewer SDG&E X X X

66. Individual Steve Alexanderson Central Lincoln X X

67. Individual Skyler Wiegmann

Northeast Missouri Electric Power Cooperative X

68. Individual Barry Lawson

National Rural Electric Cooperative Association (NRECA) X X

69. Individual Art Baum Tampa Electric X X X

70. Individual William Price M&A Electric Power Cooperative X

71. Individual Scott Miller MEAG Power X X X

72. Individual Chris Bolick Associated Electric Cooperative, Inc. X X X X

73. Individual Brad Haralson Associated Electric Cooperative, Inc. X X X X

74. Individual Doug Hohlbaugh FirstEnergy Corp X X X X X

75. Individual Randi Woodward Minnesota Power X X X X

76. Individual Joe Petaski Manitoba Hydro X X X X

77. Individual Andrew Z. Pusztai American Transmission Company X




1 2 3 4 5 6 7 8 9 10

78. Individual Kirit Shah Ameren X X X X

79. Individual Bill Keagle BGE X

80. Individual J. S. Stonecipher, PE

Beaches Energy Services (of City of Jacksonville Beach, FL) X X

81. Individual Jim Keller We Energies X X X

82. Individual John Allen City Utilities of Springfield, MO X

83. Individual Saurabh Saksena National Grid X X

84. Individual Eric Ruskamp Lincoln Electric System X X X X

85. Individual Kevin B. Perry Southwest Power Pool Regional Entity X X

86. Individual Jerry Hohn Indianapolis Power & Light X

87. Individual Amir Hammad Constellation Power Generation X

88. Individual Dan Rochester Independent Electricity System Operator X

89. Individual Thad Ness American Electric Power (AEP) X X X X

90. Individual Richard Kinas Orlando Utilities Commission X X X X

91. Individual Scott McGough Oglethorpe Power Corporation X

92. Individual Tony Kroskey Brazos Electric Power Cooperative, Inc. X X X




1 2 3 4 5 6 7 8 9 10

93. Individual Jason Marshall Midwest ISO X

94. Individual Greg Rowland Duke Energy X X X X

95. Individual Steven Wallace Seminole Electric Cooperative, Inc. X X X X

96. Individual Peter Brown Progress Energy X X X X

97. Individual Brad Chase Orlando Utilities Commission X X X X

98. Individual Gregory Campoli New York Independent System Operator X

99. Individual Russell A. Noble Cowlitz County PUD X X X

100. Individual Richard Kinas Orlando Utilities Commission X X X X

101. Individual Michael Gammon Kansas City Power & Light X X X X



1.

When reviewing the mapping document posted with the proposed CIP-002-4 standard, do you believe that the proposed standard will lead to an improvement in reliability when compared to the standard it proposes to replace?

Summary Consideration: Many of those that voted “No” contended their current risk-based methodology provided a more accurate list of Critical Assets and therefore the proposed criteria in Attachment 1 would not lead to an improvement in reliability. Often, those who commented this way also felt the criteria did not have rigorous system studies as a reliability basis.

The SDT appreciates these comments but believes that although some companies may have a very rigorous risk-based assessment, the implementation of Attachment 1 criteria will overall increase the consistency of Critical Asset identification. The Attachment 1 criteria were developed in response to an external oversight directive in the FERC Order 706. In consideration of this directive, the SDT decided there did not exist across all regions an appropriate third party to provide this type of oversight. Also, external review and oversight carries with it the compliance overhead and arbitration processes analogous to the TFE process. The “bright-line” criteria approach removes the variability of entity-defined methodologies that would prompt the need for external review.

Regarding the need for additional engineering studies, the SDT and volunteer industry participants have expended considerable effort to develop consistent Critical Asset Identification approaches. The team endeavored to include work already required by other standards, and provide some constraints for an entity’s assessment. These approaches, in their various iterations, have been presented to industry for review and comment. The industry provided significant feedback for the need to simplify the Critical Asset identification approach. The Attachment 1 criteria were under development for CIP-010 when the team was asked to use the criteria for the basis of a new CIP Version 4 set of standards. NERC issued a data request in August of 2010 to assist the SDT in developing a consistent approach to Critical Asset identification. The results of this request were used to assist the team in developing the criteria in Attachment 1.

A few commenters expressed concern that changes to these Standards do not address other significant issues. The SDT agrees that other changes ultimately need to be made to the body of CIP cyber security standards, and expects to resume working on those in early 2011. The scope of the changes to the interim CIP-002-4 was deliberately limited to minimize the impact on the industry while addressing the identified consistency issues with the Critical Asset identification method.



Organization Yes or No Question 1 Comment

Northeast Power Coordinating Council

No The proposed Standard improves implementation consistency which may improve reliability, and it will lead to an improvement in reliability for entities that are either newly registered, or envision new assets coming under their CIP purview. Improved reliability overall however, is not guaranteed. The proposed standard can lead to an improvement in reliability by being entirely prescriptive and allowing for no flexibility for the Responsible Entity in determining critical assets. A risk-based methodology for identifying critical assets is similar to the bright-line criteria proposed in the revision for CIP-002, and it makes an asset list very inclusive. The proposed standard will not lead to a significant improvement in reliability because it will not result in a significant increase in the number of assets identified as critical. Replacing the risk-based assessment methodology with a list of criteria will ultimately result in the inclusion of facilities on the Critical Assets list that are non-impactive to the BES. Per paragraph 236 of FERC Order 706, the proposed standard does provide guidance regarding the risk-based assessment methodology and scope of critical assets. However, the proposed standard does not address guidance on external review of critical assets identification. This may be implied by the prescriptive nature of the assets listed in Attachment 1. External review was specifically called for in the FERC Order.Per paragraph 253, the Commission stresses “the need for flexibility and the need to take account of the individual circumstances of a responsible entity”. This is not accomplished under prescriptive approach to the proposed standard. The proposed revision replaces the existing risk-based methodology with the new bright-line criteria. The reference to risk-based methodology in R3 should be deleted.The updated Applicability section (4.2.1) removed the U.S. and Canadian nuclear exclusion to CIP-002-4. Order 706B removed the U.S. nuclear exclusion. The Canadian nuclear (facilities regulated by the Canadian Nuclear Safety Commission) exclusion should remain or those assets may be regulated by two different authorities.

Response: Thank you for your comments. Regarding the directives for external review and guidance in the FERC Order, the SDT believes the criteria in Attachment 1 are in response to FERC Order 706 paragraph 329. In consideration of this directive, the SDT decided there did not exist across all regions an appropriate third party to provide this type of oversight. Also, external review and oversight carries with it the compliance overhead and arbitration processes analogous to the TFE process. This “bright-line” approach removes the variability of entity defined methodologies that would prompt the need for external review.

City of Garland No No way to confirm that the criteria in attachment 1 will improve reliability over the risk based assessment methodologies developed by Responsible Entities.

Response: Thank you for your comments. The SDT believes that the implementation of Attachment 1 criteria will improve reliability through greater consistency of Critical Asset identification over the existing entity defined risk-based methodology.

NRG Energy Inc. No No we do not believe this will improve reliability significantly. It might provide improvement in what is defined as critical assets.





APPA CIP-002-4 Task Force No APPA Comments: APPA is concerned that designating all Blackstart Resources as critical will divert limited resources to protect blackstart facilities that are only used to restore localized load. We believe it is the intent of the drafting team to identify the truly critical blackstart units (taking from the CIP-010-1 draft; only high impact facilities). APPA understands that criteria 1.4 uniformly identify all Blackstart Resources listed in the Transmission Operator’s restoration plan as being Critical Assets with regards to the Bulk Electric System. Currently, many utilities include multiple Blackstart resources in the restoration plans provided to the Transmission Operator. Including numerous resources makes the plan much more robust and reliable as it provides additional well documented restoration options should unforeseen problems occur. As currently written, Item 1.4 inadvertently incentivizes utilities to remove blackstart resources from the restoration plan if these resources are not critical to an effective regional restoration plan, reducing the plan’s overall effectiveness. Therefore, we believe there should be a threshold for Blackstart Resources, similar to nearly all other elements being considered in Attachment 1. This would allow utilities the freedom to include numerous resources in the Transmission Operators restoration plan without being swept into being identified as a critical asset.To implement this approach, we believe it is imperative to consider the Blackstart Resource’s actual role in the restoration plan, not just its simple inclusion. For example, a 10 MW Blackstart Resource that directly supports restoration of a critical generating facility is much more important to the Bulk Electric System than a 10 MW Blackstart Resource that simply supplies local load during an outage. Therefore, APPA would propose judging the criticality of a Blackstart Resource by the relative importance of the generating unit(s) it directly supports.We would recommend rewording item 1.4 as follows, leveraging the existing language of criteria 1.15 and the capacity bright-line of criteria 1.13:1.4 Each Blackstart Resource identified in the Transmission Operator’s restoration plan, which meet either of the following criteria:1.4.1 Used to directly start generation identified as a Critical Asset in criteria 1.1 or 1.3, 1.4.2 Used to directly start generation greater than an aggregate of 300 MW.We believe this approach should provide a better measure of a Blackstart Resource’s potential impact on the Bulk Electric System, resulting in Critical Assets that adequately address system reliability in a practical manner. It also mitigates the likelihood that registered entities may decide to retire certain small blackstart units, thereby removing valuable but not critical blackstart resources from the Transmission Operator’s restoration plan.

Response: Thank you for your comments. Please refer to the response to your comments on Question 2.

IRC Standards Review Committee

No The assets that should be subject to protection under the NERC CIP Standards should not be driven by the physical assets that are implicated in maintaining physical system reliability from an operations and planning perspective. There is not a direct relationship between assets that are subject to protection under the CIP




standards and assets that form the basis for the current NERC understanding of planning and operating reliability. Nor should the scope of cyber assets be determined by the identification of physical asset by third parties. Under the current and proposed CIP Standards, the scope of jurisdictional cyber assets is driven by an entity’s Critical Assets, which are physical assets that impact system reliability from an operations/planning perspective (i.e. Critical Assets are defined as: Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.). In addition, the proposed standards include third party identification of critical assets. The Standards Drafting Team should take this opportunity to eliminate all of these inappropriate relationships. As an initial matter, the SDT should remove the term “Critical Assets” from the standard. This term should be replaced with a general term, such as “Assets Subject to Cyber Security Protection”. This change will eliminate the inappropriate cause and effect relationship between physical system reliability - i.e. operations and planning - and cyber security. Instead, the general term directly links the driver of asset identification to cyber security. The next step should focus on the explicit identification of assets that fall within this category. The identification should be based on an objective list of assets. This mitigates the problems that arise from the application of a subjective identification methodology. Attached to these comments is a proposed list, which is intended to be used as a starting point (see proposed Attachment 1 below). The SRC believes this list includes asset types that should be subject to the CIP standards. However, at this point, the list is illustrative and is not intended to be exhaustive. This approach enables the identification of assets that are subject to cyber security protection irrespective of their relationship to the definition of “Critical Asset”. By decoupling the assets subject to cyber protection from the subjective “Critical Asset” terminology, the proposed approach actually expands the number of assets that are subject to the CIP standards. This approach is a relative improvement because it provides certainty to the regulated community and the regulators by removing the subjectivity associated with the use of terms such as “critical” or “reliability”. In addition to the above recommendations, the SDT should also revise Attachment 1 to explicitly clarify which functional entities are responsible for the relevant asset types. A revised version of Attachment 1 that reflects the above recommendations is provided below. ************************************CIP-002-4 - Attachment 1 Assets Subject to Cyber Security ProtectionThe following are assets subject to Cyber Security Protection: 1. By the Generation Owner (GO):1.1. Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW. 1.2. Each resource asset that the GO’s Planning Coordinator identifies that if that asset is destroyed, degraded, misused or otherwise rendered unavailable, will violate one or more Interconnection Reliability Operating Limits (IROLs). 1.3. Each Blackstart Resource identified in the GO’s Transmission Operator's restoration plan.1.4. Each control center, control system, backup control center, or backup control system used to control generation greater than an aggregate of 1500 MWs in a single Interconnection.1.5. Each GO’s Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).2. By the




Transmission Owner (TO):2.1. Transmission Facilities operated at 500 kV or higher. 2.2. Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations.2.3. Each reactive resource or group of resources at a single location (excluding generation Facilities) having aggregate net Reactive Power nameplate rating of 1000 MVARs or greater.2.4. The Facilities comprising the Cranking Paths and initial switching requirements from the Blackstart Resource to the unit(s) to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where multiple path options exist. 2.5. Each resource asset that the TO’s Planning Coordinator identifies that if that asset is destroyed, degraded, misused or otherwise rendered unavailable, will violate one or more Interconnection Reliability Operating Limits (IROLs). 2.6. Common control system(s) capable of performing automatic load shedding of 300 MW or more within 15 minutes. 2.7. Each TO’s Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).2.8. Transmission Facilities identified by a nuclear asset owner as essential to meeting Nuclear Plant Interface Requirements.2.9. Transmission Facilities providing the generation interconnection required to directly connect generator output to the transmission system that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets described in Attachment 1, criterion 1.1 or 1.4. 2.10. Flexible AC Transmission Systems (FACTS) at a single station location, that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs). 3. By the Reliability Coordinator3.1. Each control center, control system, backup control center, or backup control system used to perform the RC functional obligations4. By the Transmission Operator4.1. Each control center, control system, backup control center, or backup control system used to perform the TOP functional obligations4.2. Each TOP’s Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).5. Balancing Authority5.1. Each control center, control system, backup control center, or backup control system used to perform the BA functional obligations

Response: Thank you for your comments. Please refer to the response to your comments on Question 2.

Bonneville Power Administration No The individual utility’s development and implementation of their risk-based methodology instills ownership in their process and is a positive result of the current CIP versions. For BPA, application of the bright-line assessment criteria for Critical Asset identification in the recent NERC data request resulted in fewer assets being classified in the high impact categorization. However, we see that if a utility’s implementation of the criteria resulted in more Critical Assets being identified with the corresponding implementation of security controls at those assets, then an improvement in reliability would occur.

Response: Thank you for your comments. While some entities may have a few assets fall off of its Critical Asset list, it is expected that overall more BES assets




in North America will be classified as Critical Assets.

PSEG Companies Yes

Pepco Holdings, Inc - Affiliates Yes

MRO's NERC Standards Review Subcommittee

No If Responsible Entities perform risk based assessments based on Engineering studies, as outlined in the version 3 Identifying Critical Assets reference document, we believe this would provide a more accurate listing of the truly critical assets as opposed to the new bright line approach of version 4. However, if the bright line approach is maintained going forward, we have included suggested improvements to the criteria under question #2.

Response: Thank you for your comments. The SDT believes that the implementation of Attachment 1 criteria will improve reliability through greater consistency of Critical Asset identification over the existing entity defined risk-based methodology. Please refer to the response to comments for Question 2.

Santee Cooper No We have put forth a best faith effort in producing a Vulnerability/Risk Assessment methodology that was thorough and fair. Our methodology produced critical assets that went beyond our control centers. It is our belief that the proposed standard will divert resources from maintaining system reliability to efforts which have little or no benefit. Our concern lies in a new process that will require us to submit large amounts of paperwork for new processes that will hinder rather than enhance system reliability. Many more assets will be arbitrarily added, resulting in large expenditures and personnel time. We would hate for BES reliability to suffer because of a focus shift to certain paperwork for assets which clearly do not impact or marginally impact overall Grid Reliability.


Dominion Yes Dominion believes that its Risk Based Methodology is sound in identifying Critical Assets, however we agree the new standard will provide more consistency across the interconnection.

Response: Thank you for your comments.

Edison Mission Marketing and Trading

No




Florida Municipal Power Agency Yes However, significant improvements can be made to Attachment 1 as described in the response to Question 2.

Response: Thank you for your comments. Please refer to the response to comments for Question 2.

PNGC Power Yes

WECC Agree with the approach of a bright line. However, stakeholders have indicated that the current criteria may lead to the identification of fewer Critical Assets. Need to make certain that the bright line criteria is "in the right place" to ensure the appropriate Critical Assets.

Response: Thank you for your comments. While some entities may have a few assets fall off of its Critical Asset list, it is expected that overall more BES assets in North America will be classified as Critical Assets.

Southern Company No As currently drafted, Southern believes that several of the proposed requirements could lead to a decrease in reliability of the bulk electric system.


Encari, LLC Yes

Arizona Public Service Yes

Edison Electric Institute Yes EEI believes that the adoption of a uniform and consistent methodology for the selection of Critical Assets will enhance the reliability of the bulk power system.


Tennessee Valley Authority (TVA)

Yes None.

PacifiCorp Yes PacifiCorp commends the Standards Drafting Team for the current version of proposed CIP-002-4, which is a marked improvement to the standard that is currently effective. The current risk-based assessment methodology allows for inconsistent interpretations of which assets are considered “critical.” Employing the same bright-line Critical Asset criteria for all responsible entities will result in greater consistency and




accuracy in the identification of such assets, and thus necessarily an improvement in reliability.


OGE No These changes benefit in reducing the compliance effort but do not improve reliability of the BES.


FMPA Yes However, significant improvements can be made to Attachment 1 as described in the response to Question 2.

Response: Thank you for your comments. Please refer to the response to comments for Question 2.

South Carolina Electric and Gas Yes

Pinellas County Resource Recovery Facility

No I don't think that the changes to the standard will decrease or increase reliability, but they do provide much needed clarity to the identification process.


Central Lincoln Yes


Yes

SPS Consulting Group Inc. No There is not enough data on historic or potential cyber threats to assess whether the proposed standard will have any affect on reliability.

Response: Thank you for your comment. The SDT believes that the implementation of Attachment 1 criteria will improve reliability through greater consistency of Critical Asset identification over the existing entity defined risk-based methodology.

Tacoma Power Yes Tacoma Power commends the SDT for its efforts in revising CIP-002-4. Tacoma Power agrees that the proposed standard will lead to an improvement in reliability when compared to the previous version. The inclusion of Attachment 1 will achieve the result of better defining systems as Critical Assets.





Green Country Energy No However it makes determining critical status much easier on the small generator


Illinois Municipal Electric Agency Yes

Minnkota Power Cooperative Yes

Horizon Wind Energy Yes

Union Power Partners LP Yes Somewhat. However, since the objective from day one has been protecting the BES from malicious manipulation from outside intruders, the wording in R2 should incorporate "Cyber assets accessible from outside the plant" that could - - - .

Response: Thank you for your comments. The set of CIP cyber security standards (CIP-002 to CIP-009) is a holistic approach to cyber security protection that applies to both internal and external threats.

MidAmerican Energy Company Yes CIP-002-4 is a step forward in achieving a uniform and consistent methodology of selecting Critical Assets within the industry.


North Carolina Membership Corporation

In the new Requirement R3, there is a reference to the “risk-based assessment methodology.” Under the revised standard there is no longer such a methodology and this language should be removed from the new R3.

Response: Thank you for your comments. Prior to the next ballot, this reference will be removed.

Hydro One Networks Inc. No We do not believe the standard will result in an improvement in reliability since the revisions merely replace the risk-based assessment methodology with a list of criteria that will ultimately result in inclusion of facilities on the Critical Assets list that are non-impactive on the BES. We do not agree with the removal of the exclusion that applies to facilities regulated by the Canadian Nuclear Safety Commission from the




Applicability Section, This explicit statement makes it clear that CIP standards do not apply to those facilities which would not be the case if it were removed.

Response: Thank you for your comments. The SDT believes that the implementation of Attachment 1 criteria will improve reliability through greater consistency of Critical Asset identification over the existing entity defined risk-based methodology. The SDT is aware that the removal of the nuclear plant exclusion in response to a FERC order brought Canadian nuclear plants into the CIP standards. That was unintentional and will be corrected in the revised standards next posted for ballot.

Dynegy Inc. No I think proposed CIP-002-4 can lead to improved reliability but various clarifications need to be made as further discussed below.

Response: Thank you for your comment. Please refer to the response to comments for Question 2.

Matrikon Inc. Yes

Northeast Utilities Yes

CenterPoint Energy No Whereas CenterPoint Energy does not believe the proposed revisions will lead to improved reliability, CenterPoint Energy is not necessarily opposed to revising CIP-002 to be a “bright line” criteria. However, CenterPoint Energy is concerned that ever-changing requirements represented by four versions of CIP-002 will add to the confusion of entities making good faith efforts to understand and comply with all the requirements embodied in the various CIP standards.


LCEC No NERC distributed a questionnaire to responsible entities to gauge the impact of the proposed changes to CIP-002-4. The bright line criteria has changed since this assessment was performed and will result in the inclusion of additional assets being categorized as Critical Assets. Existing studies prove that many of these assets are not Critical Assets and do not impact the reliability of the BES. The existing CIP3 - CIP9 standards are not being modified with the version four release even though there are many opportunities to improve these standards. A good example can be seen with the Technical Feasibility Exception (TFE) process. Why are entities and regulatory agencies being forced to spend a significant amount of time processing TFE’s because requirements don’t make sense? A good example is the common TFE for routers and switches that do not and cannot run antivirus software. Expanding the scope of these labor intensive and non-value added processes will only deter entities from implementing effective security measures and best practices. A prudent




approach would be to adjust the bright line criteria to ensure that the assets being included in the scope of the version four standards are truly Critical Assets. Once the security control standards are improved, the scope can be expanded to include medium and low impact cyber systems.

Response: Thank you for your comments. The SDT believes that the implementation of Attachment 1 criteria will improve reliability through greater consistency of Critical Asset identification over the existing entity defined risk-based methodology. The SDT agrees that other changes ultimately need to be made to the body of CIP cyber security standards, and expects to post them next year. The scope of CIP-002-4 was to address the consistency issues with the Critical Asset identification method. The team deliberately limited the scope of changes in this interim standard to minimize the impact on the industry while addressing the identified consistency issues.

Xcel Energy Yes We believe it has the potential to improve reliability by promoting consistency in the designation of critical assets.


Great River Energy No The Bright Line criteria will likely lead to the declaration of more critical assets. There is no way to judge whether this will lead to an improvement in reliability.


ITC Holdings Yes It will bring consistency.


Public Utility District No. 1 of Clark County

Yes The proposed CIP-002-4 standard adequately takes a major point of confusion out of the determination of Critical Assets by eliminating the reference to a risk-based methodology.


TransAlta

Exelon Yes

AECI Yes




N.W. Electric Power Cooperative, Inc.

Yes

Central Electric Power Cooperative

Yes


Yes

M & A Electric Power Cooperative

Yes

LCRA Transmission Services Corporation

Yes

Sho-Me Power Electric Cooperative

Yes

KAMO Power Yes

United Illumiinating Yes We support the brightline approach


Constellation Energy Commodities Group

Yes The attempt at additional clarity should assist in the identification of critical assets and is in support of FERC Order 706 paragraph 236.


Associated Electric Cooperative, Inc.

Yes

KAMO Electric Cooperative Yes




Northeast Missouri Electric Power Cooperative

Yes

NW Electric Power Cooperative, Inc.

Yes

Sierra Pacific Power d/b/a NV Energy

No While the new proposed CIP-002-4 will provide more clarity to responsible entities about which Assets are deemed “Critical”, this will not necessarily lead to any improvement in reliability. It sweeps in facilities that would, under most reasonable RBAM applications, be deemed non-Critical, and imposes security requirements that may be of little or no value. For example, there are numerous 345kV stations whose destruction would result in no material reliability consequence to the surrounding BES, yet under this proposal, these stations are Critical by prescription.



Yes

SDG&E Yes Comments: SDG&E generally agrees with the above statement to the extent that new assets may be identified that were not previously and to the extent the added comments submitted are considered.

Central Lincoln No As presently written, it may unintentionally bring in low/no impact equipment, thereby degrading reliability by spreading resources too thinly. We believe the SDT is on the right track, though.



Yes

National Rural Electric Cooperative Association (NRECA)

The mapping document is not an important part of the draft CIP-002-4 standard and does not have an impact on NRECA's view of the standard.




Response: Thank you for your comment.

Tampa Electric Yes

M&A Electric Power Cooperative Yes

MEAG Power No There are system reliability projects with greater priority that will improve reliability more than a project implementing the proposed CIP-002-4 standard. If funding is taken away from the projects, BES reliability will be worse.



Yes


Yes

FirstEnergy Corp Yes FE believes the increased consistency offered through Attachment 1 will likely provide greater coverage of BES transmission assets. Whether or not there is a reliability improvement gain for the bulk electric system will depend on whether or not there are cyber devices as the Critical Assets now included by the bright-line methodology.


Minnesota Power Yes Minnesota Power believes that the adoption of a uniform and consistent methodology for the selection of Critical Assets will enhance the reliability of the bulk power system. However, as posted, the revised CIP-002-4 R3 makes two references to the “risk-based assessment methodology”. A risk-based assessment methodology is no longer applicable under the other requirements of CIP-002-4; therefore these references in CIP-002-4 R3 should be removed.

Response: Thank you for your comments. Prior to the next ballot, this reference will be removed.

Manitoba Hydro No The question is difficult to answer in such a broad context. The improvement in reliability due to a change in




Critical Asset identification is unknown.


American Transmission Company

Yes ATC believes the adoption of a uniform and consistent methodology for the selection of Critical Assets will enhance the reliability of the BES.


Ameren No We believe that the proposed bright line criteria would provide uniformity and consistency in determining the critical assets by the registered entities. However, we do not believe that it will lead to an improvement in reliability for the following reasons: (1) The proposed bright line criteria are not based on any studies or performance testing. (2) The proposed bright line criteria do not address proximity to load centers or the impact to system flows or voltages in those load centers. Further, the bright line criteria will include many more facilities as critical assets with minimal to no improvement to reliability and would require significant resource commitment to meet in the proposed implementation plan time line.

Response: Thank you for your comments. (1) The SDT and volunteer industry participants have expended considerable effort to develop consistent Critical Asset Identification approaches. The team endeavored to include work already required by other standards, and provide some constraints for an entity’s assessment. These approaches, in their various iterations, have been presented to industry for review and comment. Significant feedback from the industry was the need to simplify the Critical Asset identification approach. We welcome your suggestions for improvement to the criteria. The Attachment 1 criteria were under development for CIP-010 when the team was asked to use the criteria for the basis of a new CIP Version 4 set of standards. The results of the recent NERC data request were used to assist the team in developing the criteria in Attachment 1. (2) Bright line criteria by its very nature may overreach in some areas and under reach in others, with the end result being a more protected system on average.

BGE Yes Procedure is now clarified and will identify more critical assets that should improve system reliability.


Beaches Energy Services (of City of Jacksonville Beach, FL)

Yes However, significant improvements can be made to Attachment 1, as described in my response to Question 2.

Response: Thank you for your comment. Please refer to response to comments in Question 2.




We Energies Yes We understand that the errata, which removes discussion of the “risk-based assessment methodology” from the proposed CIP-002-4 standard, would also apply to the mapping document. We appreciate the bright-line clarification to ensure consistent identification of Critical Assets throughout the industry.


City Utilities of Springfield, MO Yes City Utilities of Springfield, Missouri (SPRM) appreciates the work of the drafting team and welcomes the change to a standard that will state what the Critical Assets are and take away the ongoing debate. SPRM likes the idea of bright line criteria. It is a much simpler method to apply. SPRM believes this will potentially “lead to an improvement in reliability compared to the standard it proposes to replace.” It does appear that the standard will increase the number of Critical Assets by arbitrarily declaring that all assets of a certain type are Critical Assets e.g., 1.4., 1.5., 1.6., 1.7., 1.11., 1.13. and 1.14. But does that mean that BES reliability has really improved or have we just created more administrative tasks that are unnecessarily burdensome to both Regional Entities and Registered Entities? We continue to support the suggestions offered by the APPA Task Force and others during previous comment periods that a risk assessment based on engineering studies would provide a more accurate listing of the truly critical assets. It appears that some of the criteria in Attachment 1 have the potential to meet that objective e.g., 1.3., 1.8., 1.9., 1.10., 1.12. Therefore, SPRM has decided to vote negative on this ballot and hopes the drafting team will consider our comments.

Response: Thank you for your comments. Please refer to the comments in Question 2.

National Grid Yes First, the proposed standard will lead to an improvement in reliability for entities that are either newly registered or envision new assets coming under their CIP purview. However, based on a preliminary assessment, National Grid anticipates minimal impact of the proposed revisions for National Grid’s registered entities. Because National Grid’s current risk-based methodology for identifying critical assets is similar to the bright-line criteria proposed in the revision for CIP-002, National Grid’s current critical asset list is very inclusive Hence, from National Gird’s perspective, the proposed standard will not lead to a significant improvement in reliability with regard to National Grid’s facilities because it will not result in a significant increase in the number of assets identified as critical. Second, the proposed revision to the standard aims to replace the existing risk-based methodology with the new bright-line criteria. However, R3 of the proposed standard (reproduced below) still refers to the risk-based methodology. National Grid proposes to delete the reference to the risk-based methodology in R3 for consistency and to reduce the possibility of confusion on the part of senior managers attempting to comply with R3.

Response: Thank you for your comments. Prior to the ballot, the reference to risk-based methodology in R3 will be removed.




Lincoln Electric System No LES supports the comments submitted by the MRO NERC Standards Review Subcommittee (MRO NSRS). In addition, LES believes determining critical assets without the use of engineering studies severely limits the effectiveness of the exercise, especially when you consider this is an industry built substantially on engineering studies. A bright line approach may make it easier to identify critical assets, but that should not be confused with an improvement in accuracy. We believe an engineering study based assessment can result in the most accurate list of critical assets, in turn allowing us to truly improve system reliability by focusing the bulk of our efforts on protecting the assets that are truly critical.

Response: Thank you for your comments. Please refer to our response to MRO NERC Standards Review Subcommittee. The SDT believes that the implementation of Attachment 1 criteria will improve reliability through greater consistency of Critical Asset identification over the existing entity defined risk-based methodology.

Southwest Power Pool Regional Entity

Yes The addition of the Bright Line, while not perfect, gives certainty and uniformity to the identification of Critical Assets. The ambiguity and inconsistency brought by the entity-devised risk-based assessment methodology has been removed.


Indianapolis Power & Light Yes

Constellation Power Generation Yes Since no space was offered to accept comments on the applicability section, we offer some additional remarks in this section. There is no recognition within CIP2-004 of FERC’s conclusion that only equipment not regulated by the U.S. Nuclear Regulatory Commission (“NRC”) is subject to compliance with the CIP Reliability Standards. See Order 706-B, P. 1 and P. 7. In Order 706-B, FERC stated that “the Commission finds that the CIP Reliability Standards are applicable to all equipment within a nuclear power plant located in the United States that will not be subject to NRC’s cyber security regulations.” P. 7. In order to clarify the applicability of CIP2-004, Constellation Power Generation suggest adding the following language to the exemption section of the standard:4.2.2 Cyber Assets associated with Cyber Security Plans submitted to the U. S. Nuclear Regulatory Commission pursuant to 10CFR73.54.Cyber security regulations applicable to nuclear power plants are set forth in 10CFR73.74, as was noted by FERC. Order 706-B at fn. 6. These regulations are final and currently effective. This exemption language should be added to CIP-003 thru -009 as well.

Response: Thank you for your comments. The Applicability section has been revised to address nuclear plants.




Independent Electricity System Operator

No We do not believe the standard will result in an improvement in reliability since the revisions merely replace the risk-based assessment methodology with a list of criteria that will ultimately result in inclusion of facilities on the Critical Assets list that are non-impactive on the BES.


American Electric Power (AEP) No See comments for the questions below. Furthermore, This standard does not address the in process brightline jurisdictional work between the NRC and NERC as part of 706b. We suggest to the SDT that some consideration be made to referencing those activities.

Response: Thank you for your comment. The Applicability section has been revised to address nuclear plants.

Orlando Utilities Commission Yes

Oglethorpe Power Corporation No CIP versions 1-3 allow each entity to follow their own Risk Based Assessment Methodology, which could lead to an inconsistent application of the standards across the continent. CIP version 4 seeks to avoid this potentially inconsistent application by providing so-called “bright line” criteria which must be used by all Registered Entities to define their Critical Assets. While this version certainly succeeds in a uniform application of the standards across all Registered Entities, it is impossible to say whether this will result in a more reliable system for the following reasons:1. It is unknown whether the new criteria will lead to the inclusion of additional Assets or the exclusion of existing Assets in the Critical Asset list and more importantly,2. It is also unclear whether the new list of Critical Assets will include additional assets that affect the reliability of the system in a material way or whether some Assets which do affect the grid may now be excluded.3. It is still unclear how great a threat to reliability cyber threats really are and4. It is unknown how well the remaining CIP standards mitigate that threat.

Response: Thank you for your comments. 1.: The SDT believes that the implementation of Attachment 1 criteria will not only result in a more uniform identification of assets but will also result in a larger number of Critical Assets being identified in North America. 2.: Bright line criteria by its very nature may overreach in some areas and under reach in others, with the end result being a more protected system on average. 3. The utility industry has been addressing reliability from a contingency perspective for many years and has a good understanding of this analysis. Cyber security protection must consider possible malicious compromise of multiple assets (not just loss), where expected outcomes can have significantly more impact than single contingency outages. 4. The CIP standards provide a set of well known good security practices that are considered a minimum level of protection against potential cyber threats.

Brazos Electric Power No The proposed standard will improve clarity for documentation and audit purposes but it does not necessarily




Cooperative, Inc. leads to improvement in reliability.


Midwest ISO No While changing this standard to bright line criteria does make it easier to understand when an asset is critical and makes the standard easier to enforce, it is unlikely to result in an improvement in reliability. Protecting the electric industry’s portion of the national infrastructure is a complicated and challenging problem that requires a complex solution. While applying bright line criteria may represent an easily understandable solution, it does not represent the complex solution that this problem requires. Thus, the criteria will likely result in assets being selected as Critical Assets when they are not truly critical and assets that are truly critical not being selected as Critical Assets. It is even possible that it could result in a net decrease in assets covered. Even if there is a net increase in assets covered, the assets are in all likelihood already protected against cyber threats for business reasons.

Response: Thank you for your comments. The SDT believes that the implementation of Attachment 1 criteria will improve reliability through greater consistency of Critical Asset identification over the existing entity defined risk-based methodology. Bright line criteria by its very nature may overreach in some areas and under reach in others, with the end result being a more protected system on average. While some entities may have a few assets fall off of its Critical Asset list, it is expected that overall more BES assets in North America will be classified as Critical Assets.

Duke Energy Yes However, CIP-003 through CIP-009 need modifications other than just changing the revision numbers, as evidenced by numerous interpretation requests and general confusion in the industry. While we understand that the plan is to complete those modifications in 2011, industry will be adding numerous Critical Assets and Critical Cyber Assets due to these revisions to CIP-002. Applying the current versions of CIP-003 through CIP-009 to numerous additional Critical Cyber Assets compounds the difficulty of maintaining compliance without more clear direction.

Response: Thank you for your comments. The SDT agrees that other changes ultimately need to be made to the body of CIP standards, and expects to post them next year.

Seminole Electric Cooperative, Inc.

No

Progress Energy Yes





New York Independent System Operator

Cowlitz County PUD Yes However, as written it is too inclusive. Cowlitz believes the attachment to the standard will draw in more than just the High Impact categories. Facilities categorized as Critical Assets in CIP-002-4 should not later be categorized as Medium or Low Impact after implementation of CIP-010 and CIP-011. Please refer to APPA comments; suggested changes to the attachment: 1.3 Each generation Facility that the Planning Coordinator or Transmission Planner designates as required to avoid BES Adverse Reliability Impacts for 1 year or longer.; 1.4 Each Blackstart Resource identified in the Transmission Operator’s restoration plan, which meet either of the following criteria: 1.4.1 Used to directly start generation identified as a Critical Asset in criteria 1.1 or 1.3, 1.4.2 Used to directly start generation greater than an aggregate of 300 MW; 1.7. Each Transmission Facility operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher where the TPL peak load studies of the Planning Coordinator or Transmission Planner identifies the sum of the incoming power flows or the sum of the outgoing power flows to exceed 1500 MW; 1.8. Transmission Facilities at a single station or substation that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs) as determined by the Reliability Coordinator; 1.13 Common control system(s) configured to perform automatic load shedding of 300 MW or more within 15 minutes; 1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator with a minimum of 1500 MW of resources under its control; 1.15 Each control center or backup control center used to control multiple generation units identified as Critical Assets designated under criterion 1.3 or used to control generation greater than an aggregate of 1500 MWs in a single Interconnection.

Response: Thank you for your comments. Please refer to the comments in Question 2.


Kansas City Power & Light No Absent engineering analysis and study, the proposed changes and bright line established in this Standard does not ensure an improvement to system reliability. It is possible this proposed Standard will impose additional obligations to protect assets that do not contribute to ensuring the reliability of the bulk electric system taking resources of time and money to support compliance efforts to meet these proposed requirements and taking those resources away from other efforts that could have a positive impact on improving bulk electric system reliability.

Response: Thank you for your comment. Bright line criteria by its very nature may overreach in some areas and under reach in others, with the end result being a more protected system on average.



2.

CIP-002-4 Attachment 1 contains criteria that define elements that must be classified as Critical Assets. Do you have any suggestions that would improve the proposed criteria? If so, please explain and provide specific suggestions for improvement.

Summary Consideration: In response to question 2, most commenters had suggestions for improvement to the criteria for critical assets listed in Attachment 1. The SDT appreciates these comments and incorporated many of them to improve clarity and consistency. Some of the comments reflected a misunderstanding of a specific criterion, and in those instances the SDT provided additional guidance in the response to comments and modified the associated guidance document for identifying Critical Assets. The SDT believes that the implementation of Attachment 1 criteria will increase the overall consistency of Critical Asset identification. Specific summary analysis of each criterion follows, along with a summary of responses.

Criterion 1.1 defines as Critical Assets “Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW.” Commenters requested clarification on “single plant location.” Clarity on this issue was provided in the posted guidance document. Single plant location refers to a group of generating units occupying a defined physical footprint and designated as an individual “plant” using commonly accepted generating facility terminology. The units do not necessarily have to be connected to the BES at the same substation or interconnection point in order to be considered a single plant. Other commenters questioned why we no longer used Contingency Reserve in the criteria, and how the SDT arrived at the value of 1500 MW. In prior postings of CIP-002-4 and CIP-010-1 there was wording about reserve sharing for the threshold. The SDT received feedback that that wording was confusing, that the amount referred to in the reserve sharing was not a specific amount, and that the amounts changed daily. The SDT performed an informal survey of the regions and identified what the megawatt value of the reserve sharing would be for various groups. The SDT used 1500 MW as a number derived from the most significant Contingency Reserves operated in various Balancing Authorities in all regions. Some commenters suggested the use of capacity factor in the criterion. The SDT debated whether to include capacity factor in this criterion. The reason the SDT ultimately chose not to include capacity factor is twofold. There is no consistent method to select an appropriate capacity factor, and low capacity factor units may be critical to the system at peak load conditions. There was also a concern that some units might fall below the line during major outage periods, taking them off the Critical Asset list one year and putting them back on the list the next year. After considering all of the comments, the SDT chose not change the wording of criterion 1.1.

Criterion 1.2 defines as Critical Assets “Each reactive resource or group of resources at a single location (excluding generation Facilities) having aggregate net Reactive Power nameplate rating of 1000 MVARs or greater.” Some commenters questioned how the value of 1000 MVARs was derived. The value of 1000 MVARs used in this criterion was deemed reasonable for the purpose of determining criticality. Some commenters suggested combining criterion 1.2 with criterion 1.9. FACTS devices in 1.9 are specifically related to IROLs, whereas the reactive resources in 1.2 are not limited to IROL applications. Some commenters suggested that the limit should be set by each Regional Reliability Organization. The issue with using different MVAR values in each region is that it does not meet the objective of uniform application of Critical Asset identification across all entities. After considering all of the comments, the SDT chose not change the wording of criterion 1.2.

Criterion 1.3 defines as Critical Assets “Each generation Facility that the Planning Coordinator or Transmission Planner designates as required for reliability purposes.” Many commenters felt that this criterion places the responsibility for identifying



the asset with the wrong entity (not the asset owner). Other commenters noted that the use of the NERC Glossary term “Adverse Reliability Impacts” would help clarify which units should be in this category. Others expressed concern that the criterion should mandate the coordination and approval process between the Transmission Planner and entity that have been designated critical by the Transmission Planner. Still others stated that this criterion is open for auditors to interpret. The SDT responded that the burden for identifying Critical Assets is with the Responsible Entity that is the asset owner. There is no burden or obligation placed on the Planning Coordinator or Transmission Planner to designate any unit as needed for reliability. Based on the comments received, this criterion has been reworded to “Each generation Facility that the Planning Coordinator or Transmission Planner designates and informs the Generator Owner or Generator Operator as necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon.”

Criterion 1.4 defines as Critical Assets “Each Blackstart Resource identified in the Transmission Operator's restoration plan.” Many commenters expressed concern that designating all Blackstart Resources as critical will divert limited resources to protect blackstart facilities that are only used to restore localized load. Others stated that blackstart units deemed critical should be only those identified by the TOP as specified to meet the minimum critical blackstart requirement. Some expressed concern that criterion 1.4 inadvertently provides incentive to utilities to remove resources from the restoration plan, reducing the plan’s overall effectiveness. The SDT specifically chose the NERC Glossary term “Blackstart Resources” to address the concerns expressed. A Blackstart Resource is defined as “A generating unit(s) and its associated set of equipment which has the ability to be started without support from the System or is designed to remain energized without connection to the remainder of the System, with the ability to energize a bus, meeting the Transmission Operator’s restoration plan needs for real and reactive power capability, frequency and voltage control, and that has been included in the Transmission Operator’s restoration plan.” EOP-005-2 R1.4 states that the restoration plan must include “Identification of each Blackstart Resource and its characteristics including but not limited to the following: the name of the Blackstart Resource, location, megawatt and megavar capacity, and type of unit.” The SDT feels that these Blackstart Resources must be classified as Critical Assets. It should be noted that not all blackstart generators must be designated as Blackstart Resources. After considering all of the comments, the SDT chose not change the wording of criterion 1.4.

Criterion 1.5 defines as Critical Assets “The Facilities comprising the Cranking Paths and initial switching requirements from the Blackstart Resource to the unit(s) to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where multiple path options exist.” Some commenters stated that additional qualifying criteria should be added such as "Cranking Paths to critical units as identified in a region’s restoration plan." The SDT noted in its response that there is no longer any NERC requirement to have a region restoration plan. Others asked for clarity around where the point of multiple paths lies in the electrical system. The SDT noted in its response that the point where multiple paths exist in the Cranking Path is the step in the Transmission Operator’s restoration plan per EOP-005-2 R1.5 “Identification of Cranking Paths and initial switching requirements between each Blackstart Resource and the unit(s) to be started” where the Transmission Operator can choose between the next Facilities on the BES to energize. Some commenters expressed concern over the phrase “initial switching requirements.” Based on the comments received, this criterion has been reworded to “The Facilities comprising the Cranking Paths and meeting the initial switching requirements from the Blackstart Resource to the first



interconnection point of the generation unit(s) to be started, or up to the point on the Cranking Path where two or more path options exist, as identified in the Transmission Operator's restoration plan.”

Criterion 1.6 defines as Critical Assets “Transmission Facilities operated at 500 kV or higher.” Commenters expressed that voltage alone is not a sufficient criterion to determine whether or not an asset is critical to the bulk electric system. They suggested that the SDT should consider using capacity or flows based on power flow studies instead of nominal voltage level as the bright line. The SDT responded that all Transmission Facilities operated at 500 kV or higher do not require any further qualification for their role as components of the backbone on the Interconnected BES. Furthermore, the SDT does not feel that capacity or power flow analysis (impact-based or risk-based) would lead to a consistent application of the criteria, due to the numerous factors which can impact substation power flows. Such a study would need to be rigorously defined for the industry. The SDT will take this suggestion under consideration for future revisions. After considering all of the comments, the SDT chose not change the wording of criterion 1.6.

Criterion 1.7 defines as Critical Assets “Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations.” Some commenters provided the suggestion that criterion 1.7 should be reworded to "stations or substations" instead of just "stations" so that it is not implied that it only applies to power plants (stations). Others commented that the SDT should adopt a power flow based bright-line rather than whether the station is connected to three or more other stations, similar to comments for criterion 1.6. Again, the SDT does not feel that power flow analysis (impact-based or risk-based) would lead to a consistent application of the criteria, due to the numerous factors which can impact substation power flows. Such a study would need to be rigorously defined for the industry. Still others commented that the statement regarding "three or more other transmission stations" is confusing. Does the criterion include stations upstream, downstream, networked or radial? Does the criterion include a radial 345 kV substation connected to a generator? The SDT response is that the intent of criterion 1.7 is to classify as Critical Assets all Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations. That includes upstream, downstream, networked, and radial. It should be noted that connections to generators or generation-only substations are not counted in this criterion, since the criterion specifically states “three or more other transmission stations.” The source to the radial substation may be considered a Critical Asset, but the radial substation would not be considered a Critical Asset since by definition it cannot be connected to three or more transmission substations. Based on the comments received, this criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”

Criterion 1.8 defines as Critical Assets “Transmission Facilities at a single station location that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).” Some commenters stated that this criterion should be modified because loss of facilities does not cause an IROL violation. An IROL includes a limit and a time constant Tv. In order for an IROL violation to occur, the limit must be exceeded for at least the time constant Tv. Others commented that additional language should be added to clarify that the TO, LSE, etc. is not responsible for demonstrating IROLs. The SDT responded that according to FAC-014-2 IROLs are established by Transmission Operators, Transmission Planners, and Planning Authorities. The Reliability Coordinator ensures that IROLs are established and are consistent with its methodology. Based on the comments received, this criterion has been reworded to “Transmission Facilities



at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”

Criterion 1.9 defines as Critical Assets “Flexible AC Transmission Systems (FACTS) at a single station location, that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).” Some commenters felt that the term FACTS should be added to the NERC Glossary. FACTS is defined by IEEE as: “Alternating Current Transmission Systems incorporating power electronics-based and other static controllers to enhance controllability and power transfer capability.” Commonly accepted terms and definitions do not require an insertion in the NERC Glossary. Some questioned why FACTS devices were singled out in the criteria. FACTS devices were singled out to ensure that there was no confusion as to whether or not they were considered Critical Assets. Other comments followed a similar vein as criterion 1.8. Based on the comments received, this criterion has been reworded to ”Flexible AC Transmission Systems (FACTS), at a single station or substation location, that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”

Criterion 1.10 defines as Critical Assets “Transmission Facilities providing the generation interconnection required to directly connect generator output to the transmission system that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets described in Attachment 1, criterion 1.1 or 1.3.” Some commenters asked for clarity about the term “directly connected.” Additional questions concerned whether the language means total loss of a substation or only partial. The intent of this criterion is to ensure the availability of Facilities necessary to support generation Critical Assets. Any Transmission Facility the loss of which would result in the loss of a Critical Asset identified in criterion 1.1 or 1.3 would need to be classified as a Critical Asset. This might include the partial or total loss of a substation. Based on the comments received, this criterion has been reworded to “Transmission Facilities providing the generation interconnection required to connect generator output to the transmission system that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets identified by any Generator Owner as a result of its application of Attachment 1, criterion 1.1 or 1.3.”

Criterion 1.11 defines as Critical Assets “Transmission Facilities identified as essential to meeting Nuclear Plant Interface Requirements.” Some commenters stated that criterion 1.11 should be eliminated on the basis that is not based upon BES reliability considerations and that criticality of facilities should not be fuel specific. Criterion 1.11 is based on NUC-001-2 R9.2.2 “Identification of facilities, components, and configuration restrictions that are essential for meeting the NPIRs.” Since these facilities were deemed so important that a NERC reliability standard was written and adopted to clarify the issue, the SDT determined that this was adequate justification to include them as Critical Assets. Some felt that this criterion should be limited to Transmission Facilities providing offsite power requirements. Since NUC-001-2 is not limited to offsite power requirements, it did not seem appropriate to limit this criterion. After considering all of the comments, the SDT chose not change the wording of criterion 1.11.

Criterion 1.12 defines as Critical Assets “Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, violate



one or more Interconnection Reliability Operating Limits (IROLs).” Comments similar to those for criterion 1.8 concerning IROLs were received on this criterion. Based on the comments received, this criterion has been reworded to “Each Special Protection System (SPS), Remedial Action Scheme (RAS), or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limits (IROLs) violations for failure to operate as designed.”

Criterion 1.13 defines as Critical Assets “Common control system(s) capable of performing automatic load shedding of 300 MW or more within 15 minutes.” Some commenters stated that the wording of this criterion will inadvertently bring in all SCADA systems with the capability of shedding load even if such SCADA systems are in fact not planned or operated to perform load shedding. This was not the intent of the SDT. Other commenters stated that this item needs to be clarified to confirm that it applies to a single common control system only, and not multiple but separate “like” systems that in aggregate are capable of load shedding up to 300 MW. Also, the criterion needs to be clarified to confirm that it applies to systems “configured” for automatic load shedding, not simply just “capable” of load shedding. Still others stated that this criterion should use the same "bright line" as generation, 1500 MW. This criterion was intended to include as Critical Assets regional Under Frequency Load Shedding and Under Voltage Load Shedding schemes. Based on the comments received, this criterion has been reworded to “Each system or facility that performs automatic load shedding, without human operator initiation, of 300 MW or more implementing Under Voltage Load Shedding (UVLS) or Under Frequency Load Shedding (UFLS) as required by the regional load shedding program.”

Criterion 1.14 defines as Critical Assets “Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator.” No commenter stated that this criterion was inappropriate for Reliability Coordinators. Several commenters stated that the term “control center” needs to be defined in the NERC Glossary. At this time, the SDT is choosing not to add control center to the NERC Glossary. It was felt that defining this term under this proposed version of the Standard would have far-reaching impacts beyond the scope of CIP-002-4 to CIP-009-4. This term is used in other approved NERC standards already in effect. Many commenters stated that control centers for Balancing Authorities (BA) and Transmission Operators (TOP) need bounds. It was stated that a small BA or TOP that does not have any other Critical Assets does not need all of the Requirements in CIP-003-4 to CIP-009-4 applied to them. After considerable discussion, it was determined by the SDT that these “small” BAs and TOPs could be addressed in the next version of the standard. Based on the comments received, this criterion has been reworded to “Each control center or backup control center used to perform the functional obligations of the Reliability Coordinator.” A new criterion 1.16 (the posted criterion 1.16 has been removed, see explanation below) has been added which states “Each control center or backup control center used to perform the functional obligations of the Transmission Operator that includes control of at least one asset identified in criteria 1.2, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11 or 1.12.” A new criterion 1.17 has been added which states “Each control center or backup control center used to perform the functional obligations of the Balancing Authority that includes at least one asset identified in criteria 1.1, 1.3, 1.4, or 1.13. Each control center or backup control center used to perform the functional obligations of the Balancing Authority for generation equal to or greater than an aggregate of 1500 MWs in a single Interconnection.”



Criterion 1.15 defines as Critical Assets “Each control center or backup control center used to control generation identified as a Critical Asset, or used to control generation greater than an aggregate of 1500 MWs in a single Interconnection.” Comments received on this criterion were similar to those received on criterion 1.1 and criterion 1.14. Based on the comments received, this criterion has been reworded to “Each control center or backup control center used to control generation at multiple plant locations, for any generation Facility or group of generation Facilities identified in criteria 1.1, 1.3, or 1.4. Each control center or backup control center used to control generation equal to or exceeding 1500 MWs in a single Interconnection.”

Criterion 1.16 defines as Critical Assets “Any additional assets that the Responsible Entity deems appropriate to include.” This criterion was placed in Attachment 1 to provide Responsible Entities the flexibility to include addition items on their Critical Asset list that did not meet any other criterion in Attachment 1. Many commenters stated that this was contrary to providing a bright line for Critical Asset identification. In addition, it has the potential of causing issues in compliance audits. For these reasons, criterion 1.16 in its current form was deleted from Attachment 1.



Yes Item 1.1: 1500 MW is too high a value that will not capture a significant number of large generation assets which are needed for reliability. 300 MW is a more realistic value consistent with a similar impact that Load Serving Entities have in Item 1.13. Recommend revised language, "Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 300 MW."

Item 1.3 “Each generation Facility that the Planning Coordinator or Transmission Planner designates as required for reliability purposes.” This latest version of the CIP Standard establishes that “the Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the criteria contained in CIP-002-4 Attachment 1 - Critical Asset Criteria.” Therefore, Item 1.3 appears to establish that if a PC/TP designates a generation facility as “required for reliability purposes”, the Registered Entity shall determine that the generation facility is an identified Critical Asset. This Item must be struck from Attachment 1 for numerous reasons. First, the current version of Item 1.3 has the same problems as the proposal to include “reliability must run” in the Criteria and, in an even earlier draft, to assign responsibility to a so-called “Reliability Assurer”. As many commented in prior drafts of the CIP Standard, Criteria like that proposed for Item 1.3 are undefined and places the responsibility for identifying the asset with the wrong entity. Specifically: (a) unlike the other Items in the Attachment, Item 1.3 lacks specificity required for providing registered entities with clear guidance on which assets should be deemed critical under CIP-002. Even if the PC/TP were the correct party for making such identifications (which it is not), the Item contains no guidance on how to make such determinations. (b) By placing the PC/TP in the responsible position for identifying which assets are needed for reliability, the Item conflicts with Order No. 706 (as explained further below), stating that the Registered Entity is responsible for identifying their own critical assets. FERC has




stated that the Registered Entities which own the assets are responsible for identifying their assets, and that they should receive guidance from NERC. Item 1.3 does not contain such guidance. (c) Furthermore, with the way Item 1.3 is structured in the Attachment, it also is likely to have the effect of disincentivizing Registered Entities from analyzing whether their own assets are critical, as they are likely to simply wait to be notified from their PC/TP as to whether they are needed for reliability. Even if Item 1.3 is meant only to apply to a Planning Coordinator/Transmission Planner doing “exception-type” reviews, including this role in the Standards suggests that so long as a Responsible Entity does any type of engineering evaluation, the Responsible Entity can effectively shift responsibility to the external reviewer. Because there is no sanction for incomplete or non-substantive evaluations, the Planning Coordinator/Transmission Planners may be deluged with requests to “exempt” assets from the Attachment 1 categorization. This language would effectively undermine FERC’s direction that Responsible Entities remain responsible for classifying their assets and they cannot shift this responsible to the Regional Entity or another Organization. See Order No. 706 at P328. (d) the item fails to provide necessary guidance in that it does not guide the PC/TP as how to assess what risks to take into account for making its determination about whether the facility is “required for reliability purposes”. This is especially problematic given the views that cyber-attacks are intentional and malicious in nature and NERC’s position that N-1 criteria is not a sufficient basis for determining which assets need to be protected for CIP Standards. See “Critical Cyber Asset Identification”, Memo from Michael Assante to Industry Stakeholders (dated April 7, 2009) (available at: http://www.nerc.com/fileUploads/File/News/CIP-002-Identification-Letter-040709.pdf) Second, to the extent that the SDT and NERC desire, third-party review of a Registered Entity’s determinations, that review should be handled through the NERC Rules of Procedure/CMEP, and not in the Standard Requirements. The key parts of Order No. 706 (and 706-A) set out three (3) principles.(I) Responsible entities are, and should remain, responsible for identifying their own assets as requiring critical infrastructure protection. The SDT makes clear in the plain language of the Standard that Responsible Entities are responsible for their own assets. Paragraph 328 of Order No. 706 states that: “responsibility for identifying critical assets should not be shifted to the Regional Entity or another organization instead of the applicable responsible entities identified in the current CIP Reliability Standards. As we stated in the CIP NOPR, and confirmed by commenters, such a shift would not improve the identification of critical assets, but would likely overburden the Regional Entities. While we are sympathetic to AMP Ohio’s concerns regarding small generation owners, generation operators and load serving entities that have a limited view of the Bulk-Power System, we believe that NERC’s development of guidance on the risk-based assessment methodology and our direction above to provide assistance to small entities should support the efforts of entities - both small and large - in performing a proper assessment. We do not believe that the lack of a wide-area view is sufficient reason to forego an assessment or taking responsibility.” See also Order No. 706-A at P53 (: “The responsibility for properly identifying all of a responsible entity’s critical assets and critical cyber assets and adequately protecting those assets rests firmly with the responsible entity. The fact that the Commission has directed the ERO to develop an external review process - as a backup to help assure that the responsible entity does not overlook any critical assets - does




not shift this responsibility from the responsible entity to whatever entity conducts the external review.”) (II) NERC and the Regions should issue guidance to Responsible Entities that do not have a “wide-area” view in order to assist them in identifying which of their assets required critical infrastructure protection (Order No. 706 at P322). The SDT had provided guidance in the form of the Standard itself - i.e., Attachment 1. This Draft Standard effectively directs Registered Entities on how to classify their assets.(III) External review is necessary to: (a) help identify trends in the industry (Order No. 706 at P322 and to support consistency (Id.), and is necessary to review asset more frequently than would occur through the regular audit cycle. (Order No. 706 at P324) (FERC “does not believe that the audit process will provide timely feedback to a responsible entity regarding critical asset determinations”). FERC has explained that NERC may choose to “designate” a Registered Entities (such as, but not necessarily, a Reliability Coordinator) as responsible for this external review if NERC/Regional Entities determined that they did not have the resources/expertise to conduct this review. (Order No. 706 at P255)( “[w]hile we believe that there is a need to assist entities that lack a wide-area view, we are mindful of the ERO’s concern that it would place an undue burden on it and the Regional Entities. If the ERO believes that it and the Regional Entities do not have sufficient resources to take on this responsibility, it should designate another type of entity with a wide-area view, such as a reliability coordinator, to provide needed assistance. This approach is consistent with our determination (discussed later in this Final Rule) regarding the external review of critical asset lists. Accordingly, we direct either the ERO or its designees to provide reasonable technical support to assist entities in determining whether their assets are critical to the Bulk-Power System”). In Order No. 706-A, FERC added that if NERC designated a Reliability Coordinator as having oversight/review authority, the Reliability Coordinator should have the same liability protections as NERC. (Order No. 706-A at P53).In drafting CIP-002-4, Item 1.3 takes a wrong approach to addressing the Commission’s concerns in Order No. 706. With regard to the need for more frequent external review than that provided by audits can and should be handled outside of the Standard Development Process. For example, NERC and the Regions can establish spot-checks or off-site audits through the CMEP program, and NERC can require Responsible Entities to submit information to it (or the Regions) through an information request developed under its Rules of Procedure. If the SDT and NERC address the role of third party review through NERC’s administration of its Rules of Procedures, many significant problems with Item 1.3 would be eliminated. These problems are summarized below.It is premature to place “Planning Coordinators/Transmission Planner” in the Standard. Because NERC has not found that it lacks sufficient resources to take on the external review responsibility, and thereby has not “designated” any other type of Registered Entity with this responsibility, it is premature for the Standard to make reference to the Planning Coordinator/Transmission Planner. See Order No. 706 at P255 ( “[w]hile we believe that there is a need to assist entities that lack a wide-area view, we are mindful of the ERO’s concern that it would place an undue burden on it and the Regional Entities. If the ERO believes that it and the Regional Entities do not have sufficient resources to take on this responsibility, it should designate another type of entity with a wide-area view, such as a reliability coordinator, to provide needed assistance. This approach is consistent with our determination (discussed later in this Final Rule) regarding the external review




of critical asset lists. Accordingly, we direct either the ERO or its designees to provide reasonable technical support to assist entities in determining whether their assets are critical to the Bulk-Power System”). If the Standard Drafting Team is committed to including in its Standard reference to a Registered Entity as having external review oversight, it should wait until NERC makes its designation.Assigning external review responsibilities to Planning Coordinators/Transmission Planners, as opposed to Regional Entities, is likely to fail to achieve FERC’s goal of consistency. Because NERC and the Regional Entities work closely as part of their Regional Entity Delegation Agreement, and because there are fewer Regional Entities than Reliability Coordinators, achieving consistency will be easier if the Regional Entities have the external oversight responsibility. Importantly, because the Standard offers no guidance to Planning Coordinators/Transmission Planners on how to determine if generation facilities are needed for reliability under CIP-002, consistency is unlikely to be achieved.Even if NERC “designates” a Registered Entity (such as, perhaps, the Planning Coordinator/Transmission Planner) as having a role in providing external review, the Registered Entity should have the same liability protections as NERC, as the Registered Entity is essentially carrying out this role as a NERC-designee. It is easier to capture the roles, responsibilities and liabilities protections through amendment to the Delegation Agreements and Rules of Procedure. In Order No. 706-A, FERC reaffirmed the protections given to external reviewers. See Order No. 706-A at P53 (““we agree [with the ISO/RTO Council] that entities designated by the ERO to perform reviews of a responsible entity’s critical asset list should receive the same liability protection for performing this review that the ERO or Regional Entity would have if it performs this review itself.”). These protections include no finding of liability unless intentional misconduct or gross negligence is found. See, e.g., Bylaws at Section 3 (NERC’s trustees, officers, employees, and agents are held harmless “for any injury or damage to [any NERC Member] caused by any act or omission of any trustee, officer, employee, agent, or volunteer in the course of performance of his or her duties on behalf of the Corporation, other than for acts of gross negligence, intentional misconduct, or a breach of confidentiality”). In sum, the SRC recognizes that a different set of expectations may apply to those Regional Entities that are also Registered Entities (e.g., WECC). These entities already have liability protections per their NERC delegation agreements, and in their role as Regional Entities, they ultimately have authority over whether the Responsible Entity has correctly identified bulk power system assets as subject to critical infrastructure protection. Similarly, some of the Canadian Reliability Coordinators (e.g., IESO through its enforcement group) exercise similar oversight authority as a Regional Entity with regard to other Registered Entities.

The Critical Assets listed in 1.6 and 1.7 would have the undesired result of having facilities included that will have no impact on BES reliability. The list of applicable facilities should be determined following an impact-based assessment to be performed by the Reliability Coordinator. If necessary, an additional requirement for the RC to have a risk-based assessment methodology, and to conduct/review the assessment should be included. Suggest 1.6 and 1.7 be reworded as follows:1.6 Transmission facilities operated at 500kV or higher, unless the annual review performed by the RC determines that destruction, degradation or unavailability of those assets will have no impact outside the local area and will not cause BES instability,




separation, or cascading outages.1.7 Transmission Facilities operated at 300 kV or higher to less than 500 kV at stations interconnected at 300 kV or higher with three or more other transmission stations, unless the annual review performed by the RC determines that destruction, degradation or unavailability of those assets will not have impact outside the local area and will not cause BES instability, separation, or cascading outages.

Item 1.15: Size should not be a consideration when determining CA criteria for control centers, control systems, backup control centers and backup control systems used to control generation. Recommend removal of this item and add Generation Operator to this list of functional entities included in Item 1.14.

General: Due to the interconnected nature of responsible entities as well as the downstream requirements of entities to act on information from another party, the listing in Attachment 1 does not adequately address the risk that an entity poses to another entity. For example, not all control centers with ICCP connectivity to RC/BA/TOP are required to be categorized as Critical Assets. Paragraph 256 of FERC Order 706 highlights the issue in this oversight. “A cyber attack can strike multiple assets simultaneously, and a cyber attack can cause damage to an asset for such a time period that other asset outages may occur before the damaged asset can be returned to service. Thus, the fact that the system was developed to withstand the loss of any single asset should not be the basis for not protecting that asset.” It should further assert that the protection should be afforded to those connected to the asset or relying on information from the asset to facilitate real-time operations.Include the class of assets - generation, transmission, and control centers against each criterion in Attachment 1. This will help entities to clearly identify which requirements fall under different classes of assets. For example - 1.5 The Facilities comprising the Cranking Paths and initial switching requirements from the Blackstart Resource to the unit(s) to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where multiple path options exist. (Generation, transmission)


Item 1.1 - Prior drafts had wording about reserve sharing for the threshold. The SDT received feedback that that wording was confusing, that the amount referred to in the reserve sharing was not a specific amount, and that the amounts changed daily. The drafting team conducted an informal survey of the regions, and identified what the megawatt value of the reserve sharing would be for various groups. The drafting team used 1500 MW as a number derived from the most significant Contingency Reserves operated in various BAs in all regions. Based on information provided on the DOE website, the SDT believes that an increased amount of generation capacity will be classified as Critical Assets in the US.

Item 1.3 – The burden for identifying Critical Assets resides with the Responsible Entity that is the asset owner. The Planning Authority and/or Transmission Planner are not designating the asset as critical for CIP purposes; they are determining the unit to be necessary to avoid Adverse Reliability Impacts based on other NERC reliability standards. This criterion has been reworded to “Each generation Facility that the Planning Coordinator or Transmission Planner designates and informs the Generator Owner or Generator Operator as necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon.”




Items 1.6 and 1.7 – You propose to add the criteria that the RC can determine through a risk based evaluation that destruction, degradation or unavailability of certain assets will have no impact outside the local area and will not cause BES instability, separation, or cascading outages. The inclusion of a risk-based evaluation by any entity would not meet the objective of uniform application of Critical Asset identification across all entities. Criterion 1.7 has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”

Item 1.15 – This designates generation control centers that control generation Facilities as Critical Assets or used to control generation greater than an aggregate of 1500 MW in a single Interconnection as Critical Assets. In the development of this criterion, the drafting team used 1500 MW as a bright line for aggregate generation controlled based on the bright-line used in Part 1.1.

General –The scope of CIP-002-4 was to address the consistency issues with the Critical Asset identification method. The team deliberately limited the scope of changes in this interim standard to minimize the administrative impact on the industry while addressing the identified consistency issues. The drafting team agrees that the issue of Cyber Security and Cyber Security protection is extremely complicated. The Attachment 1 criteria were under development for CIP-010 when the team was asked to use the criteria for the basis of a new CIP Version 4 set of standards. The team expects to continue its work on a functional approach after Version 4.

City of Garland Yes Attachment 1 - 1.15 states “Each control center or backup control center used to control generation identified as a Critical Asset, or used to control generation greater than an aggregate of 1500 MWs in a single Interconnection”. Blackstart Units are identified as Critical Assets in Attachment 1 - 1.4. During Blackstart situations, the Blackstart unit is under the direction / control of the Transmission Operator (TOP). The Blackstart unit IS NOT under direction / control of the Generator Operator (GOP) or under the control of the GOP’s dispatch control system during the Blackstart condition. Therefore, the GOP’s dispatch control system should not be forced to be classified as a Critical Asset due to a Blackstart unit which the GOP has no control over during a Blackstart situation.


Item 1.15 – The concern here is that the GOP control center could provide a path to compromise the functionality of the Blackstart Resource.

NRG Energy Inc. Yes 1.1 - Add capacity factor as a qualifier for exclusion below an established low threshold.

1.3 - Mandate coordination/approval process between the Transmission Planner and entity that have been designated critical by the Transmission Planner. These classifications and approvals need to take into consideration 5 year forecasts for planning and budgeting purposes..

1.5 - TOP needs to define the cranking path in restoration plan to the affected entities to adequately secure these restoration paths..

1.9 - Please explain FACTS - need definition




1.10 - Need coordination between TOP & GO to identify critical assets.

1.15 - How is the 1500 MW aggregate determined? Is it an aggregate of generator name plates or the sum of controllable megawatts between a unit’s high and low limits?

General: Attachment 1 needs to have defined terms for capability, plant, control center


Item 1.1 – The SDT debated whether to include capacity factor in this criterion. The reason we ultimately chose not to include capacity factor is twofold. There is no consistent method to select an appropriate capacity factor, and low capacity factor units may be critical to the system at peak load conditions. There was also a concern that some units might fall below the line during major outage periods, taking them off the Critical Asset list one year and putting them back on the list the next year.

Item 1.3 –This criterion has been reworded to “Each generation Facility that the Planning Coordinator or Transmission Planner designates and informs the Generator Owner or Generator Operator as necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon.” There is no burden or obligation placed on the Planning Coordinator or Transmission Planner to designate any unit as needed for reliability.

Item 1.5 – Regarding concerns of communication to BES Asset Owners and Operators of their role in the Restoration Plan, Transmission Operators are required in EOP-005-2 to “provide the entities identified in its approved restoration plan with a description of any changes to their roles and specific tasks prior to the implementation date of the plan.” This criterion has been reworded to “The Facilities comprising the Cranking Paths and meeting the initial switching requirements from the Blackstart Resource to the first interconnection point of the generation unit(s) to be started, or up to the point on the Cranking Path where two or more path options exist as identified in the Transmission Operator's restoration plan.”

Item 1.9 – FACTS is defined by IEEE as “Alternating Current Transmission Systems incorporating power electronics-based and other static controllers to enhance controllability and power transfer capability.”

Item 1.10 – The assets would be identified by the asset owners. It is agreed that communication between GOs and TO/TOPs will be required. This criterion has been changed to “Transmission Facilities providing the generation interconnection required to connect generator output to the transmission system that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets identified by any Generator Owner as a result of its application of Attachment 1, criterion 1.1 or 1.3.”

Item 1.15 – This is the aggregate highest rated net Real Power capability output of all generation under dispatch/control.

At this time, the SDT is choosing not to add capability, plant or control center to the NERC Glossary. We feel defining these terms under this proposed version of the Standard would have far-reaching impacts beyond the scope of CIP-002-4 to CIP-009-4. These terms are used in other approved NERC standards already in




effect.

APPA CIP-002-4 Task Force Yes SDT Proposed:1.1 Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW.

APPA Comments: APPA and others commented on the CIP-010-1 standard as having arbitrary bright lines for generating units and requested that these bright line numbers have justification or have them based on the Contingency Reserve of each Reserve Sharing Group region. APPA commends the SDT for their attempted to come to agreement on a nationwide bright line for generating units based on an operationally significant threshold. The use of an average of the Contingency Reserve numbers from all the regions bases the bright-line on what the regions consider operationally significant. We understand that NERC standards are a minimum requirement and regions can look at their own operating criteria and determine if they need additional protection at lower Megawatt bright-lines. APPA is concerned that the use of the “Real Power Capability of the preceding 12 months” would bring in unnecessary volatility to applicability of this standard to certain groups of generating units. To alleviate this volatility we suggest that generation owners should use the facility ratings which are calculated and communicated under FAC-009-1 R2.R2. The Transmission Owner and Generator Owner shall each provide Facility Ratings for its solely and jointly owned Facilities that are existing Facilities, new Facilities, modifications to existing Facilities and re-ratings of existing Facilities to its associated Reliability Coordinator(s), Planning Authority(ies), Transmission Planner(s), and Transmission Operator(s) as scheduled by such requesting entities.

SDT Proposed:1.2. Each reactive resource or group of resources at a single location (excluding generation Facilities) having aggregate net Reactive Power nameplate rating of 1000 MVARs or greater.

APPA Comments: APPA does not have a comment on criteria 1.2 at this time.

SDT Proposed:1.3. Each generation Facility that the Planning Coordinator or Transmission Planner designates as required for reliability purposes.

APPA Comments: APPA commends the SDT on including the criteria in 1.3, which gives the PC and TP the ability to designate as critical any generating facilities for reliability purposes. This will cover critical units that are not captured within the bright line of criteria 1.1 without drawing in all units of a certain size that are not considered critical elsewhere on the system. APPA suggests that the designation of facilities be based on studies conducted under the TPL standards to justify the designation. Also, the use of NERC Glossary of term: “Adverse Reliability Impacts” will help clarify which units should be in this category. We are also concerned that the PC or TP will be looking at local vs. wide area reliability. There are some cases where the PC can designate Must Run units for temporary situations so this must be clarified within the criteria. APPA proposes the following rewording of criteria 1.3:”1.3 Each generation Facility that the Planning Coordinator or




Transmission Planner designates as required to avoid BES Adverse Reliability Impacts for 1 year or longer.”

SDT Proposed:1.4. Each Blackstart Resource identified in the Transmission Operator's restoration plan.

APPA Comments: APPA is concerned that designating all Blackstart Resources as critical will divert limited resources to protect blackstart facilities that are only used to restore localized load. We believe it is the intent of the drafting team to identify the truly critical blackstart units (taking from the CIP-010-1 draft; only high impact facilities). APPA understands that criteria 1.4 uniformly identify all Blackstart Resources listed in the Transmission Operator’s restoration plan as being Critical Assets with regards to the Bulk Electric System. Currently, many utilities include multiple Blackstart resources in the restoration plans provided to the Transmission Operator. Including numerous resources makes the plan much more robust and reliable as it provides additional well documented restoration options should unforeseen problems occur. As currently written, Item 1.4 inadvertently incentivizes utilities to remove blackstart resources from the restoration plan if these resources are not critical to an effective regional restoration plan, reducing the plan’s overall effectiveness. Therefore, we believe there should be a threshold for Blackstart Resources, similar to nearly all other elements being considered in Attachment 1. This would allow utilities the freedom to include numerous resources in the Transmission Operators restoration plan without being swept into being identified as a critical asset. To implement this approach, we believe it is imperative to consider the Blackstart Resource’s actual role in the restoration plan, not just its simple inclusion. For example, a 10 MW Blackstart Resource that directly supports restoration of a critical generating facility is much more important to the Bulk Electric System than a 10 MW Blackstart Resource that simply supplies local load during an outage. Therefore, APPA would propose judging the criticality of a Blackstart Resource by the relative importance of the generating unit(s) it directly supports. We would recommend rewording item 1.4 as follows, leveraging the existing language of criteria 1.15 and the capacity bright-line of criteria 1.13:1.4 Each Blackstart Resource identified in the Transmission Operator’s restoration plan, which meet either of the following criteria:1.4.1 Used to directly start generation identified as a Critical Asset in criteria 1.1 or 1.3, 1.4.2 Used to directly start generation greater than an aggregate of 300 MW. We believe this approach should provide a better measure of a Blackstart Resource’s potential impact on the Bulk Electric System, resulting in Critical Assets that adequately address system reliability in a practical manner. It also mitigates the likelihood that registered entities may decide to retire certain small blackstart units, thereby removing valuable but not critical blackstart resources from the Transmission Operator’s restoration plan. We further support inclusion of “ALL Blackstart Resources” when this standard is revised to provide for a tiered (High, Medium and Low) categorization of Critical Assets, such as the SDT’s draft CIP-010-1 proposal.

SDT Proposed:1.5. The Facilities comprising the Cranking Paths and initial switching requirements from the Blackstart Resource to the unit(s) to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where multiple path options exist.

APPA Comments: APPA commends the SDT on differentiating between a single Cranking Path as a critical




facility and multiple Cranking Paths as having redundancy in the BES and thus being less critical. Having this criteria stated in 1.5 incentivizes the entity to build in redundancy in infrastructure to lower criticality of a single asset. This truly does reward infrastructure reliability through a standard. APPA does request clarification of criteria 1.5: Where does this point of multiple paths lay in the electrical system? Does this include only the Generator Step-up Transformer, or does it include the whole substation where multiple transmission paths depart to a single generator? Also, APPA suggests that the SDT change “switching requirements” to “switching equipment.”

SDT Proposed:1.6. Transmission Facilities operated at 500 kV or higher.


SDT Proposed:1.7. Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations.

APPA Comments: APPA believes that criteria 1.7 should be reworded to "stations or substations" instead of just "stations" so that it is not implied that it only applies to power plants (stations).APPA also supports the MRO standard review team proposal to adopt a power flow based bright-line rather than whether the station is connected to three or more other stations: Under TPL-001, the Planning Coordinator or Transmission Planner already performs annual near-term power flow assessment and this particular assessment would be based on the forecasted peak conditions using Category A of Table 1 of the standard. Proposed rewording of criteria 1.7:1.7. Each Transmission Facility operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher where the TPL peak load studies of the Planning Coordinator or Transmission Planner identifies the sum of the incoming power flows or the sum of the outgoing power flows to exceed 1500 MW.

SDT Proposed:1.8. Transmission Facilities at a single station location that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).

APPA Comments: APPA believes that criteria 1.8 should be reworded to "station or substation" instead of just "station" so that it is not implied that it only applies to power plants (station). We also request that it be clarified who will determine the IROL’s using similar wording to FAC-014: “R5. The Reliability Coordinator, Planning Authority and Transmission Planner shall each provide its SOLs and IROLs to those entities that have a reliability-related need for those limits...”Proposed rewording of criteria 1.8:1.8. Transmission Facilities at a single station or substation that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs) as determined by the Reliability Coordinator.

SDT Proposed:1.9. Flexible AC Transmission Systems (FACTS) at a single station location, that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability




Operating Limits (IROLs).

APPA Comments: APPA believes that criteria 1.9 should be reworded to "station or substation" instead of just "station" so that it is not implied that it only applies to power plants (station).

SDT Proposed:1.10. Transmission Facilities providing the generation interconnection required to directly connect generator output to the transmission system that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets described in Attachment 1, criterion 1.1 or 1.3.


SDT Proposed:1.11. Transmission Facilities identified as essential to meeting Nuclear Plant Interface Requirements.


SDT Proposed:1.12. Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).

APPA Comments: APPA understands there are utilities within the NPCC region that have SPS type 3 systems that only protect local areas. We seek verification from the SDT that the SPS they refer to in criteria 1.12 is for wide area protection only.

SDT Proposed:1.13. Common control system(s) capable of performing automatic load shedding of 300 MW or more within 15 minutes.

APPA Comments: APPA believes the SDT’s change in wording of criteria 1.13 will inadvertently bring in all SCADA systems with the capability of shedding load even if such SCADA systems are in fact not planned or operated to perform load shedding. As written, this criteria designates as a critical asset various control systems that by themselves could not cause instability or uncontrolled separation of the BES.APPA offers the following alternatives for rewording 1.13:1.13 Common control system(s) configured to perform automatic load shedding of 300 MW or more within 15 minutes. APPA can accept the bright-line of 300 MW if the wording is changed to that stated above, but we still see this bright-line as an arbitrary threshold based on a quantity that has no BES operational significance. Rather, 300 MW is a DOE threshold for electric event reporting.

SDT Proposed:1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator.

APPA Comments: APPA is concerned that criteria 1.14 is overly broad because it includes all BA and TOP




control centers regardless of size. We understand the critical nature of control centers and the need to protect against loss of control of major sections of the BES. However, we ask that the SDT revise this criteria to include a bright-line with similar impact as those in 1.1 and 1.15. APPA offers the following revised wording:1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator with a minimum of 1500 MW of resources under its control. APPA cannot support this standard revision without some form of bright line cutoff to exclude small BAs and TOPs that cannot cause instability or uncontrolled separation of the BES. However, we will support inclusion of “ALL BA and TOP control centers” when this standard is revised to provide for a tiered (High, Medium and Low) categorization of Critical Assets, such as the SDT’s draft CIP-010-1 proposal.

SDT Proposed:1.15. Each control center or backup control center used to control generation identified as a Critical Asset, or used to control generation greater than an aggregate of 1500 MWs in a single Interconnection.

APPA Comments: In the NERC Draft CIP-002-4 webinar it was stated that a control center in criteria 1.15 is understood to be controlling multiple units. APPA recommends that the SDT clarify the wording in criteria 1.15 to coincide with this understanding: 1.15 Each control center or backup control center used to control multiple generation units identified as Critical Assets designated under criterion 1.3 or used to control generation greater than an aggregate of 1500 MWs in a single Interconnection.

SDT Proposed:1.16. Any additional assets that the Responsible Entity deems appropriate to include.

APPA Comments: APPA believes that 1.16 should be removed from the Attachment 1 criteria. We expect that registered entities may voluntarily protect assets above and beyond the ones listed in these criteria. However, we just do not see the reliability benefit of imposing a compliance liability to those self identified critical assets. We feel that the NERC and Regional compliance staff will waste valuable time and resources evaluating entity compliance with cyber security controls for assets that are outside of the scope of this standard.


Item 1.1 – The SDT notes your concern that the use of the “Real Power Capability of the preceding 12 months” would bring in unnecessary volatility to applicability of this standard to certain groups of generating units. The drafting team used time and value parameters to ensure the bright-lines and the values used to measure against them were relatively stable over the review period. Hence, where multiple values of net Real Power capability could be used for the Facilities’ qualification against these bright-lines, the highest value was used. The 12 month time period was used so that seasonal ratings would not be an issue for generating plants that operate near the 1500 MW bright line.

Item 1.3 –This criterion has been reworded to “Each generation Facility that the Planning Coordinator or Transmission Planner designates and informs the




Generator Owner or Generator Operator as necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon.”

Item 1.4 – A Blackstart Resource is defined as “A generating unit(s) and its associated set of equipment which has the ability to be started without support from the System or is designed to remain energized without connection to the remainder of the System, with the ability to energize a bus, meeting the Transmission Operator’s restoration plan needs for real and reactive power capability, frequency and voltage control, and that has been included in the Transmission Operator’s restoration plan.” EOP-005-2 R1.4 states that the restoration plan must include “Identification of each Blackstart Resource and its characteristics including but not limited to the following: the name of the Blackstart Resource, location, megawatt and megavar capacity, and type of unit.” The SDT believes that these Blackstart Resources must be classified as Critical Assets. It should be noted that not all blackstart generators must be designated as Blackstart Resources.

Item 1.5 – The point where multiple paths exist in the Cranking Path is the step in the Transmission Operator’s restoration plan per EOP-005-2 R1.5 “Identification of Cranking Paths and initial switching requirements between each Blackstart Resource and the unit(s) to be started” where the Transmission Operator can choose between the next Facilities on the BES to energize. This criterion has been reworded to “The Facilities comprising the Cranking Paths and meeting the initial switching requirements from the Blackstart Resource to the first interconnection point of the generation unit(s) to be started, or up to the point on the Cranking Path where two or more path options exist as identified in the Transmission Operator's restoration plan.”

Item 1.7 – The SDT agrees to change “stations” to “stations or substations.” The SDT does not believe that power flow based bright-line criteria that is based on MW flows into or out of a substation would meet the objective of uniform application of Critical Asset identification across all entities. This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”

Item 1.8 – The SDT agrees to change “stations” to “stations or substations.” According to FAC-014-2 IROLs are established by Transmission Operators, Transmission Planners, and Planning Authorities. The Reliability Coordinator ensures that IROLs are established and are consistent with its methodology. The present wording is appropriate. This criterion has been changed to “Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”

Item 1.9 - The SDT agrees to change “stations” to “stations or substations.” This criterion has been changed to “Flexible AC Transmission Systems (FACTS), at a single station or substation location, that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”

Item 1.12 – Since this item only applies to SPSs that have IROLs associated with them, local area SPSs are not included. This criterion has been changed to “Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limit (IROL) violations for failure to operate as designed.”

Item 1.13 – This criterion has been changed to “Each system or facility that performs automatic load shedding, without human operator initiation, of 300 MW or more implementing Under Voltage Load Shedding (UVLS) or Under Frequency Load Shedding (UFLS) as required by the regional load shedding program.”

Item 1.14 – Based on industry comments received, criterion 1.14 has been reworded to “Each control center or backup control center used to perform the functional obligations of the Reliability Coordinator.” A new criterion 1.16 has been added which states “Each control center or backup control center used to perform the functional obligations of the Transmission Operator that includes control of at least one asset identified in criteria 1.2, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11




or 1.12.” A new criterion 1.17 has been added which states ” Each control center or backup control center used to perform the functional obligations of the Balancing Authority that includes at least one asset identified in criteria 1.1, 1.3, 1.4, or 1.13. Each control center or backup control center used to perform the functional obligations of the Balancing Authority for generation equal to or greater than an aggregate of 1500 MWs in a single Interconnection.”

Item 1.15 – This criterion has been changed to “Each control center or backup control center used to control generation at multiple plant locations, for any generation Facility or group of generation Facilities identified in criteria 1.1, 1.3, or 1.4. Each control center or backup control center used to control aggregate generation equal to or exceeding 1500 MWs in a single Interconnection.”

Item 1.16 – In order to eliminate any confusion, the SDT has chosen to eliminate this criterion in the next ballot.


No See comments to Question 1 above, and the proposed Attachment 1. (Below copied from question 1)

The assets that should be subject to protection under the NERC CIP Standards should not be driven by the physical assets that are implicated in maintaining physical system reliability from an operations and planning perspective. There is not a direct relationship between assets that are subject to protection under the CIP standards and assets that form the basis for the current NERC understanding of planning and operating reliability. Nor should the scope of cyber assets be determined by the identification of physical asset by third parties. Under the current and proposed CIP Standards, the scope of jurisdictional cyber assets is driven by an entity’s Critical Assets, which are physical assets that impact system reliability from an operations/planning perspective (i.e. Critical Assets are defined as: Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.). In addition, the proposed standards include third party identification of critical assets. The Standards Drafting Team should take this opportunity to eliminate all of these inappropriate relationships. As an initial matter, the SDT should remove the term “Critical Assets” from the standard. This term should be replaced with a general term, such as “Assets Subject to Cyber Security Protection”. This change will eliminate the inappropriate cause and effect relationship between physical system reliability - i.e. operations and planning - and cyber security. Instead, the general term directly links the driver of asset identification to cyber security. The next step should focus on the explicit identification of assets that fall within this category. The identification should be based on an objective list of assets. This mitigates the problems that arise from the application of a subjective identification methodology. Attached to these comments is a proposed list, which is intended to be used as a starting point (see proposed Attachment 1 below). The SRC believes this list includes asset types that should be subject to the CIP standards. However, at this point, the list is illustrative and is not intended to be exhaustive. This approach enables the identification of assets that are subject to cyber security protection irrespective of their relationship to the definition of “Critical Asset”. By decoupling the assets subject to cyber protection from the subjective “Critical Asset” terminology, the proposed approach actually expands the number of assets that are subject to the CIP standards. This




approach is a relative improvement because it provides certainty to the regulated community and the regulators by removing the subjectivity associated with the use of terms such as “critical” or “reliability”. In addition to the above recommendations, the SDT should also revise Attachment 1 to explicitly clarify which functional entities are responsible for the relevant asset types. A revised version of Attachment 1 that reflects the above recommendations is provided below. CIP-002-4 - Attachment 1 Assets Subject to Cyber Security Protection

The following are assets subject to Cyber Security Protection:

1. By the Generation Owner (GO):

1.1. Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW.

1.2. Each resource asset that the GO’s Planning Coordinator identifies that if that asset is destroyed, degraded, misused or otherwise rendered unavailable, will violate one or more Interconnection Reliability Operating Limits (IROLs).

1.3. Each Blackstart Resource identified in the GO’s Transmission Operator's restoration plan.

1.4. Each control center, control system, backup control center, or backup control system used to control generation greater than an aggregate of 1500 MWs in a single Interconnection.

1.5. Each GO’s Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).

2. By the Transmission Owner (TO):

2.1. Transmission Facilities operated at 500 kV or higher.

2.2. Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations.

2.3. Each reactive resource or group of resources at a single location (excluding generation Facilities) having aggregate net Reactive Power nameplate rating of 1000 MVARs or greater.

2.4. The Facilities comprising the Cranking Paths and initial switching requirements from the Blackstart Resource to the unit(s) to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where multiple path options exist.

2.5. Each resource asset that the TO’s Planning Coordinator identifies that if that asset is destroyed, degraded, misused or otherwise rendered unavailable, will violate one or more Interconnection Reliability




Operating Limits (IROLs).

2.6. Common control system(s) capable of performing automatic load shedding of 300 MW or more within 15 minutes.

2.7. Each TO’s Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).

2.8. Transmission Facilities identified by a nuclear asset owner as essential to meeting Nuclear Plant Interface Requirements.

2.9. Transmission Facilities providing the generation interconnection required to directly connect generator output to the transmission system that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets described in Attachment 1, criterion 1.1 or 1.4.

2.10. Flexible AC Transmission Systems (FACTS) at a single station location, that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).

3. By the Reliability Coordinator

3.1. Each control center, control system, backup control center, or backup control system used to perform the RC functional obligations

4. By the Transmission Operator

4.1. Each control center, control system, backup control center, or backup control system used to perform the TOP functional obligations

4.2. Each TOP’s Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).

5. Balancing Authority

5.1. Each control center, control system, backup control center, or backup control system used to perform the BA functional obligations

Response: Thank you for your comments. The drafting team agrees that the issue of Cyber Security and Cyber Security protection is extremely complicated. The Attachment 1 criteria were under development for CIP-010 when the team was asked to use the criteria for the basis of a new CIP Version 4 set of standards. The team expects to continue its work on a functional approach after Version 4. The SDT feels that the current format for Attachment 1 is sufficient.




Bonneville Power Administration Yes Make it clear that substations are the facilities to be identified as Transmission Critical Assets, not lines, transformers, reactive equipment, etc. Another alternative would be to identify all facilities that operate at a specified certain kV level would be determined to be Critical Assets. The different categories identified in Attachment 1 still allow utilities to justify most of what they have already declared as Critical Assets.

Response: Thank you for your comments. Substations are not the only Facilities identified as Critical Assets. Lines, transformers, reactive equipment, and other Facilities can be classified as a Critical Asset if they meet any of the criteria in Attachment 1. Please refer to the guidance document posted on the project page at http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean.pdf for additional clarification.

PSEG Companies Yes In Attachment 1, item 1.4 the blackstart units deemed critical should be only those identified by the TOP as specified to meet the minimum critical blackstart requirement. The TOP may choose to list all its area blackstart capable units in its plan for informational purposes, but a subset of that list may be what is required for blackstart and only those should be considered critical. PSEG suggests that 1.4 be reworded as follows:”Each Blackstart Resource identified in the Transmission Operator’s restoration plan required to meet the minimum critical blackstart requirement.”

For item 1.5, please provide a definition of “initial switching requirements” in the item language. For all other items in Attachment 1, PSEG concurs with and hereby incorporates by reference the comments filed by Edison Electric Institute (“EEI”) in this matter.



Item 1.5 – The term “initial switching requirements” came from EOP-005-2 R1.5 “Identification of Cranking Paths and initial switching requirements between each Blackstart Resource and the unit(s) to be started.” This criterion has been reworded to “The Facilities comprising the Cranking Paths and meeting the initial switching requirements from the Blackstart Resource to the first interconnection point of the generation unit(s) to be started, or up to the point on the Cranking Path where two or more path options exist as identified in the Transmission Operator's restoration plan.”

Pepco Holdings, Inc - Affiliates Yes PHI supports the comments of EEI for Attachment 1. In particular, we believe that the Planning Coordinator and Transmission Planner should be added to the applicability list. Also note that the terms "single plant

http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean.pdf�




location" (1.1) and "single station location" (1.5) are undefined. EEI has also made clarifying language changes.

Response: Thank you for your comments. Since there is no Requirement that applies to the Planning Coordinator or the Transmission Planner, it is not appropriate to include them in the Applicability section. Please refer to the response to EEI’s comments.


Yes Item 1.4

Item 1.4 uniformly identifies all Blackstart Resources listed in the Transmission Operator’s restoration plan as being Critical Assets with regards to the Bulk Electric System. Currently, many utilities include multiple Blackstart resources in the restoration plans they provide to the Transmission Operator. Including numerous resources makes the plan much more robust and reliable, as it provides well documented options should any problems occur. As currently written, Item 1.4 inadvertently provides incentive to utilities to remove resources from the restoration plan, reducing the plan’s overall effectiveness. Therefore, we believe there should be a hierarchy for Blackstart Resources, similar to nearly all other elements being considered, that would allow them to remain listed in the restoration plan without uniformly being identified as critical. To implement this approach, we believe it is imperative to consider the Blackstart Resource’s actual role in the restoration plan, not just its simple inclusion. A 10 MW Blackstart Resource that directly supports restoration of a critical generating facility is much more important to the Bulk Electric System than a 10 MW Blackstart Resource that simply supplies localized load during an outage. Therefore, we would propose judging the relative importance of a Blackstart Resource by the relative importance of the facilities it directly supports.We would recommend rewording item 1.4 as follows, leveraging the existing language of Item 1.15 and the capacity bright line of Item 1.13:”Each Blackstart Resource identified in the Transmission Operator’s restoration plan as used to directly start generation identified as a Critical Asset, or identified in the Transmission Operator’s restoration plan as used to directly start generation greater than an aggregate of 300 MW.”We believe this approach should provide a better sense of a Blackstart Resource’s true impact on the Bulk Electric System, resulting in Critical Assets that adequately address system reliability in a practical manner. It also addresses the inadvertent incentive for removing blackstart resources from the restoration plan.

Item 1.7 We believe this bright line is overly simplistic, and does not provide an accurate measuring stick for defining critical Transmission Facilities. Per NERC TPL-001, we believe the Planning Coordinator or Transmission Planner already perform an annual near-term assessment that could be leveraged to provide a more accurate bright line. We would recommend rewording Item 1.7 as follows, leveraging the existing language of Item 1.7 and the capacity bright line of Item 1.1:”Each Transmission Facility operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher where the Planning Coordinator or Transmission Planner identifies the sum of the incoming power flows or the sum of the outgoing power flows to exceed 1500 MW.”It would be our intention that this particular assessment be based on the forecasted




peak conditions using Category A of Table 1 of the TPL-001 standard.

Item 1.13 We believe this item needs to be clarified to confirm that it applies to a single common control system only, and not multiple but separate “like” systems that in aggregate are capable of load shedding up to 300 MW. Also, we believe this item needs to be clarified to confirm that it applies to systems “configured” for automatic load shedding, not simply just “capable” of load shedding. This should only apply to firm load and not demand side management (DSM).Therefore, we believe this bright line should be reworded as follows:”A single common control system configured for performing automatic load shedding of 300 MW or more of firm load within 15 minutes.”

Item 1.14 We do not believe all control center/systems and backup control centers/systems performing the functional obligations of the Balancing Authority or Transmission Operator should uniformly be considered critical to the Bulk Electric System. We believe the previously proposed CIP-010 criteria 1.13 and 1.14 delineations based on MW or voltage levels should be maintained to provide a more accurate bright line for identifying critical systems.

Items 1.8, 1.9, & 1.12 Criteria 1.8, 1.9, and 1.12 should be modified because loss of facilities does not cause an IROL violation. An IROL includes a limit and a time constant Tv. In order for an IROL violation to occur, the limit must be exceeded for at least the time constant Tv. Tv is usually 30 minutes. Thus, when we consider the impact on the loss of facilities on an IROL, an operator will have enough time to adjust the system to prevent an IROL violation.

For 1.8, the criterion should be modified to reflect that the facilities that comprise an IROL should be considered critical. The drafting team may also wish to consider loss of any facilities that set up the need for the IROL as well or cause the actual limit to change.

For criterion 1.9, it is not clear why FACTs devices need to be singled out. Are they not covered in criterion 1.8 under Transmission Facilities?

Inclusion of 1.9 is redundant and just causes confusion because it causes the reader to infer that the drafting team intended for them to be treated differently when in fact the criterion is the same as 1.8.

For criterion 1.12, it would be more appropriate to assess the impact of an SPS, RAS, or automated switching system on the IROL. If loss of the SPS, RAS, or automated switching system causes an IROL to decrease, then the SPS, RAS, or automated switching system should be considered critical. Contrary to the companion draft guidance document statement in the second paragraph on page 11, most SPS, RAS and automated switching systems are not used to prevent disturbances that would result in IROLs. In fact, some regions consider generation runback schemes to be an SPS even when it is used to simply resolve a generation outlet issue for loss of a line out of a plant. This is a common and economically effective way to avoid the expense of building more transmission lines. This paragraph from the draft guidance document should be




removed.

Item 1.16 Recommend removal of this criterion, this criterion is arbitrary and doesn’t constitute a bright line.


Item 1.4 – A Blackstart Resource is defined as “A generating unit(s) and its associated set of equipment which has the ability to be started without support from the System or is designed to remain energized without connection to the remainder of the System, with the ability to energize a bus, meeting the Transmission Operator’s restoration plan needs for real and reactive power capability, frequency and voltage control, and that has been included in the Transmission Operator’s restoration plan.” The SDT believes that these units must be classified as Critical Assets. It should be noted that not all blackstart generators are Blackstart Resources. We will consider your suggested language in a future version when the topic of prioritization is addressed.

Item 1.7 – The SDT does not feel that a power flow analysis would lead to a consistent application of the criterion, due to the numerous factors which can impact substation power flows. Such a study would need to be rigorously defined for the industry. We thank you for your proposal and will take it under consideration for future revisions. This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”


Item 1.14 – Based on industry comments received, criterion 1.14 has been reworded to “Each control center or backup control center used to perform the functional obligations of the Reliability Coordinator.” A new criterion 1.16 has been added which states “Each control center or backup control center used to perform the functional obligations of the Transmission Operator that includes control of at least one asset identified in criteria 1.2, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11 or 1.12.” A new criterion 1.17 has been added which states ” Each control center or backup control center used to perform the functional obligations of the Balancing Authority that includes at least one asset identified in criteria 1.1, 1.3, 1.4, or 1.13. Each control center or backup control center used to perform the functional obligations of the Balancing Authority for generation equal to or greater than an aggregate of 1500 MWs in a single Interconnection.”

Item 1.8 – This criterion has been changed to “Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”

Item 1.9 – FACTS devices were singled out to ensure that there was no confusion as to whether or not they were considered Critical Assets.

Item 1.12 – This criterion has been changed to “Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limit (IROL) violations for failure to operate as designed.”


Santee Cooper Yes We believe the Attachment 1 criteria is too prescriptive and would add unnecessary economic and resource burdens. For example, we have made investments to ensure that redundant blackstart resources as well as redundant cranking paths are available where needed for restoration, and therefore any one blackstart




resource or cranking path is not critical to the viability of our restoration plans. Therefore, considering any one such blackstart resource or cranking path critical diminishes the value of our original investment in redundancy.

We also believe the SDT’s change in wording of criteria 1.13 may inappropriately apply to all SCADA systems with the capability of shedding load greater than 300 MW. Such a requirement should only apply to common control systems that are “configured” to perform automatic load shedding of 300 MW or more.

We believe 1.16 in Attachment 1 should be deleted since it is not consistent with the “bright line” concept.

Response: Thank you for your comments




Dominion Yes Dominion has the following comments:

1.1 While we understand the SDT’s reasoning for using net Real Power capability, we prefer the use of a more ‘stable’ value such as generator value (pMax, nameplate rating, etc.) used in the interconnection planning process. We have seen that the net Real Power capability fluctuates annually and have found that using such a value in compliance may not in the best interest of reliability. We began using the value cited in the interconnection planning process because it doesn’t change often and any change is usually accompanied by change management process includes extensive communication between the Transmission Planner and Generator Owner. For this reason, we believe that this is a superior value to use.

1.15 Dominion believes the second criteria is overly conservative and is not necessary for reliability. We cite the following observations:(1) It is likely that many of the generators that will be designated critical assets will be nuclear (due to the typical large size of individual generators and the fact that there are usually more than one unit at each location). However, control and monitoring of nuclear generation is vastly different than other forms of generation (coal, oil, gas, and hydro). Nuclear units are typically either on-line (at very near rated




output) or are off-line. Therefore the ‘control’ of the units consists typically of outage coordination and reporting. The data used to monitor these units (typically mW and mVAr) may or may not be transmitted directly to the TOP. Where the data is transmitted directly to the TOP, the generation control center function consists primarily of outage coordination and reporting. This does not, in our view, warrant critical designation of the control center itself since this coordination and reporting can occur without such center.(2) Where other types of generators (peaking CTs, hydro, etc.) are operated in a manner similar to nuclear (on line at near rated output or off line), we view the control center function as being almost identical to that described above and therefore do not agree that such center should be designated as critical..(3) Where the generator output is not being controlled in a very dynamic manner (such as when proving ancillary services; regulation or spinning reserve), ‘control’ often consists of manual (verbal) dispatch to follow load (I.E. lower output during off-peak hours, higher during on-peak hours and near maximum during peak hours). It is not critical that such generator be dispatched from a designated location (control center), it could be done from almost anywhere that has the necessary communications infrastructure. Where this is true, we do not agree that the control center needs to be designated as critical. (4) We do not believe there is sound technical basis for the 1500 mw threshold. In ERCOT, this value represents approximately 1.4% of the total generation in that Interconnection. In the Western it represents 0.6% and in the Eastern, it represents .02%. We therefore suggest that this criterion be revised in a manner similar to one of the examples shown below: “Each control center or backup control center used to control generation identified as a Critical Asset, or used to control generation greater than an aggregate of;

Example 1 - Based upon some ratio or multiple of frequency response for each Interconnection. This would involve more analysis but would set threshold based on the presumption that misuse could result in loss of all generators controlled by the generation control center and the impact of such loss could result in a drop in frequency of that interconnection to an ‘unacceptable value’ (perhaps that value is .02 Hz, .05 Hz, etc). Acceptance of this proposal might require such value be re-determined on a regular basis (annual, 5 year, ?) or based upon some trigger (large increase or decrease in total generation or frequency response within that interconnection).

Example 2 - Set mw threshold based upon some percentage total generation in the interconnect, but insure that the resulting threshold is less than the sum of all load included in UFLS and UVLS programs within that Interconnect. For example, if UFLS and UVLS are based on 30% of system load, set this threshold at say 5-20% of total generation (verifying that the percentage chosen results in a threshold than is less than the sum of load shed programs.


Item 1.1 –The drafting team used time and value parameters to ensure the bright-lines and the values used to measure against them were relatively stable over the review period. Hence, where multiple values of net Real Power capability could be used for the Facilities’ qualification against these bright-lines, the highest




value was used. The 12 month time period was used so that seasonal ratings would not be an issue for generating plants that operate near the 1500 MW bright line.

Item 1.15 – A control center function includes Bulk Power System (BPS) and system status monitoring and processing for reliability and asset management purposes, such as providing information used by Responsible Entities to make operational decisions regarding the reliability and operability of the BPS. The scope of CIP-002-4 was to address the consistency issues with the Critical Asset identification method. Your proposal to use frequency response or percent of total load in an interconnection is similar to an approach taken by the SDT to use reserve sharing for the threshold for generation. The SDT received feedback that that wording was confusing, that the amount referred to in the reserve sharing was not a specific amount, and that the amounts changed daily. The drafting team used 1500 MW as a number derived from the most significant Contingency Reserves operated in various BAs in all regions. The SDT believes that the same threshold should be used for generation control systems.


Yes * Specify for who (function) the Requirements apply to as do other NERC Reliability Standards.* Replace the term 'Critical Assets' with 'Assets subject to Cyber Security Protection'.


The Applicability section of the standard specifies what NERC Registered Entities the standard applies to. All Requirements apply to all Entities listed in the Applicability section. Critical Asset is a defined NERC term and has been used for CIP Versions 1 to 3.

Florida Municipal Power Agency Yes 1.1 Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW.

FMPA Comments: FMPA commends the SDT for their attempted to come to agreement on a nationwide bright line for generating units based on an operationally significant threshold. However, FMPA continues to have the comment we submitted in CIP-010-1 standard as having arbitrary bright lines for generating units and requested that these bright line numbers have justification or have them based on the Contingency Reserve of each Reserve Sharing Group region. FMPA is concerned that the use of the “Real Power Capability of the preceding 12 months” would bring in unnecessary volatility to applicability of this standard to certain groups of generating units. To alleviate this volatility we suggest that generation owners should use the facility ratings which are calculated and communicated under FAC-009-1 R2.


FMPA Comments: FMPA believes that this “bright line” is arbitrary and instead suggests combining this with 1.9. There is no significant difference between the MVARs provided by FACTs devices and those provided by a power plant and it makes sense to treat them both in the same fashion.

SDT Proposed:1.3. Each generation Facility that the Planning Coordinator or Transmission Planner




designates as required for reliability purposes.

FMPA Comments: FMPA commends the SDT on including the criteria in 1.3, which gives the PC and TP the ability to designate as critical any generating facilities for reliability purposes. This will cover critical units that are not captured within the bright line of criteria 1.1 without drawing in all units of a certain size that are not considered critical elsewhere on the system. FMPA suggests that the designation of facilities be based on studies conducted under the TPL standards to justify the designation. Also, the use of NERC Glossary of term: “Adverse Reliability Impacts” will help clarify which units should be in this category. We are also concerned that the PC or TP will be looking at local vs. wide area reliability. There are some cases where the PC can designate Must Run units for temporary situations so this must be clarified within the criteria. FMPA proposes the following rewording of criteria 1.3:”1.3 Each generation Facility that the Planning Coordinator or Transmission Planner designates as required to avoid BES Adverse Reliability Impacts for 1 year or longer.”


FMPA Comments: FMPA is concerned that designating all Blackstart Resources as critical will divert limited resources to protect blackstart facilities that are only used to restore localized load. We believe it is the intent of the drafting team to identify the truly critical blackstart units (taking from the CIP-010-1 draft; only high impact facilities). FMPA understands that criteria 1.4 uniformly identify all Blackstart Resources listed in the Transmission Operator’s restoration plan as being Critical Assets with regards to the Bulk Electric System. Currently, many utilities include multiple Blackstart resources in the restoration plans provided to the Transmission Operator. Including numerous resources makes the plan much more robust and reliable as it provides additional well documented restoration options should unforeseen problems occur. As currently written, Item 1.4 inadvertently incentivizes utilities to remove blackstart resources from the restoration plan if these resources are not critical to an effective restoration plan, reducing the plan’s overall robustness. Therefore, we believe there should be a threshold for Blackstart Resources, similar to nearly all other elements being considered in Attachment 1. This would allow utilities the freedom to include numerous resources in the Transmission Operators restoration plan without being swept into being identified as a critical asset.To implement this approach, we believe it is imperative to consider the Blackstart Resource’s actual role in the restoration plan, not just its simple inclusion. For example, a 10 MW Blackstart Resource that directly supports restoration of a critical generating facility is much more important to the Bulk Electric System than a 10 MW Blackstart Resource that simply supplies local load during an outage. Therefore, FMPA would propose judging the criticality of a Blackstart Resource by the relative importance of the generating unit(s) it directly supports. We would recommend rewording item 1.4 as follows, leveraging the existing language of criteria 1.15 and the capacity bright-line of criteria 1.13:1.4 Each Blackstart Resource identified in the Transmission Operator’s restoration plan, which meet either of the following criteria:1.4.1 Used to directly start generation identified as a Critical Asset in criteria 1.1 or 1.3, 1.4.2 Used to directly start generation greater than an aggregate of 300 MW. We believe this approach should provide a better measure of a Blackstart Resource’s potential impact on the Bulk Electric System, resulting in Critical Assets that adequately address




system reliability in a practical manner. It also mitigates the likelihood that registered entities may decide to retire certain small blackstart units, thereby removing valuable but not critical blackstart resources from the Transmission Operator’s restoration plan.


FMPA Comments: FMPA commends the SDT on differentiating between a single Cranking Path as a critical facility and multiple Cranking Paths as having redundancy in the BES and thus being less critical. Having this criteria stated in 1.5 incentivizes the entity to build in redundancy in infrastructure to lower criticality of a single asset. This truly does reward infrastructure reliability through a standard. FMPA suggests that the SDT change “switching requirements” to “switching equipment.”


FMPA Comments: FMPA believes that criteria 1.7 is rather arbitrary and suggests use of TPL-004-0 Category D testing and to combine 1.7 with 1.8. Does loss of a substation result in an IROL or Adverse Reliability Impacts? Doing so can also remove the voltage class limit. It is also unclear from the working whether the entire substation is a Critical Asset, or whether each Facility connected to that substation is a Critical Asset. FMPA suggests the entire substation. It is also unclear for substations that have two voltage levels (e.g., a 345 kV to 115 kV substation), whether the entire substation should be considered, or just one voltage level. FMPA suggests one voltage level as discussed in the existing TPL-004 standard.


FMPA Comments: FMPA believes that criteria 1.8 should be reworded to "station or substation" instead of just "station" so that it is not implied that it only applies to power plants (station). Also the use of term Adverse Reliability Impact would be beneficial. Proposed rewording of criteria 1.8:1.8. Transmission Facilities at a single station or substation that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs) or can cause an Adverse Reliability Impact as a result of extreme contingency loss of substation testing as part of the TPL standards or as determined by the Reliability Coordinator.

SDT Proposed:1.9. Flexible AC Transmission Systems (FACTS) at a single station location, that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).

FMPA Comments: FMPA believes that criteria 1.9 should be reworded to "station or substation" instead of just




"station" so that it is not implied that it only applies to power plants (station). Also the use of term Adverse Reliability Impact would be beneficial.


FMPA Comments: FMPA believes that adding the phrase “or can cause an Adverse Reliability Impact” would be beneficial.


FMPA Comments: FMPA believes that the 300 MW is arbitrary and seems based more on reporting requirements than on true reliability impacts. Also, it should not matter whether loss of load is caused by an “automatic” system or not. In addition, the power system is more resilient to loss of load than loss of generation; hence, by using the same threshold as is used in 1.1, we are actually being quite conservative. FMPA offers the following alternatives for rewording 1.13:1.13 Common control system(s) that can result in a loss of load equal to or greater than the reserve sharing requirements of the Reserve Sharing Group within 15 minutes.


FMPA Comments: FMPA is concerned that criteria 1.14 is overly broad because it includes all BA and TOP control centers regardless of size. We understand the critical nature of control centers and the need to protect against loss of control of major sections of the BES. However, we ask that the SDT revise this criteria to include a bright-line with similar impact as those in 1.1 and 1.15.FMPA offers the following revised wording:1.14. Each control center, control system, backup control center, or backup control system that can:1.14.1 Cause a loss of generation or load greater than the reserve sharing requirements of the Reserve Sharing Group1.14.2 That if manipulated, can cause an Adverse Reliability Impact as determined through planning studies. FMPA cannot support this standard revision without some form of bright line cutoff to exclude small BAs and TOPs that cannot cause instability, cascading or uncontrolled separation of the BES.


FMPA Comments: With the proposed revision to 1.14, this 1.15 would no longer be required.





FMPA Comments: FMPA believes that 1.16 should be removed from the Attachment 1 criteria. We expect that registered entities may voluntarily protect assets above and beyond the ones listed in these criteria. However, we just do not see the reliability benefit of imposing a compliance liability to those self identified critical assets. We feel that the NERC and Regional compliance staff will waste valuable time and resources evaluating entity compliance with cyber security controls for assets that are outside of the scope of this standard.


Item 1.1 – The SDT notes your concern that the use of the “Real Power Capability of the preceding 12 months” would bring in unnecessary volatility to applicability of this standard to certain groups of generating units. The drafting team used time and value parameters to ensure the bright-lines and the values used to measure against them were relatively stable over the review period. Hence, where multiple values of net Real Power capability could be used for the Facilities’ qualification against these bright-lines, the highest value was used. The 12 month time period was used so that seasonal ratings would not be an issue for generating plants that operate near the 1500 MW bright line. The drafting team used 1500 MW as a number derived from the most significant Contingency Reserves operated in various BAs in all regions. In addition, the scope of CIP-002-4 was to address the consistency issues with the Critical Asset identification method.

Item 1.2 – The value of 1000 MVARs used in this criterion is a value deemed reasonable for the purpose of determining criticality. FACTS devices in 1.9 are specifically related to IROLs, whereas the reactive resources in 1.2 are not limited to IROL applications.

Item 1.3 –This criterion has been reworded to “Each generation Facility that the Planning Coordinator or Transmission Planner designates and informs the Generator Owner or Generator Operator as necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon.”



Item 1.7 –The SDT does not believe that power flow based bright-line criteria (i.e. using TPL-004-0) would meet the objective of uniform application of Critical Asset identification across all entities. The term Transmission Facilities can be applied to either the entire substation or each Facility or group of Facilities connected to that substation, as determined by the entity. This would allow an entity which has multiple voltage levels at a single substation to either declare the




entire substation as a Critical Asset or only the portion of the substation that qualifies under criterion 1.7. This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”

Item 1.8 –The SDT agrees to change “stations” to “stations or substations.” The SDT does not believe that power flow based bright-line criteria (i.e. using TPL standards) would meet the objective of uniform application of Critical Asset identification across all entities. This criterion has been changed to “Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”


Item 1.12 – By limiting the scope of Criterion 1.12 to IROLs, Adverse Reliability Impacts are covered as well. This criterion has been changed to “Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limit (IROL) violations for failure to operate as designed.”



Item 1.15 – This criterion has been changed to “Each control center or backup control center used to control generation at multiple plant locations, for any generation Facility or group of generation Facilities identified in criteria 1.1, 1.3, or 1.4. Each control center or backup control center used to control aggregate generation equal to or exceeding 1500 MWs in a single Interconnection.”


PNGC Power Yes We associate ourselves with NRECA comments:

1. We're concerned that designating all Blackstart Resources as critical will divert limited resources to protect blackstart facilities that are only used to restore localized load. We believe it is the intent of the drafting team to identify the truly critical blackstart units (taking from the CIP-010-1 draft; only high impact facilities). We understands that criteria 1.4 uniformly identify all Blackstart Resources listed in the Transmission Operator’s restoration plan as being Critical Assets with regards to the Bulk Electric System. Currently, many utilities




include multiple Blackstart resources in the restoration plans provided to the Transmission Operator. Including numerous resources makes the plan much more robust and reliable as it provides additional well documented restoration options should unforeseen problems occur. As currently written, Item 1.4 inadvertently incentivizes utilities to remove blackstart resources from the restoration plan if these resources are not critical to an effective regional restoration plan, reducing the plan’s overall effectiveness. Therefore, we believe there should be a threshold for Blackstart Resources, similar to nearly all other elements being considered in Attachment 1. This would allow utilities the freedom to include numerous resources in the Transmission Operators restoration plan without being swept into being identified as a Critical Asset. To implement this approach, we believe it is imperative to consider the Blackstart Resource’s actual role in the restoration plan, not just its simple inclusion. For example, a 10 MW Blackstart Resource that directly supports restoration of a critical generating facility is much more important to the Bulk Electric System than a 10 MW Blackstart Resource that simply supplies local load during an outage. Therefore, we would propose judging the criticality of a Blackstart Resource by the relative importance of the generating unit(s) it directly supports.

2. In item 1.7 the statement regarding "three or more other transmission stations" is confusing. A better explanation is needed -- does this mean stations upstream, downstream, networked or radial?

3. In item 1.14 the term "control center" must be defined, especially when dealing with the significance of the requirements of this standard. Using an undefined term here is inappropriate.

4. In item 1.14 its states that all RC, BA and TOP control centers, etc., are Critical Assets. While NRECA agrees with this as it relates to RCs, we do not agree with this as it relates to all BAs and TOPs. In the draft CIP-010 there was high, medium and low criteria which in many instances appropriately matching CIP requirements to the level of risk certain assets potentially present to the BPS. NRECA strongly believes that the CIP-002-4 standard requirements for smaller BAs and TOPs should match the lower level of risk to BPS reliability that these smaller BAs and TOPs potentially present. Similar to the 1500MW size criteria that is included in item 1.15 for generator control centers, there should be size criteria for the smaller BAs and TOPs. The drafting team should modify item 1.14 to state that all control centers with a peak demand above 2000MW (same as medium criteria in draft CIP-010) shall be designated as a Critical Asset. This is the lowest NRECA could support and also recommend its members to support. We firmly believe that this would capture all of the control centers that truly have a material impact on the reliability of the BPS.

5. Related to the Critical Asset Criteria, there should be a provision in the standard that provides a process for an entity to technically demonstrate that even though the criteria identifies some of their assets as Critical Assets, their assets (or a portion thereof) do not meet the definition of a Critical Asset and should be excluded from applicability of CIP-003 through CIP-009.





Item 1.4 – A Blackstart Resource is defined as “A generating unit(s) and its associated set of equipment which has the ability to be started without support from the System or is designed to remain energized without connection to the remainder of the System, with the ability to energize a bus, meeting the Transmission Operator’s restoration plan needs for real and reactive power capability, frequency and voltage control, and that has been included in the Transmission Operator’s restoration plan.” The SDT believes that these units must be classified as Critical Assets. It should be noted that not all blackstart generators are Blackstart Resources.

Item 1.7 – The intent of criterion 1.7 is to classify as a Critical Asset Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations. That includes upstream, downstream, networked, and radial. It should be noted that connections to generators or generation-only substations are not counted in this criterion. The source to the radial substation may be considered a Critical Asset, but the radial substation would not be considered a Critical Asset since by definition it cannot be connected to three or more transmission substations. This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”

Item 1.14 - At this time, the SDT is choosing not to add control center to the NERC Glossary. We feel defining this term under this proposed version of the Standard would have far-reaching impacts beyond the scope of CIP-002-4 to CIP-009-4. This term is used in other approved NERC standards already in effect.


The SDT believes that having an exception process to the criteria presents the same challenges associated with a risk-based assessment in external review and oversight.

WECC No specific recommended changes, but some stakeholders have indicated the criteria will lead to the identification of FEWER Critical Assets. Please reveiw for appropriateness.


Southern Company Yes Southern recommends the following changes:

1.6. Transmission Facilities operated at 500 kV or higher Voltage alone is not a sufficient criterion to determine whether or not an asset is critical to the bulk electric system. Southern believes that the way the asset is interconnected should also be included as a portion of the criteria. Accordingly, Southern suggests the SDT delete Section 1.6 based on the comments stated in this paragraph and the protections offered




under Section 1.7.

Southern agrees with the SDT’s proposed language for criterion 1.11 and believes it is important for this criterion to continue to incorporate the language from NUC-001-2 (i.e., “identified as essential to meeting Nuclear Plant Interface Requirements”).

To make Section 1.14 consistent with the language in Section 1.15, Southern recommends the following changes to Section 1.14: 1.14. Each control center and , backup control center used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator.

Southern recommends the following change to Section 1.16: 1.16. Any additional assets owned by the Responsible Entity that the Responsible Entity deems appropriate to include.


Item 1.6 – The drafting team believes all Transmission Facilities operated at 500 kV or higher do not require any further qualification for their role as components of the backbone on the interconnected BES.

Item 1.11 – Thank you for your comment.



Encari, LLC No

Arizona Public Service No

Edison Electric Institute Yes EEI offers the following suggestions for Attachment 1:

1.1 EEI Comment: The phrase “single plant location” is undefined. It is unclear if this means at a single street address or within some number of miles.

1.3 Substitute Text: Each generation Facility that the Planning Coordinator or Transmission Planner has




designated as required to avoid one or more reliability criteria violations.

1.3 EEI Comment: The purpose of these changes is to facilitate the Planning Coordinator or Transmission Planner the opportunity to identify Generation Facilities that have been historically required to support the BES. This criteria is not meant to create the need for new or different planning models to be used by the Planning Coordinator or Transmission Planner.

1.5 Substitute Text: The Facilities comprising the Cranking Paths and initial switching requirements from the Blackstart Resource to the unit(s) to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where two or more path options exist.

1.8 Substitute Text: Transmission Facilities at a single station location that the Planning Coordinator or Transmission Planner has designated that, if destroyed, degraded, misused or otherwise rendered unavailable, would result in one or more Interconnection Reliability Operating Limit (IROL) violations.

1.8 EEI Comment: The phrase “single station location” is undefined. It is unclear if this means at a single street address or within some number of miles. The Planning Coordinator and Transmission Planner determine and communicate IROLs in the planning time horizon per NERC reliability standard FAC-014. The subject Transmission Facilities are the contingency facilities communicated by the PC and TP per requirement R5 of FAC-014. This criteria is not meant to create the need for new or different planning models to be used by the Planning Coordinator or Transmission Planner. Rather, they should continue to use the legacy planning models as specified in FAC-010, FAC-011 and FAC-014.

1.9 Substitute Text: Flexible AC Transmission Systems (FACTS) at a single station location, that, if destroyed, degraded, misused or otherwise rendered unavailable, would result in one or more Interconnection Reliability Operating Limit (IROLs) violations.

1.11 Substitute Text: Transmission Facilities providing offsite power requirements as identified in the Nuclear Plant Interface Requirements.

1.12 Substitute Text: Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limit (IROLs) violations for failure to operate as designed.

1.14 Substitute Text: Each control center, or backup control center, used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator.

1.14 EEI Comment: Made consistent with 1.15

1.16 Substitute Text: Any additional assets owned by the Responsible Entity that the Responsible Entity




deems appropriate to include.


Item 1.1 – The guidance document posted by the SDT provides direction on the location issue. The document is posted on the Project 2008-06 page at http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean.pdf . Single plant location refers to a group of generating units occupying a defined physical footprint and designated as an individual “plant” using commonly accepted generating facility terminology. Adjacent plants would be defined using the same criteria. The units do not necessarily have to be connected to the BES at the same substation or interconnection point in order to be considered a single plant.


Item 1.5 – This criterion has been reworded to “The Facilities comprising the Cranking Paths and meeting the initial switching requirements from the Blackstart Resource to the first interconnection point of the generation unit(s) to be started, or up to the point on the Cranking Path where two or more path options exist as identified in the Transmission Operator's restoration plan.”


Item 1.9 – This criterion has been changed to “Flexible AC Transmission Systems (FACTS), at a single station or substation location, that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”

Item 1.11 – Criterion 1.11 is based on NUC-001-2 R9.2.2 “Identification of facilities, components, and configuration restrictions that are essential for meeting the NPIRs.” It is not limited to offsite power requirements.




Tennessee Valley Authority Yes 1.4. Each Blackstart Resource identified in the Transmission Operator's restoration plan. The language





(TVA) appears to require us to designate “Each” component in the System Restoration plan as CA. Because we currently have black start procedures which include at least 2 paths for black start of most generation plants in the system, the proposed language would require the extension of CA designation to a large number of components which otherwise would not be included by other criteria. The flexibility provided by our robust transmission infrastructure and the large number of black start capable plants serves to ensure reliable operation of the BES, but designating as a CA each component that could participate in the total paths possible doesn’t seem consistent with the intent of the standard.

Recommendation: Revise language to allow entities to limit CA designation to those components participating in the primary black start path.

1.10. Transmission Facilities providing the generation interconnection required to directly connect generator output to the transmission system that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets described in Attachment 1, criterion 1.1 or 1.3.There isn’t a clear definition of the term “directly connected.” Without this definition there are many way to interpret this requirement. Is this language meant to describe a facility where the substation is co-located with a generation facility? Also, does the language this mean total loss of substation or only partial?

Recommendation: For the purpose of this standard revise language to clearly define “directly connected.”


Item 1.4 – The SDT used the word “primary” in its initial posting of CIP-010-1, but received industry feedback that the term was confusing and it is not a defined NERC Glossary term, nor is it used in EOP-005-2. A Blackstart Resource is defined as “A generating unit(s) and its associated set of equipment which has the ability to be started without support from the System or is designed to remain energized without connection to the remainder of the System, with the ability to energize a bus, meeting the Transmission Operator’s restoration plan needs for real and reactive power capability, frequency and voltage control, and that has been included in the Transmission Operator’s restoration plan.” EOP-005-2 R1.4 states that the restoration plan must include “Identification of each Blackstart Resource and its characteristics including but not limited to the following: the name of the Blackstart Resource, location, megawatt and megavar capacity, and type of unit.” The SDT believes that these Blackstart Resources must be classified as Critical Assets. It should be noted that not all blackstart generators must be designated as Blackstart Resources.

Item 1.10 – The intent is to ensure the availability of Facilities necessary to support those generation Critical Assets. Any transmission Facility the loss of which would result in the loss of a Critical Asset identified in criterion 1.1 or 1.3 would need to be classified as a Critical Asset. That might include the partial or total loss of a substation. This criterion has been changed to “Transmission Facilities providing the generation interconnection required to connect generator output to the transmission system that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets identified by any Generator Owner as a result of its application of Attachment 1, criterion 1.1 or 1.3.”

PacifiCorp Yes : PacifiCorp suggests improvements to several of the current Critical Asset criteria in Attachment 1:

Criteria 1.8, 1.9, and 1.12 currently refer to certain assets that could violate one or more Interconnection




Reliability Operating Limits (IROLs). However, the term “IROL” is not generally utilized within the Western Electricity Coordinating Council (WECC). Instead, WECC uses the term System Operating Limits (SOLs). The Standards Drafting Team should supplement these criteria to reflect this distinction.

PacifiCorp suggests the following language: “...violate one or more Interconnection Reliability Operating Limits (IROLs), or, for WECC members, System Operating Limits (SOLs) for the transfer paths identified in the most current list of Major WECC Transfer Paths in the Bulk Electric System.”

Criterion 1.9 currently refers to “Flexible AC Transmission Systems (FACTS) at a single station location,” but NERC offers no uniform definition for this term. Such a scenario could lead to confusion among responsible entities, as many devices could be considered FACTS, including static VAR compensators (SVC), D-VAR (Dynamic VAR), synchronous condensers, series caps, STATCOM, and phase shifters. As such, a definition for FACTS should either be included in Attachment 1 or added to the NERC Glossary of Terms.


Items 1.8, 1.9, and 1.12 – According to FAC-014-2 IROLs are established by Transmission Operators, Transmission Planners, and Planning Authorities. The Reliability Coordinator ensures that IROLs are established and are consistent with its methodology. Criterion 1.8 has been changed to “Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.” Criterion 1.9 has been changed to “Flexible AC Transmission Systems (FACTS), at a single station or substation location, that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.” Criterion 1.12 has been changed to “Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limit (IROL) violations for failure to operate as designed.”

Item 1.9 - FACTS is defined by IEEE as “Alternating Current Transmission Systems incorporating power electronics-based and other static controllers to enhance controllability and power transfer capability.” Commonly accepted terms and definitions do not require an insertion in the NERC Glossary.

OGE Yes (In General) Clarify Attachment 1 criteria to minimize the interpretation variance.

(1.1) Add more specificity to the term “location”.(1.1) Refer to MOD-024 within the standard. For the 1500 MW “bright line”; it needs to be perfectly clear which units are included.

(1.3) This criteria is open for auditors to interpret; standards should not be this open-ended. Use language that requires that the facilities be formally designated as “required for reliability purposes”, in advance.

(1.4) Change to "Each resource designated as a Blackstart Resource in the Transmission Operator's restoration plan as required in EOP-005." If a resource is "also mentioned" and/or is "Blackstart capable", it is not necessarily a Critical Asset.

(1.5) This criteria conflicts with the NERC Glossary definition for the term “Cranking Path”. The glossary does




not specify multiple path options, yet the criteria indicates "up to the point on the Cranking Path where multiple path options exist". By NERC definition, the cranking path may connect two generation resources and never have multiple options. Include in the criteria "Where multiple path options do not exist, the entire Cranking Path is included."(1.5) Should this criteria include a time element? Must this be a permanent "Cranking Path"?

(1.6) The criteria compounds the NERC Glossary terms "Transmission" and "Facilities" which is inappropriate. A new "local" definition for the term "Transmission Facilities" should be derived for use in this standard and proposed as an addition to the NERC glossary.(1.6) The criteria appears to include transmission lines as Critical Assets. The overhead associated with tracking all 500+ kV transmission line segments, breakers, busses, and other equipment is excessive.(1.6) Consider using capacity instead of nominal voltage level as the bright line. Dual 345kV lines may be used in place of a single 765kV line. Although there may be independent cyber assets, the loss of either will have a similar impact to the BES.

(1.7) The criteria compounds the NERC Glossary terms "Transmission" and "Facilities" which is inappropriate. A new "local" definition for the term "Transmission Facilities" should be derived for use in this standard and proposed as an addition to the NERC glossary.(1.7) Locally define and explicitly exclude "Generation Interconnection Facilities" from this criteria. This term is used in the NERC document, "Final Report from the Ad Hoc Group for Generation Requirements at the Transmission Interface” located at http://www.nerc.com/files/GO-TO_Final_Report_Complete_2009Nov16.pdf.

(1.10) See [1.7] comment "Locally define..."

(1.13) Define "automatic" within the standard.(1.13) Use the same "bright line" as generation, 1500 MW. While understood it is a reporting threshold, it is difficult to understand how the loss of 300 MW has a significant impact to the reliable operation of the BES.

(1.15) Distinguish between Control Center and Control Room within the Standard or attachment.


Item 1.1 – The guidance document posted by the SDT provides direction on the location issue. The document is posted on the Project 2008-06 page at http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean.pdf . Single plant location refers to a group of generating units occupying a defined physical footprint and designated as an individual “plant” using commonly accepted generating facility terminology. Adjacent plants would be defined using the same criteria. The units do not necessarily have to be connected to the BES at the same substation or interconnection point in order to be considered a single plant. It is NERC’s practice not to directly refer to other standards by name in developing standard language.


Item 1.4 – A Blackstart Resource is defined as “A generating unit(s) and its associated set of equipment which has the ability to be started without support from the

http://www.nerc.com/files/GO-TO_Final_Report_Complete_2009Nov16.pdf�





System or is designed to remain energized without connection to the remainder of the System, with the ability to energize a bus, meeting the Transmission Operator’s restoration plan needs for real and reactive power capability, frequency and voltage control, and that has been included in the Transmission Operator’s restoration plan.” Based on the glossary term Blackstart Resource, the SDT has determined that the reference to EOP-005 is unnecessary. It is NERC’s practice not to directly refer to other standards by name in developing standard language.

Item 1.5 – Cranking Path is defined as “A portion of the electric system that can be isolated and then energized to deliver electric power from a generation source to enable the startup of one or more other generating units.” It does not specify multiple paths, but it also does not exclude them. This criterion has been reworded to “The Facilities comprising the Cranking Paths and meeting the initial switching requirements from the Blackstart Resource to the first interconnection point of the generation unit(s) to be started, or up to the point on the Cranking Path where two or more path options exist as identified in the Transmission Operator's restoration plan.”

Item 1.6 – The SDT appropriately uses the phrase “Transmission Facilities.” The SDT is referring to Facilities that comprise Transmission. The issue with using capacity (or rating) instead of voltage level does not meet the objective of uniform application of Critical Asset identification across all entities.

Item 1.7 – The SDT appropriately uses the phrase “Transmission Facilities.” The SDT is referring to Facilities that comprise Transmission. It should be noted that connections to generators or generation-only substations are not counted in this Criterion. The source to a radial substation may be considered a Critical Asset, but the radial substation would not be considered a Critical Asset since by definition it cannot be connected to three or more transmission substations. This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”

Item 1.10 – The SDT appropriately uses the phrase “Transmission Facilities.” The SDT is referring to Facilities that comprise Transmission. This criterion has been changed to “Transmission Facilities providing the generation interconnection required to connect generator output to the transmission system that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets identified by any Generator Owner as a result of its application of Attachment 1, criterion 1.1 or 1.3.”


Item 1.15 – Control centers generally perform control functions for multiple BES assets. These Facilities are evaluated as a control center. Facilities that perform control functions for a single BES asset should be evaluated as part of BES asset (e.g., control room for a single generation plant or transmission substation).

FMPA Yes 1.1 Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW.

FMPA Comments: FMPA commends the SDT for their attempted to come to agreement on a nationwide bright line for generating units based on an operationally significant threshold. However, FMPA continues to have the comment we submitted in CIP-010-1 standard as having arbitrary bright lines for generating units and requested that these bright line numbers have justification or have them based on the Contingency Reserve of each Reserve Sharing Group region. FMPA is concerned that the use of the “Real Power Capability of the preceding 12 months” would bring in unnecessary volatility to applicability of this standard to




certain groups of generating units. To alleviate this volatility we suggest that generation owners should use the facility ratings which are calculated and communicated under FAC-009-1 R2.


FMPA Comments: FMPA believes that this “bright line” is arbitrary and instead suggests combining this with 1.9. There is no significant difference between the MVARs provided by FACTs devices and those provided by a power plant and it makes sense to treat them both in the same fashion.


FMPA Comments: FMPA commends the SDT on including the criteria in 1.3, which gives the PC and TP the ability to designate as critical any generating facilities for reliability purposes. This will cover critical units that are not captured within the bright line of criteria 1.1 without drawing in all units of a certain size that are not considered critical elsewhere on the system. FMPA suggests that the designation of facilities be based on studies conducted under the TPL standards to justify the designation. Also, the use of NERC Glossary of term: “Adverse Reliability Impacts” will help clarify which units should be in this category.We are also concerned that the PC or TP will be looking at local vs. wide area reliability. There are some cases where the PC can designate Must Run units for temporary situations so this must be clarified within the criteria. FMPA proposes the following rewording of criteria 1.3:”1.3 Each generation Facility that the Planning Coordinator or Transmission Planner designates as required to avoid BES Adverse Reliability Impacts for 1 year or longer.”


FMPA Comments: FMPA is concerned that designating all Blackstart Resources as critical will divert limited resources to protect blackstart facilities that are only used to restore localized load. We believe it is the intent of the drafting team to identify the truly critical blackstart units (taking from the CIP-010-1 draft; only high impact facilities). FMPA understands that criteria 1.4 uniformly identify all Blackstart Resources listed in the Transmission Operator’s restoration plan as being Critical Assets with regards to the Bulk Electric System. Currently, many utilities include multiple Blackstart resources in the restoration plans provided to the Transmission Operator. Including numerous resources makes the plan much more robust and reliable as it provides additional well documented restoration options should unforeseen problems occur. As currently written, Item 1.4 inadvertently incentivizes utilities to remove blackstart resources from the restoration plan if these resources are not critical to an effective restoration plan, reducing the plan’s overall robustness. Therefore, we believe there should be a threshold for Blackstart Resources, similar to nearly all other elements being considered in Attachment 1. This would allow utilities the freedom to include numerous resources in the Transmission Operators restoration plan without being swept into being identified as a critical asset.To implement this approach, we believe it is imperative to consider the Blackstart Resource’s actual




role in the restoration plan, not just its simple inclusion. For example, a 10 MW Blackstart Resource that directly supports restoration of a critical generating facility is much more important to the Bulk Electric System than a 10 MW Blackstart Resource that simply supplies local load during an outage. Therefore, FMPA would propose judging the criticality of a Blackstart Resource by the relative importance of the generating unit(s) it directly supports.We would recommend rewording item 1.4 as follows, leveraging the existing language of criteria 1.15 and the capacity bright-line of criteria 1.13:1.4 Each Blackstart Resource identified in the Transmission Operator’s restoration plan, which meet either of the following criteria:1.4.1 Used to directly start generation identified as a Critical Asset in criteria 1.1 or 1.3, 1.4.2 Used to directly start generation greater than an aggregate of 300 MW.We believe this approach should provide a better measure of a Blackstart Resource’s potential impact on the Bulk Electric System, resulting in Critical Assets that adequately address system reliability in a practical manner. It also mitigates the likelihood that registered entities may decide to retire certain small blackstart units, thereby removing valuable but not critical blackstart resources from the Transmission Operator’s restoration plan.


FMPA Comments: FMPA commends the SDT on differentiating between a single Cranking Path as a critical facility and multiple Cranking Paths as having redundancy in the BES and thus being less critical. Having this criteria stated in 1.5 incentivizes the entity to build in redundancy in infrastructure to lower criticality of a single asset. This truly does reward infrastructure reliability through a standard. FMPA suggests that the SDT change “switching requirements” to “switching equipment.”


FMPA Comments: FMPA believes that criteria 1.7 is rather arbitrary and suggests use of TPL-004-0 Category D testing and to combine 1.7 with 1.8. Does loss of a substation result in an IROL or Adverse Reliability Impacts? Doing so can also remove the voltage class limit. It is also unclear from the working whether the entire substation is a Critical Asset, or whether each Facility connected to that substation is a Critical Asset. FMPA suggests the entire substation. It is also unclear for substations that have two voltage levels (e.g., a 345 kV to 115 kV substation), whether the entire substation should be considered, or just one voltage level. FMPA suggests one voltage level as discussed in the existing TPL-004 standard.


FMPA Comments: FMPA believes that criteria 1.8 should be reworded to "station or substation" instead of just "station" so that it is not implied that it only applies to power plants (station). Also the use of term Adverse




Reliability Impact would be beneficial. Proposed rewording of criteria 1.8:1.8. Transmission Facilities at a single station or substation that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs) or can cause an Adverse Reliability Impact as a result of extreme contingency loss of substation testing as part of the TPL standards or as determined by the Reliability Coordinator.


FMPA Comments: FMPA believes that criteria 1.9 should be reworded to "station or substation" instead of just "station" so that it is not implied that it only applies to power plants (station). Also the use of term Adverse Reliability Impact would be beneficial.


FMPA Comments: FMPA believes that adding the phrase “or can cause an Adverse Reliability Impact” would be beneficial.


FMPA Comments: FMPA believes that the 300 MW is arbitrary and seems based more on reporting requirements than on true reliability impacts. Also, it should not matter whether loss of load is caused by an “automatic” system or not. In addition, the power system is more resilient to loss of load than loss of generation; hence, by using the same threshold as is used in 1.1, we are actually being quite conservative. FMPA offers the following alternatives for rewording 1.13:1.13 Common control system(s) that can result in a loss of load equal to or greater than the reserve sharing requirements of the Reserve Sharing Group within 15 minutes.


FMPA Comments: FMPA is concerned that criteria 1.14 is overly broad because it includes all BA and TOP control centers regardless of size. We understand the critical nature of control centers and the need to protect against loss of control of major sections of the BES. However, we ask that the SDT revise this criteria to include a bright-line with similar impact as those in 1.1 and 1.15.FMPA offers the following revised wording:1.14. Each control center, control system, backup control center, or backup control system that




can:1.14.1 Cause a loss of generation or load greater than the reserve sharing requirements of the Reserve Sharing Group1.14.2 That if manipulated, can cause an Adverse Reliability Impact as determined through planning studies. FMPA cannot support this standard revision without some form of bright line cutoff to exclude small BAs and TOPs that cannot cause instability, cascading or uncontrolled separation of the BES.


FMPA Comments: With the proposed revision to 1.14, this 1.15 would no longer be required.


FMPA Comments: FMPA believes that 1.16 should be removed from the Attachment 1 criteria. We expect that registered entities may voluntarily protect assets above and beyond the ones listed in these criteria. However, we just do not see the reliability benefit of imposing a compliance liability to those self identified critical assets. We feel that the NERC and Regional compliance staff will waste valuable time and resources evaluating entity compliance with cyber security controls for assets that are outside of the scope of this standard.

Response: Thank you for your response. Please refer to the response to comments of Florida Municipal Power Agency.

South Carolina Electric and Gas No


No

Central Lincoln Yes The standard needs a definition of “Control Center.” The guidance document contains one, but is not part of the standard. And the one in the guidance document could be interpreted to apply to any laptop or PDA that could be used to control more than one BES asset. Suggest that “Control Center” be defined to be a fixed location.

Response: Thank you for your comments. At this time, the SDT is choosing not to add control center to the NERC Glossary. We feel defining this term under this proposed version of the Standard would have far-reaching impacts beyond the scope of CIP-002-4 to CIP-009-4. This term is used in other approved NERC standards already in effect.


Yes CIP-002-4 Attachment 1-1.1 what is the basis for the 1500 MW versus what used to be Output exceeds Reserve Sharing Group obligation or Output exceeds Contingency Reserve obligation?





Item 1.1 - Prior drafts had wording about reserve sharing for the threshold. The SDT received feedback that that wording was confusing, that the amount referred to in the reserve sharing was not a specific amount, and that the amounts changed daily. The team conducted an informal survey of the regions, and identified what the megawatt value of the reserve sharing would be for various groups. The drafting team used 1500 MW as a number derived from the most significant Contingency Reserves operated in various BAs in all regions.

SPS Consulting Group Inc. Yes Criteria 1.3 states: "Each generation Facility that the Planning Coordinator or Transmission Planner designates as required for reliability purposes." The term "designates" should be deleted and replaced with "demonstrates through independently verified engineering assessments". The problem with the current ability to simply designate a generator as a critical asset is that not all Planning Coordinators and Transmission Planners are independent. There is a significant competitive incentive for the non-independent PCs and TPs to label a competitor as "critical", thereby increasing their cost of operation and decreasing their competitiveness. No entity should be able to simply "designate" another as having critical assets.


Item 1.3 – The burden for identifying Critical Assets is with the Responsible Entity that is the asset owner. This criterion has been reworded to “Each generation Facility that the Planning Coordinator or Transmission Planner designates and informs the Generator Owner or Generator Operator as necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon.” If it is determined through system studies that a unit must run in order to preserve the reliability of the BES, then that unit must be classified as a Critical Asset. If an entity feels that they have an asset that has been unjustly classified as “required for reliability reasons,” there are NERC appeals processes that can be used. The Planning Authority and/or Transmission Planner are not designating the asset as critical for CIP purposes; they are determining the unit to be necessary to avoid Adverse Reliability Impacts based on other NERC reliability standards.

Tacoma Power Yes Comments:

For Section 1.1, Tacoma Power commends the SDT’s attempt to set a bright line for generating units based on a significant operational threshold. However, the bright line criterion of 1500 MW for all regions is not realistic. The bright line criterion should be determined based on the requirements of each region. Tacoma Power also agrees with APPA’s suggestion of using the FAC-009-1 R2 facility ratings. Therefore, Tacoma Power suggests Section 1.1 be changed to read, “Each group of generating units (including nuclear generation) at a single plant location with an aggregate FAC-009-1 facility rating equal to or exceeding the MW value set by the Regional Reliability Organization.”

For section 1.2, Tacoma Power agrees with the need to set a bright line limit but suggests that the bright line limit again be set by the Regional Reliability Organization based on the regional system. Therefore, Tacoma Power suggests the following language, “Each reactive resource or group of resources at a single location (excluding Generation Facilities) having an aggregate net Reactive Power nameplate rating at or above the




value set by the Regional Reliability Organization.”

For section 1.3, Tacoma Power commends the SDT for adding a criterion for including generation facilities that do not fall under the section1.1 criterion. However, Tacoma recommends the language be changed to read, “Any generation Facility that the Planning Coordinator or Transmission Planner designates, provides justification for and receives concurrence from the RRO as required for reliability.”

For Section 1.4, Tacoma Power has no comments.









For Section 1.13, Tacoma Power concurs with APPA’s comments when they said, “APPA believes the SDT’s change in wording of criteria 1.13 will inadvertently bring in all SCADA systems with the capability of shedding load even if such SCADA systems are in fact not planned or operated to perform load shedding. As written, this criteria designates as a critical asset various control systems that by themselves could not cause instability or uncontrolled separation of the BES.APPA offers the following alternatives for rewording 1.13:1.13 Common control system(s) configured to perform automatic load shedding of 300 MW or more within 15 minutes. APPA can accept the bright-line of 300 MW if the wording is changed to that stated above, but we still see this bright-line as an arbitrary threshold based on a quantity that has no BES operational significance. Rather, 300 MW is a DOE threshold for electric event reporting.”

For section 1.14, Tacoma power concurs with APPA’s comments when they say:”APPA is concerned that criteria 1.14 is overly broad because it includes all BA and TOP control centers regardless of size. We understand the critical nature of control centers and the need to protect against loss of control of major sections of the BES. However, we ask that the SDT revise this criteria [sic] to include a bright-line with similar impact as those in 1.1 and 1.15.APPA offers the following revised wording: 1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator with a minimum of 1500 MW of resources under its control. APPA cannot support this standard revision without some form of bright line cutoff




to exclude small BAs and TOPs that cannot cause instability or uncontrolled separation of the BES. However, we will support inclusion of “ALL BA and TOP control centers” only when this standard is revised to provide for a tiered (High, Medium and Low) categorization of Critical Assets, such as the SDT’s draft CIP-010-1 proposal.”




Item 1.1 - The drafting team used time and value parameters to ensure the bright-lines and the values used to measure against them were relatively stable over the review period. Hence, where multiple values of net Real Power capability could be used for the Facilities’ qualification against these bright-lines, the highest value was used. The 12 month time period was used so that seasonal ratings would not be an issue for generating plants that operate near the 1500 MW bright line. The drafting team used 1500 MW as a number derived from the most significant Contingency Reserves operated in various BAs in all regions. The issue with using different MW values in each region is that it does not meet the objective of uniform application of Critical Asset identification across all entities.

Item 1.2 – The issue with using different MVAR values in each region is that it does not meet the objective of uniform application of Critical Asset identification across all entities.




Green Country Energy No

Illinois Municipal Electric Agency Yes IMEA recommends that Criterion 1.8 be continued with the following language: "...(IROLs) as demonstrated by the Reliability Coordinator." If the RC is not appropriate, it may be necessary to add the appropriate functional enttity, for demonstrating IROLs, to Applicability section 4.1. This additional language will clarify that the TO, LSE, etc. is not responsible for demonstrating IROLs.





Item 1.8 – According to FAC-014-2 IROLs are established by Transmission Operators, Transmission Planners, and Planning Authorities. The Reliability Coordinator ensures that IROLs are established and are consistent with its methodology. This criterion has been changed to “Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”

Minnkota Power Cooperative Yes 1.12: MPC agrees with criteria 1.12, however the guidance document states that "Since the purpose of SPS and RAS is to prevent disturbances that would result in excursions beyond IROLs.... it is expected that all such systems and schemes will be designated as Critical Assets." MPC disagrees with the statement that this is the purpose of all SPS and RAS.

Response: Thank you for your comments. Please refer to the updated guidance document.

Horizon Wind Energy Yes Criteria 1.15 in attachments A includes generation control centers used to control generation greater than an aggregate of 1500 MWs in a single interconnection. It is true that the span of control of the generation control center may cross multiple BA or RSG areas. In the unlikely event of a common mode failure of such a generation control center that would lead to a loss of all generation, the loss of generation in the multiple BAs or RSGs could fall significantly below the criteria of the 1500 MWs threshold used in criteria 1.1 for generating units at a single plant location, therefore not affecting the reliability and operability of the BES system. There seems to be a disconnect in criteria 1.1 for generation and 1.15 for generation control centers, hence 1500 MWs in a single plant location vs. 1500 MWs aggregate in a single interconnection for generation control centers. Secondly, some generation control centers collect data from generators via SCADA for monitoring purposes and can manually send set points to lower generation if the need would arise. Does this type of arrangement fall under the description of control generation or was it the intent to include, in the description, generation that is controlled to maintain sufficient Contingency Reserve (BAL - 002) and Resource and Demand Balancing (BAL - 003)? Suggest adding language to 1.15 that is more in line with the criteria in 1.1 and clarifying what is meant by control generation.


Item 1.15 – Thank you for your comment. This criterion has been changed to “Each control center or backup control center used to control generation at multiple plant locations, for any generation Facility or group of generation Facilities identified in criteria 1.1, 1.3, or 1.4. Each control center or backup control center used to control aggregate generation equal to or exceeding 1500 MWs in a single Interconnection.” Generation control centers that collect data from generators via SCADA for monitoring purposes and have the ability to manually send set points to lower generation if the need would arise and meet the specifications of criterion 1.15 would be considered Critical Assets. For further information, please refer to the updated guidance document.




Union Power Partners LP Yes I suggest the inclusion of the "common mode" concept, for without a CM system, an outside intruder absolutely cannot obtain control of the entire generating capability at one time. I also, believe there should be some type of exceptions for small companies that do not have the financial capacity to implement all requirements. Are there some requirements that are more important than others which could provide a "floor" of physical & cyber security?

Response: Thank you for your comments. The “common mode” concept is reflected in the identification of Critical Cyber Assets in Requirement R2. Once an asset is identified as a Critical Cyber Asset, it must be compliant with all of the requirements in CIP-003 to CIP-009.

MidAmerican Energy Company Yes MidAmerican Energy Company would like to provide the following suggestion for Critical Asset criteria 1.9 in Attachment 1:Criterion 1.9 does not define “Flexible AC Transmission Systems (FACTS).” A definition for FACTS should either be included in Attachment 1 or added to the NERC Glossary of Terms.


Item 1.9 – FACTS is defined by IEEE as: “Alternating Current Transmission Systems incorporating power electronics-based and other static controllers to enhance controllability and power transfer capability.” Commonly accepted terms and definitions do not require an insertion in the NERC Glossary.


Yes NCEMC agrees with the following NRECA Comments:

1. What is the technical justification for the proposed criteria? The "Rationale and Implementation Reference Document" does not provide technical justification, but rather provides more of an opinion of the drafting team. To the extent possible, there should be technical justification for the proposed criteria that stakeholders can review.








The SDT believes information provided in the guidance document (posted on the Project 2008-06 page at http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean.pdf ) provides sufficient technical justification for each criterion.

Item 1.7 - The intent of Item 1.7 is to classify as a Critical Asset any Transmission Facility operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations. That includes upstream, downstream, networked, and radial. It should be noted that connections to generators or generation-only substations are not counted in this Criterion. The source to the radial substation may be considered a Critical Asset, but the radial substation would not be considered a Critical Asset since by definition it cannot be connected to three or more transmission substations. This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”



Hydro One Networks Inc. No 2. We do not agree with criteria 1.6 and 1.7 in Attachment 1 as written. Application of these criteria would result in the inclusion of facilities that will have no impact on the BES reliability. We believe that the list of applicable facilities should be determined following an impact-based assessment to be performed by the Reliability Coordinator. If necessary, an additional requirement that requires the RC to have a risk-based assessment methodology and to conduct/review the assessment should be included. We therefore propose the following wording to replace 1.6 and 1.7 in Attachment 1: 1.6 Transmission facilities operated at 500 kV or higher, unless the annual review performed by the RC determines that destruction, degradation or unavailability of those assets will have no impact outside the local area and will not cause BES instability, separation, or cascading outages.1.7 Transmission Facilities operated at 300 kV or higher to less than 500 kV at stations interconnected at 300 kV or higher with three or more other transmission stations, unless the annual review performed by the RC determines that destruction, degradation or unavailability of those assets will not have impact outside the local area and will not cause BES instability, separation, or cascading outages.


Items 1.6 and 1.7 – The SDT does not feel that a power flow analysis (impact-based or risk-based) would lead to a consistent application of the criteria, due to the numerous factors which can impact substation power flows. Such a study would need to be rigorously defined for the industry. We thank you for your proposal and will take it under consideration for future revisions. Criterion 1.7 has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”






Dynegy Inc. Yes For 1.1 and 1.15, why is 1500 MW the new value? Each draft document that comes out has had different criteria/values. How does the recent survey fit into this? I realize the Rationale and Implementation Reference Document mentions the Contingency Reserve concept mentioned in previous drafts but it does not seem right that one size (i.e. 1500 MW) should fit all Regions. Suggest a better fit by Region.

For 1.3, the Rationale and Implementation Guidance Document uses the term "local area" to help determine if a unit is designated as this type of Critical Asset but it is unclear what "local" means. Please provide additional guidance.

For 1.15, the draft Standard and Rationale and Implementation Guidance Document uses the term "control generation" to help determine if a unit is designated as this type of Critical Asset but it is unclear what "control generation" means. Please provide additional guidance.


Item 1.1 - Prior drafts had wording about reserve sharing for the threshold. The SDT received feedback that that wording was confusing, that the amount referred to in the reserve sharing was not a specific amount, and that the amounts changed daily. The team conducted an informal survey of the regions, and we identified what the megawatt value of the reserve sharing would be for various groups. The drafting team used 1500 MW as a number derived from the most significant Contingency Reserves operated in various BAs in all regions.


Item 1.15 –This criterion has been changed to “Each control center or backup control center used to control generation at multiple plant locations, for any generation Facility or group of generation Facilities identified in criteria 1.1, 1.3, or 1.4. Each control center or backup control center used to control aggregate generation equal to or exceeding 1500 MWs in a single Interconnection.”

Matrikon Inc. Yes The approval of CIP-002-4 is expected to bring in more Critical Assets that are subject to NERC CIP compliance. With this will be organizations that have never experienced CIP and will have a steep learning curve ahead of them. Guidance documents such as the one created unofficially by the SDT for CIP-002-4, as well as compilation of Q&A from Technical Webinars similar to the original FAQ attached to CIP version 1 is highly recommended. There is going to be many organizations looking to clarify how their assets are classified as per Attachment 1, and examples will be helpful.

Response: Thank you for your comments. The SDT is continuing to develop and refine the documents mentioned in your comments.

Northeast Utilities Yes CIP-002-1 Attachment 1 criterion 1.3 reads: “Each generation facility that the planning coordinator or transmission planner designates as required for reliability purposes”. We believe that as stated, this criterion (1.3) is subject to interpretation. Specifically, “for reliability purposes” can be interpreted as “must-run” units,




required for black start (although that could be duplicative to criteria 1.4), or as any generator containing BPS elements. Suggest more clearly defining “for reliability purposes” or restating the criterion. The terminology used in the recent NERC data request appeared to be clearer - that is: “Any generation facility that the planning coordinator identifies as Reliability ‘must run’ assigned units”.

CIP-002-1 Attachment 1 criterion 1.10 reads: “Transmission facilities providing the generation interconnection required to directly connect generator output to the transmission system that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets described in Attachment 1, criterion 1.1 or 1.3.” We believe that as stated, this criterion (1.10) could be interpreted to mean not only generators owned by the responsible entity but also those not owned by but interconnected to the Transmission Owner’s system. Clarification of criterion 1.3 should serve to clarify criterion 1.10 as well.



Item 1.10 – The SDT agrees that not only generators owned by the Responsible Entity but also those not owned by but interconnected to the Transmission Owner’s system are subject to criterion 1.10. This criterion has been changed to “Transmission Facilities providing the generation interconnection required to connect generator output to the transmission system that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets identified by any Generator Owner as a result of its application of Attachment 1, criterion 1.1 or 1.3.”

CenterPoint Energy Yes CenterPoint Energy believes the proposed criteria contained in Attachment 1 are generally reasonable.

CenterPoint Energy is concerned that designation of assets under criteria 1.3 relies upon a risk-based assessment in the same manner that designation under the existing requirements of CIP-002-3 relies upon a risk-based assessment. Stated otherwise, criteria 1.3 does not appear to be a true “bright line” criteria.

CenterPoint Energy is also concerned that requirements 1.8, 1.9, and 1.12 may create confusion among industry practitioners and inconsistent application by reliability auditors.

Notwithstanding these concerns, CenterPoint Energy can support the requirements provided in Attachment 1 except criteria 1.11. As CenterPoint Energy understands it, the SDT believes criteria 1.11 is a “bright line” because NUC-001-2 Requirement 9.2.2 requires identification of facilities needed to meet the Nuclear Plant Interface Requirements (NPIRs). Therefore, Transmission Facilities designated as being essential to meeting NPIRs under NUC-001-2 Requirement 9.2.2 would be designated as Critical Assets under CIP-002-4.However, like proposed criteria 1.3, this criteria is not a true “bright line” because it requires a negotiated risk-based assessment to determine NPIRs pursuant to NUC-001-2 Requirement 2 and then to determine the facilities essential to meeting the NPIRs pursuant to NUC-001-2 Requirement 9.2.2. Therefore, it suffers the same flaw as the alleged flaw in CIP-002-3 and the previously noted flaw reflected in criteria 1.3 in




Attachment 1 of CIP-002-4. Additionally, unlike criteria 1.3, criteria 1.11 is not based upon BES reliability considerations. As indicated in the Purpose section of NUC-001-2, the requirements contained in NUC-001-2 are based upon ensuring safe operation and shutdown of nuclear plants. However, as indicated in the Purpose section of CIP-002-4, the “bright line” criteria contained in Attachment 1 is supposed to be criteria related to BES reliability, not criteria related to the safe operation and shutdown of nuclear plants. Therefore, it is misleading and inappropriate to include criteria 1.11 in Attachment 1. CenterPoint Energy is not suggesting that physical and cyber security of facilities required to ensure safe operation and shutdown of nuclear plants is not important. Physical and cyber security of such facilities is an important consideration and is already addressed under NUC-001-2 Requirement 9.3.6.In the context of CIP-002-4, where critical assets are determined based on BES reliability considerations, CenterPoint Energy is concerned that the inclusion of criteria 1.11 will create unnecessary confusion. One point of confusion is that facilities essential to meeting NPIRs under NUC-001-2 R9.2.2 are not necessarily limited to transmission facilities as indicated in CIP-002-4 Attachment 1, criteria 1.11. For example, a NPIR might be that voltage at a substation interconnecting nuclear plants needs to be maintained in a specified range under certain operating conditions. Since voltage control is provided by generators (by regulating reactive power output) in coordination with operation of transmission facilities, it is possible that one or more generating units (particularly the nuclear generating units and nearby generating units) might be designated as facilities essential to meeting the NPIR. The same is true for NPIRs relating to maintaining short circuit current below a specified level. If criteria 1.11 had merit, there is no logical reason why generating facilities potentially identified pursuant to NUC-001-2 R9.2.2 as being essential to meeting NPIRs would not be identified as Critical Assets yet under criteria 1.11 only transmission facilities would be so designated.The point is that proposed criteria 1.11 is an unnecessary criteria that inappropriately and incorrectly mixes the BES reliability considerations in CIP-002-4 with the nuclear plant safety considerations addressed in NUC-001-2. CenterPoint Energy is concerned that the confusion resulting from this inappropriate and incorrect blend of CIP and NUC related matters runs afoul of the stated goal of CIP-002 version 4 to create a clear, unconfusing “bright line” criteria. As a practical matter, besides physical and cyber security of NPIR-related assets being addressed by NUC-001-2 R9.3.6, the nuclear plant and associated switchyard would likely be designated as Critical Assets under CIP-002-4 Attachment 1 criteria 1.1 and 1.10 and possibly under one or more of the other criteria contained in Attachment 1. In summary, criteria 1.11 is an unnecessary, inexact, and confusing attempt to duplicate the concepts found in NUC-001-2 R9.2.2 and R9.3.6. As such, criteria 1.11 should be deleted in its entirety. Alternatively, if the SDT feels compelled to maintain proposed criteria 1.11 in Attachment 1, CenterPoint Energy proposes re-wording criteria 1.11 along the lines of proposed criteria 1.10, such as “Transmission Facilities providing the generation connection required to directly connect nuclear plant generator output to the transmission system.” Although this alternative would still inappropriately mix the nuclear plant safety considerations found in NUC-001-2 with the BES reliability considerations that are the alleged basis for Critical Asset determination in CIP-002-4, this alternative would at least provide a “bright line” criteria. CenterPoint Energy could support either of these alternatives, but cannot support criteria 1.11 as it is currently




written.



Items 1.8, 1.9, and 1.12 – According to FAC-014-2 IROLs are established by Transmission Operators, Transmission Planners, and Planning Authorities. The Reliability Coordinator ensures that IROLs are established and are consistent with its methodology. Criterion 1.8 has been changed to “Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.” Criterion 1.9 has been changed to “Flexible AC Transmission Systems (FACTS), at a single station or substation location, that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.” Criterion 1.12 has been changed to “Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limit (IROL) violations for failure to operate as designed.”

Item 1.11 – Designating facilities already determined necessary for another standard (i.e. NUC-001-2) does not constitute a risk-based approach to the identification of Critical Assets. Once those facilities have been identified, a bright line exists for inclusion as a Critical Asset. This is similar to the approach taken for IROLs.

LCEC Yes Attachment 1:

Paragraph 1.14 includes the Transmission Operator (TOP) function in addition to the Reliability Coordinator (RC) and Balancing Authority (BA) functions. In CIP10 the concept of a true “risk based” approach to the application of security requirements was proposed in the purpose section of the document as follows: Purpose: To identify and categorize BES Cyber Systems that execute or enable functions essential to reliable operation of the BES, for the application of cyber security requirements commensurate with the adverse impact that loss, compromise or misuse of those BES Cyber Systems could have on the reliability of the BES. The concept of matching security controls with risk is common practice that is found in NIST and ISO guidelines for risk management. These best practices should be leveraged when considering the implementation of CIPv4 and the development of future standards such as CIP10 and CIP11 that will include requirements for medium and low risk BES Cyber Systems. In the draft release of CIP10, the Balancing Authority (BA), Reliability Coordinator (RC) and Transmission Operator (TOP) functions were listed separately and with additional qualifying criteria. This is a much better approach that is well aligned with best practices and future standard development. When considering the proposed CIPv4 criteria, the control centers for the Transmission Operator (TOP) function should only be included as Critical Assets if they operate transmission facilities that meet the critical asset bright line criteria listed in paragraph 1.6 (above 500kV) or 1.7 (300Kv or




higher at stations interconnected at 300kV or higher with three or more other transmission stations). Not including these criteria will result in Non-Critical Assets being identified as Critical Assets. In addition, the standards will go against established best practices and be in conflict with the already released draft of the CIP10 and CIP11 standards. Suggested change to Attachment 1 paragraph 1.14:Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator or Balancing Authority. Suggested change to Attachment 1 (Add paragraph 1.x):Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Transmission Operator for Transmission Facilities meeting the criteria in 1.6 or 1.7.



Xcel Energy No We believe that 1.3 needs better definition. Specific criteria for designating generation facilities as required for reliability should be identified.



Great River Energy No 1.3 The criteria needs to be more clear on what is meant by “required for reliability purposes”

1.4 We suggest additional qualifying criteria such as "blackstart resources identified as critical to restoration in a regions restoration plan"

1.5 Suggest additional qualifying criteria "BES elements/facilities comprising the Cranking Paths..." For instance if there are multiple distribution subs within the Cranking Path are these now critical assets? Suggest additional qualifying criteria such as "Cranking Paths to critical units as identified in a region’s restoration plan"

1.7 Is there a specific engineering basis for three? A better explanation is needed - does this mean upstream, downstream, radial, networked, etc.?




1.9 Please add to the standard the commonly accepted definition of a FACTS system and include it as a newly defined term since the definition of FACTS is not currently in the Glossary.

1.11 Please clarify who decides what “essential” is.



Item 1.4 – NERC standard EOP-005-2 requires the Transmission Operator to have a Restoration Plan and to list its Blackstart Resources in its plan as well as requirements to test these Resources. This criterion designates only those generation Blackstart Resources that have been designated as such in the Transmission Operator’s restoration plan. There is no longer any NERC requirement to have a region restoration plan.

Item 1.5 – There is no longer any NERC requirement to have a region restoration plan. Any substation may be considered a Critical Asset if it is in the Cranking Path. This criterion has been reworded to “The Facilities comprising the Cranking Paths and meeting the initial switching requirements from the Blackstart Resource to the first interconnection point of the generation unit(s) to be started, or up to the point on the Cranking Path where two or more path options exist as identified in the Transmission Operator's restoration plan.”

Item 1.7 – In order to be more accurate in terms of the impact, the Drafting Team thought that it was more appropriate to refer to the number of connected transmission substations instead of lines connected to any particular transmission substation. The intent was to get away from the double-circuit conditions and to include facilities that are actually more a part of the network than simple substations with double circuits between them. This includes upstream, downstream, radial and networked substations. This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”

Item 1.9 – FACTS is defined by IEEE as: “Alternating Current Transmission Systems incorporating power electronics-based and other static controllers to enhance controllability and power transfer capability.” Commonly accepted terms and definitions do not require an insertion in the NERC Glossary.

Item 1.11 – This is defined in NUC-001-2 Requirement 9.2.2 “Identification of facilities, components, and configuration restrictions that are essential for meeting the NPIRs.”

ITC Holdings No


Yes Attachment 1, part 1.14 would make a control center performing the functional obligation of a TOP a Critical Asset. This apparently would be the case even if a TOP’s control center only performed these functions on facilities that are not critical. Small entities have in some cases been forced by Balancing Authorities and former Transmission Operators to register as TOPs. Many of these small entity TOPs operate systems with no assets that qualify as Critical Assets under any of the other Attachment 1 criterion. Some of these TOPs operate systems that do not qualify as Bulk Electric System facilities. It is unreasonable to designate these utilities dispatch centers as Critical Assets unless these dispatch centers actually control or operated Critical




Assets. Part 1.14 should be modified as follows:1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator over any facilities determined to be Critical Assets as determined in Attachment 1, criterion 1.1 through 1.13.



TransAlta Yes It is an improvement using the bright-line approach to identify the critical asset instead of the RBAM. But there are some concerns in the criteria as described below. We will vote affirmative until the following concerns are properly addressed in the next draft.

For the criterion 1.1, it mentions “generating units (including nuclear generation) at a single plant location”. It is not clear what will be defined as a single plant location. Can the drafting team provide guidance for this to help the registered entity to classify the generating units properly?

For the criterion 1.3, the Planning Coordinator or Transmission Planner can unilaterally decide the generation facility as required for reliability purposes without input from the registered entity. The registered entity has not option but comply with. The consequence would be the registered entity would spend a large amount of resources to comply with. We understand that there are some discussions in NERC about the cost recovery for the compliance, which may address this concern in the future. But at this stage, the registered entity has obligation to identify the critical asset. Neither the Planning Coordinator nor Transmission Planner has this accountability. Thus, to address this issue, one option is that the registered entity should be given the right to agree or disagree on any generation facility to be required for reliability purposes if the Planning Coordinator or Transmission Planner plans to do this. For this option, it is recommended adding “to which has been agreed by the responsible entity” at the end of this criterion. Another option is to clearly define “reliability purposes” in the standard, which the Planning Coordinator, Transmission Planner, and registered entity will all have to follow.

For the criteria 1.6 and 1.7, transmission facilities should exclude the Generator Interconnection Facilities which was defined in this nerc project http://www.nerc.com/filez/standards/Project2010-07_GOTO_Project.html. The reason is that Generation Interconnection Facilities are the sole-use facility for the purpose of connecting the generating unit(s) to the transmission grid. Its criticality is directly related to the




criticality of the generation resources which are assessed against Criteria 1.1, 1.3. The criticality of these facilities should be differentiated from other transmission facilities. This issue was discussed in the draft guidance document. We think the appropriate wordings to clarify this should be put in to the standard, instead of addressing this in the guidance document, http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean.pdf.

For the criterion 1.15, control center is not a defined term in the NERC glossary. In all existing FERC approved standard except CIP-002, all requirements with the control center wordings are applicable to BA, TOP, and RC. In the NERC CIPC approved guideline, “Security Guideline for the Electricity Sector: Identifying Critical Assets”, there is a definition of control center. The draft guidance document http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean.pdf talks about the generation control center consideration. But we are still not clear what kind of facilities will be considered as the generation control center. We would like the drafting team to clarify the control center used for the generation.



Item 1.3 – The burden for identifying Critical Assets resides with the Responsible Entity that is the asset owner. The Planning Authority and/or Transmission Planner are not designating the asset as critical for CIP purposes; they are determining the unit to be necessary to avoid Adverse Reliability Impacts based on other NERC reliability standards. This criterion has been reworded to “Each generation Facility that the Planning Coordinator or Transmission Planner designates and informs the Generator Owner or Generator Operator as necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon.”

Item 1.6 –The drafting team believes “Transmission Facilities operated at 500 kV or higher” does not require any further qualification to clarify their role as components of the backbone on the Interconnected BES.

Item 1.7 – The intent of Criterion 1.7 is to classify as a Critical Asset any Transmission Facility operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations. That includes upstream, downstream, networked, and radial. It should be noted that connections to generators or generation-only substations are not counted in this Criterion. The source to the radial substation may be considered a Critical Asset, but the radial substation would not be considered a Critical Asset since by definition it cannot be connected to three or more transmission substations. This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”

Item 1.15 – At this time, the SDT is choosing not to add control center to the NERC Glossary. We feel defining this term under this proposed version of the







Standard would have far-reaching impacts beyond the scope of CIP-002-4 to CIP-009-4. This term is used in other approved NERC standards already in effect.

Exelon No The revised criteria are acceptable in the sense that all generation is now treated equally, regardless of fuel type, and the specific cyber assets of concern are those with the potential for shutdown of multiple units in real-time.



Yes CIP-002-4 - Attachment 1 Critical Asset Criteria The following are considered Critical Assets:

1.1. Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW. There is no technical basis or justification provided for the 1500MW criteria. If an entity has 4000 MW and is capable of proving that a loss of the 4000MW plant does not cause the BES to become unstable it should not be a Critical Asset. Therefore, suggested wording is: Each group of generating units (including nuclear generation) at a single plant location with its aggregate highest rated net Real Power capability of the preceding 12 months that through either testing or simulation can prove that a loss of the generating units causes an IROL. IF a Bright Line criteria is required than something more reasonable that has an impact on the BES should be considered such as 4000MW.

1.6. Transmission Facilities operated at 500 kV or higher. There is no basis for this. It should state Transmission Facilities operated at 500 kV or higher that if rendered unavailable violate one or more Interconnection Reliability Operating Limits (IROLs). Bright Line criteria - Transmission Facilities that operate at 500KV or higher with greater than 4,000 MW of flow.

1.7. Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations. There is no technical basis for this requirement. Suggestion: Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations that if rendered inoperable violate one or more Interconnection Reliability Operating Limits (IROLs). Bright Line criteria - Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations that have greater than 4,000 MW of flow into the facility.

1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator. Based on the way this is written there are Local Control Centers that perform functional obligations for the TOP. I am basing functional obligations as those that are defined in the NERC functional model for a TOP.Suggestion: Add a note that if through testing or simulation a control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability




Coordinator, Balancing Authority, or Transmission Operator is completely destroyed and all breakers on the BES are opened and a violation of one or more Interconnection Reliability Operating Limits (IROLs) does not occur this control center, control system, backup control center, or backup control system can be exempted. Bright Line is required than Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator. that control greater than 4,000MW.


Yes Comments: CIP-002-4 - Attachment 1 Critical Asset Criteria The following are considered Critical Assets:




1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator. Based on the way this is written there are Local Control Centers that perform functional obligations for the TOP. I am basing functional obligations as those that are defined in the NERC functional model for a TOP.Suggestion: Add a note that if through testing or simulation a control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator is completely destroyed and all breakers on the




BES are opened and a violation of one or more Interconnection Reliability Operating Limits (IROLs) does not occur this control center, control system, backup control center, or backup control system can be exempted. Bright Line is required than Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator. that control greater than 4,000MW.






1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator. Based on the way this is written there are Local Control Centers that perform functional obligations for the TOP. I am basing functional obligations as those that are defined in the NERC functional model for a TOP.Suggestion: Add a note that if through testing or simulation a control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator is completely destroyed and all breakers on the BES are opened and a violation of one or more Interconnection Reliability Operating Limits (IROLs) does not




occur this control center, control system, backup control center, or backup control system can be exempted. Bright Line is required than Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator. that control greater than 4,000MW.



1.1. Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW. There is no technical basis or justification provided for the 1500MW criteria. If an entity has 4000 MW and is capable of proving that a loss of the 4000MW plant does not cause the BES to become unstable it should not be a Critical Asset. Therefore, suggested wording is: Each group of generating units (including nuclear generation) at a single plant location with its aggregate highest rated net Real Power capability of the preceding 12 months that through either testing or simulation can prove that a loss of the generating units causes an IROL. IF a Bright Line criteria is required then something more reasonable that has an impact on the BES should be considered such as 4000MW.



1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator. Based on the way this is written there are Local Control Centers that perform functional obligations for the TOP. I am basing functional obligations on those that are defined in the NERC functional model for a TOP.Suggestion: Add a note that if through testing or simulation a control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator is completely destroyed and all breakers on the BES are opened and a violation of one or more Interconnection Reliability Operating Limits (IROLs) does not occur, this control center, control system, backup control center, or backup control system can be exempted.




Bright Line is required for each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator, that controls greater than 4,000MW.






1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator. Based on the way this is written there are Local Control Centers that perform functional obligations for the TOP. I am basing functional obligations as those that are defined in the NERC functional model for a TOP.Suggestion: Add a note that if through testing or simulation a control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator is completely destroyed and all breakers on the BES are opened and a violation of one or more Interconnection Reliability Operating Limits (IROLs) does not occur this control center, control system, backup control center, or backup control system can be exempted. Bright Line is required than Each control center, control system, backup control center, or backup control


November 30, 2010 100


system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator. that control greater than 4,000MW.

KAMO Power Yes Comments: CIP-002-4 - Attachment 1 Critical Asset Criteria The following are considered Critical Assets:




1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator. Based on the way this is written there are Local Control Centers that perform functional obligations for the TOP. I am basing functional obligations as those that are defined in the NERC functional model for a TOP.Suggestion: Add a note that if through testing or simulation a control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator is completely destroyed and all breakers on the BES are opened and a violation of one or more Interconnection Reliability Operating Limits (IROLs) does not occur this control center, control system, backup control center, or backup control system can be exempted. Bright Line is required than Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or


November 30, 2010 101


Transmission Operator that control greater than 4,000MW.








November 30, 2010 102


Transmission Operator. that control greater than 4,000MW.

KAMO Electric Cooperative Yes The following are considered Critical Assets:






November 30, 2010 103




Yes The following are considered Critical Assets:






November 30, 2010 104










November 30, 2010 105










November 30, 2010 106




Yes The following are considered Critical Assets:






November 30, 2010 107



M&A Electric Power Cooperative Yes CIP-002-4 - Attachment 1 Critical Asset Criteria The following are considered Critical Assets:

1.1. Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW. There is no technical basis or justification provided for the 1500MW criteria. If an entity has 4000 MW and is capable of proving that a loss of the 4000MW plant does not cause the BES to become unstable it should not be a Critical Asset. Therefore, suggested wording is: Each group of generating units (including nuclear generation) at a single plant location with its aggregate highest rated net Real Power capability of the preceding 12 months that through either testing or simulation can prove that a loss of the generating units causes an IROL. IF a Bright Line criteria is required then something more reasonable that has an impact on the BES should be considered such as 4000MW.



1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator. Based on the way this is written there are Local Control Centers that perform functional obligations for the TOP. I am basing functional obligations on those that are defined in the NERC functional model for a TOP.Suggestion: Add a note that if through testing or simulation a control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator is completely destroyed and all breakers on the BES are opened and a violation of one or more Interconnection Reliability Operating Limits (IROLs) does not occur this control center, control system, backup control center, or backup control system can be exempted. Bright Line is required for each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or


November 30, 2010 108


Transmission Operator that control greater than 4,000MW.








November 30, 2010 109










November 30, 2010 110



AECI Yes 1.1. Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW. There is no technical basis or justification provided for the 1500MW criteria. If an entity has 4000 MW and is capable of proving that a loss of the 4000MW plant does not cause the BES to become unstable it should not be a Critical Asset. Therefore, suggested wording is: Each group of generating units (including nuclear generation) at a single plant location with its aggregate highest rated net Real Power capability of the preceding 12 months that through either testing or simulation can prove that a loss of the generating units causes an IROL. If a Bright Line criteria is required than something more reasonable that has an impact on the BES should be considered such as 4000MW.



1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator. Based on the way this is written there are Local Control Centers that perform functional obligations for the TOP. I am basing functional obligations as those that are defined in the NERC functional model for a TOP. Suggestion: Add a note that if through testing or simulation a control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator is completely destroyed and all breakers on the BES are opened and a violation of one or more Interconnection Reliability Operating Limits (IROLs) does not occur this control center, control system, backup control center, or backup control system can be exempted. Bright Line is required than Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator. that control greater than 4,000MW.


November 30, 2010 111



Item 1.1 - The scope of CIP-002-4 was to address the consistency issues with the Critical Asset identification method by providing bright line criteria. Prior drafts had wording about reserve sharing for the threshold. The SDT received feedback that that wording was confusing, that the amount referred to in the reserve sharing was not a specific amount, and that the amounts changed daily. The team conducted an informal survey of the regions, and identified what the megawatt value of the reserve sharing would be for various groups. The drafting team used 1500 MW as a number derived from the most significant Contingency Reserves operated in various BAs in all regions.

Items 1.6 and 1.7 – The SDT does not feel that a power flow analysis (impact-based or risk-based) to determine line flows for the bright line criteria will lead to a consistent application of the criteria, due to the numerous factors which can impact substation power flows. Such a study would need to be rigorously defined for the industry. We thank you for your proposal and will take it under consideration for future revisions. Criterion 1.7 has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”



Yes 1.5. The Facilities comprising the Cranking Paths and initial switching requirements from the Blackstart Resource to the unit(s) to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where multiple path options exist. If a multiple path option exists from the Black Start Resource to a Next Start unit, does a Critical Path have to be designated? To clarify, the criteria states “The Facilities comprising the Cranking Paths... up to the point where multiple path option exist.” If LCRA has multiple paths originating directly at the Black Start Resource, either path could be used as a cranking path. Therefore, neither path would be considered critical. Could this be clarified?

1.7. Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations. 1) Does this includes radial interconnections? This is a question because a 345 kV station could be interconnected to 3 other stations, but one of the interconnections could be a radial 345 kV line connected to a generator.2) Is there a distance requirement for the interconnection? This is a question because a 345 kV station could be interconnected to 3 other stations, but one of the interconnections could be a 345kV bus connected to another station a few feet away.


Item 1.5 – The point where multiple paths exist in the Cranking Path is the step in the Transmission Operator’s restoration plan per EOP-005-2 R1.5 “Identification


November 30, 2010 112


of Cranking Paths and initial switching requirements between each Blackstart Resource and the unit(s) to be started” where the Transmission Operator can choose between the next Facilities on the BES to energize. Based on your example, neither path would be identified as a Critical Asset. This criterion has been reworded to “The Facilities comprising the Cranking Paths and meeting the initial switching requirements from the Blackstart Resource to the first interconnection point of the generation unit(s) to be started, or up to the point on the Cranking Path where two or more path options exist as identified in the Transmission Operator's restoration plan.”

Item 1.7 – The intent of Criterion 1.7 is to classify as a Critical Asset Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations. That includes upstream, downstream, networked, and radial. It should be noted that connections to generators or generation-only substations are not counted in this Criterion. The source to the radial substation may be considered a Critical Asset, but the radial substation would not be considered a Critical Asset since by definition it cannot be connected to three or more transmission substations. There is no distance requirement in the criterion. This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”

United Illumiinating Yes Change 1.3 to Each generation Facility that the Planning Coordinator or Transmission Planner has designated as required to avoid one or more reliability criteria violations.

Change 1.8 to Transmission Facilities at a single station location that the Planning Coordinator or Transmission Planner has designated that, if destroyed, degraded, misused or otherwise rendered unavailable, would result in one or more Interconnection Reliability Operating Limit (IROL) violations. The reason for the change is that destruction or misuse of equipment does not violate an IROL, the destruction causes the IROL on another interface to be violated. Also since TPL and PC are not listed as applicable entities to the standard, we feel it appropriate to specifically state that it is the PC and TPL that determine these facilities and no the Transmission Owner; Transmission Owners do not conduct the studies required to determine IROL.

Change 1.11 to Transmission Facilities providing offsite power requirements as identified in the Nuclear Plant Interface Requirements. NPIR is a broad based document with many requirements. IT would be helpful if the standard brightly identified what is critical to a nuclear plant. We believe it is the preservation of off site power for plan safety.

Change 1.12 to Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limit (IROLs) violations for failure to operate as designed. The reason for the change is that the misuse of an SPS would cause an IROL to be violated, and not all SPS are required to protect for IROL so the the standard should only apply to those that are installed to protect for IROL violations.


November 30, 2010 113








Yes Has there been any discussion about the enforcement of criteria versus a requirement in relation to the version 4 draft? The standard describes Attachment 1 as criteria that are to be applied by an entity to develop a Critical Asset list. Criteria have historically been viewed, in my experience, as guides but not Requirements. Has the drafting team stated why they are not clearly documenting that an entity that operates assets meeting the description in Attachment 1 is required to be on the entities Critical Asset list?

Failure to define terms that are used in the Attachment will also continue to create confusion: Transmission Facility, control center, and control system need to be defined to ensure consistent application of the criteria in the attachment.

1.5 In an effort to add clarity, it should be changed to read "The facilities comprising the Cranking Path and initial switching requirements from the Blackstart Resource to the first interconnection point of the generation facility to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where multiple path options exist.

1.11 Should be removed. Criticality of facilities should not be fuel specific.

1.13 The threshold should be consistent with that in 1.1. Automatic should be defined as requiring no human interaction to enact load shedding.

1.14 The current use of the term “control center” assumes that every control center fits into a certain box (i.e. remote breaker operations, remote generation start up/shut down, and load shed), but is applied to centers with little to no impact on system reliability. If there is an asset that can affect limits that are critical to the RC and TOP footprint then the protections should be in place. However, for generation assets and their interconnection facilities that do not have the ability to create SOL or IROL conditions, it is not practical to require CIP control measures. The role of such a control center in this case is generally just to capture a data


November 30, 2010 114


point for producing better system models. Such data is not for contingency planning or real time operational response awareness. A complete loss of data does not modify how the RC and TOP respond to the customers therefore, likewise a manipulation of the data would not trigger a BES reliability concern. For systems that cannot operate equipment remotely, applying CIP controls would be costly and provide only marginal reliability improvement at best.

1.15 Defining the area as ‘in a single interconnection’ is extremely broad and should be narrowed down to a maximum area of Balancing Authority. What other control centers /back-up control centers does the drafting team expect to capture that would not be captured under 1.14? How will they define generator control? The “control generation greater than an aggregate of 1500 MWs” criteria should be restricted to the amount of generation that could be controlled in a 10 minute period (NERC Control Performance Standard). The MW change occurs using pre-determined ramp capability limits.


CIP-002-4 Requirement R1 states “Critical Asset Identification — The Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the criteria contained in CIP-002-4 Attachment 1 – Critical Asset Criteria. The Responsible Entity shall review this list at least annually, and update it as necessary.” Attachment 1 starts with “The following are considered Critical Assets:” The combination of these two make the criteria in Attachment 1 part of the requirement. Any asset meeting any criterion in Attachment 1 must be listed as a Critical Asset.

At this time, the SDT is choosing not to add Transmission Facility, control center, and control system to the NERC Glossary. We feel defining these term under this proposed version of the Standard would have far-reaching impacts beyond the scope of CIP-002-4 to CIP-009-4. These terms are used in other approved NERC standards already in effect.


Item 1.11 – Criterion 1.11 is based on NUC-001-2 R9.2.2 “Identification of facilities, components, and configuration restrictions that are essential for meeting the NPIRs.” Since these facilities were deemed so important that a NERC standard was written and adopted to clarify the issue, the SDT determined that this was adequate justification to include them as Critical Assets.

Item 1.13 – This criterion has been changed to “System(s) or facilities that perform automatic load shedding, without human operator initiation, of 300 MW or more implementing Under Voltage Load Shedding (UVLS) or Under Frequency Load Shedding (UFLS) as required by the regional load shedding program.”

Item 1.14 – Based on industry comments received, criterion 1.14 has been reworded to “Each control center or backup control center used to perform the functional obligations of the Reliability Coordinator.” A new criterion 1.16 has been added which states “Each control center or backup control center used to perform the functional obligations of the Transmission Operator that includes control of at least one asset identified in criteria 1.2, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10, 1.11 or 1.12.” A new criterion 1.17 has been added which states ” Each control center or backup control center used to perform the functional obligations of the


November 30, 2010 115


Balancing Authority that includes at least one asset identified in criteria 1.1, 1.3, 1.4, or 1.13. Each control center or backup control center used to perform the functional obligations of the Balancing Authority for generation equal to or greater than an aggregate of 1500 MWs in a single Interconnection.”

Item 1.15 – This criterion has been changed to “Each control center or backup control center used to control generation at multiple plant locations, for any generation Facility or group of generation Facilities identified in criteria 1.1, 1.3, or 1.4. Each control center or backup control center used to control aggregate generation equal to or exceeding 1500 MWs in a single Interconnection.”. Criterion 1.14 does not include generation control centers and generation backup control centers


No We appreciate the efforts of the drafting team to identify in Att 1 those Assets that would be deemed Critical. There are a few areas for which we would like the SDT to reconsider:

1.3 Reliability Must-Run Generation - The language here appears to lack precision. For instance, a Transmission Planner may designate a particular generating plant to be required for reliability purposes during specific system conditions, such as above a certain demand level or path flow level. These sorts of occasional must-run situations should not be treated as Critical Generation. Critical should be reserved for instances where the reliability must-run condition is prescribed by the Planner on a perpetual basis.

1.4 The inclusion of “Each Blackstart Resource” identified in the TOP restoration plan may be overboard. In many instances, entities will include multiple options for blackstart resources in their restoration plans, and with this language, all of the blackstart resources that are even mentioned in one’s plan will be deemed Critical. Suggest changing this parameter to the “primary blackstart resource identified in the TOP restoration plan.” The point is that not every one of these blackstart resources should be deemed Critical.

1.7 We would like to see some discussion of the rationale for including 300kV and above stations with three or more connections. Consider the scenario where one or more of these “connections” is radial. Would this station really rise to the level of Critical in that case? We suggest raising the criterion to four or more non-radial connections.

1.15 Need some explicit criteria for what constitutes a “control center” vs a “control room” with respect to generating stations.



Item 1.4 – A Blackstart Resource is defined as “A generating unit(s) and its associated set of equipment which has the ability to be started without support from the System or is designed to remain energized without connection to the remainder of the System, with the ability to energize a bus, meeting the Transmission Operator’s restoration plan needs for real and reactive power capability, frequency and voltage control, and that has been included in the Transmission Operator’s restoration plan.” The SDT believes that these units must be classified as Critical Assets. It should be noted that not all blackstart generators are Blackstart


November 30, 2010 116


Resources.

Item 1.7 – The intent of Criterion 1.7 is to classify as a Critical Asset Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations. That includes upstream, downstream, networked, and radial. It should be noted that connections to generators or generation-only substations are not counted in this Criterion. The source to the radial substation may be considered a Critical Asset, but the radial substation would not be considered a Critical Asset since by definition it cannot be connected to three or more transmission substations. This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”

Item 1.15 – Thank you for your comment. This criterion has been changed to “Each control center or backup control center used to control generation at multiple plant locations, for any generation Facility or group of generation Facilities identified in criteria 1.1, 1.3, or 1.4. Each control center or backup control center used to control aggregate generation equal to or exceeding 1500 MWs in a single Interconnection.”

SDG&E Yes Comment on 1.3: Need to ensure PC or TP have notified Transmission Operator and Generator Owner. Suggested wording additions “... designates to the Transmission Operator and Generation Owner as ...”.

Comment on 1.4: As worded, the language will discourage a TOP from having additional backup Blackstart Resource. Suggested wording additions “Each primary Blackstart resource identified in the Transmission Operator’s restoration plan.”

Comment on 1.5: As worded, the language will discourage a TOP from having additional backup Blackstart Resource. Suggested wording addition “The Facilities comprising the Cranking Paths and initial switching requirements from the primary Blackstart Resource ...”

Comments on 1.14. Suggest rewording to avoid confusion at Control Centers. Change wording to “Each control center, backup control center, or other facility housing control systems used to perform....”



Item 1.4 – A Blackstart Resource is defined as “A generating unit(s) and its associated set of equipment which has the ability to be started without support from the System or is designed to remain energized without connection to the remainder of the System, with the ability to energize a bus, meeting the Transmission Operator’s restoration plan needs for real and reactive power capability, frequency and voltage control, and that has been included in the Transmission Operator’s restoration plan.” The SDT believes that these units must be classified as Critical Assets. It should be noted that not all blackstart generators are Blackstart Resources. No Transmission Operator is required to designate any “primary” Blackstart Resource. Therefore the language cannot be changed to your suggestion.

Item 1.5 – No Transmission Operator is required to designate any “primary” Blackstart Resource. Therefore the language cannot be changed to your suggestion.


November 30, 2010 117


This criterion has been reworded to “The Facilities comprising the Cranking Paths and meeting the initial switching requirements from the Blackstart Resource to the first interconnection point of the generation unit(s) to be started, or up to the point on the Cranking Path where two or more path options exist as identified in the Transmission Operator's restoration plan.”


Central Lincoln No 1.1 Central Lincoln supports the APPA Comments:APPA and others commented on the CIP-010-1 standard as having arbitrary bright lines for generating units and requested that these bright line numbers have justification or have them based on the Contingency Reserve of each Reserve Sharing Group region. APPA commends the SDT for their attempted to come to agreement on a nationwide bright line for generating units based on an operationally significant threshold. The use of an average of the Contingency Reserve numbers from all the regions bases the bright-line on what the regions consider operationally significant. We understand that NERC standards are a minimum requirement and regions can look at their own operating criteria and determine if they need additional protection at lower Megawatt bright-lines. APPA is concerned that the use of the “Real Power Capability of the preceding 12 months” would bring in unnecessary volatility to applicability of this standard to certain groups of generating units. To alleviate this volatility we suggest that generation owners should use the facility ratings which are calculated and communicated under FAC-009-1 R2.

1.2 Central Lincoln supports the APPA Comments:APPA does not have a comment on criteria 1.2 at this time.

1.3 Central Lincoln supports the APPA Comments:â€‚APPA commends the SDT on including the criteria in 1.3, which gives the PC and TP the ability to designate as critical any generating facilities for reliability purposes. This will cover critical units that are not captured within the bright line of criteria 1.1 without drawing in all units of a certain size that are not considered critical elsewhere on the system. APPA suggests that the designation of facilities be based on studies conducted under the TPL standards to justify the designation. Also, the use of NERC Glossary of term: “Adverse Reliability Impacts” will help clarify which units should be in this category.We are also concerned that the PC or TP will be looking at local vs. wide area reliability. There are some cases where the PC can designate Must Run units for temporary situations so this must be clarified within the criteria. APPA proposes the following rewording of criteria 1.3:”1.3 Each generation Facility that the Planning Coordinator or Transmission Planner designates as required to avoid BES Adverse Reliability Impacts for 1 year or longer.”


November 30, 2010 118


1.4 Central Lincoln supports the APPA Comments:APPA is concerned that designating all Blackstart Resources as critical will divert limited resources to protect blackstart facilities that are only used to restore localized load. We believe it is the intent of the drafting team to identify the truly critical blackstart units (taking from the CIP-010-1 draft; only high impact facilities). APPA understands that criteria 1.4 uniformly identify all Blackstart Resources listed in the Transmission Operator’s restoration plan as being Critical Assets with regards to the Bulk Electric System. Currently, many utilities include multiple Blackstart resources in the restoration plans provided to the Transmission Operator. Including numerous resources makes the plan much more robust and reliable as it provides additional well documented restoration options should unforeseen problems occur. As currently written, Item 1.4 inadvertently incentivizes utilities to remove blackstart resources from the restoration plan if these resources are not critical to an effective regional restoration plan, reducing the plan’s overall effectiveness. Therefore, we believe there should be a threshold for Blackstart Resources, similar to nearly all other elements being considered in Attachment 1. This would allow utilities the freedom to include numerous resources in the Transmission Operators restoration plan without being swept into being identified as a critical asset.To implement this approach, we believe it is imperative to consider the Blackstart Resource’s actual role in the restoration plan, not just its simple inclusion. For example, a 10 MW Blackstart Resource that directly supports restoration of a critical generating facility is much more important to the Bulk Electric System than a 10 MW Blackstart Resource that simply supplies local load during an outage. Therefore, APPA would propose judging the criticality of a Blackstart Resource by the relative importance of the generating unit(s) it directly supports.We would recommend rewording item 1.4 as follows, leveraging the existing language of criteria 1.15 and the capacity bright-line of criteria 1.13:1.4 Each Blackstart Resource identified in the Transmission Operator’s restoration plan, which meet either of the following criteria:1.4.1 Used to directly start generation identified as a Critical Asset in criteria 1.1 or 1.3, 1.4.2 Used to directly start generation greater than an aggregate of 300 MW.We believe this approach should provide a better measure of a Blackstart Resource’s potential impact on the Bulk Electric System, resulting in Critical Assets that adequately address system reliability in a practical manner. It also mitigates the likelihood that registered entities may decide to retire certain small blackstart units, thereby removing valuable but not critical blackstart resources from the Transmission Operator’s restoration plan. We further support inclusion of “ALL Blackstart Resources” only when this standard is revised to provide for a tiered (High, Medium and Low) categorization of Critical Assets, such as the SDT’s draft CIP-010-1 proposal.

1.5 Central Lincoln supports the APPA Comments:APPA commends the SDT on differentiating between a single Cranking Path as a critical facility and multiple Cranking Paths as having redundancy in the BES and thus being less critical. Having this criteria stated in 1.5 incentivizes the entity to build in redundancy in infrastructure to lower criticality of a single asset. This truly does reward infrastructure reliability through a standard. APPA does request clarification of criteria 1.5: Where does this point of multiple paths lay in the electrical system? Does this include only the Generator Step-up Transformer, or does it include the whole substation where multiple transmission paths depart to a single generator? Also, APPA suggests that the


November 30, 2010 119


SDT change “switching requirements” to “switching equipment.”


1.7 Central Lincoln supports the APPA Comments:APPA believes that criteria 1.7 should be reworded to "stations or substations" instead of just "stations" so that it is not implied that it only applies to power plants (stations).APPA also supports the MRO standard review team proposal to adopt a power flow based bright-line rather than whether the station is connected to three or more other stations:Under TPL-001, the Planning Coordinator or Transmission Planner already performs annual near-term power flow assessment and this particular assessment would be based on the forecasted peak conditions using Category A of Table 1 of the standard.Proposed rewording of criteria 1.7:1.7. Each Transmission Facility operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher where the TPL peak load studies of the Planning Coordinator or Transmission Planner identifies the sum of the incoming power flows or the sum of the outgoing power flows to exceed 1500 MW.

1.8 Central Lincoln supports the APPA Comments:APPA believes that criteria 1.8 should be reworded to "station or substation" instead of just "station" so that it is not implied that it only applies to power plants (station).

1.9 Central Lincoln supports the APPA Comments:APPA believes that criteria 1.9 should be reworded to "station or substation" instead of just "station" so that it is not implied that it only applies to power plants (station).



1.12 Central Lincoln supports the APPA Comments:APPA understands there are utilities within the NPCC region that have SPS type 3 systems that only protect local areas. We seek verification from the SDT that the SPS they refer to in criteria 1.12 is for wide area protection only.

1.13 Central Lincoln supports the APPA Comments:APPA believes the SDT’s change in wording of criteria 1.13 will inadvertently bring in all SCADA systems with the capability of shedding load even if such SCADA systems are in fact not planned or operated to perform load shedding. As written, this criteria designates as a critical asset various control systems that by themselves could not cause instability or uncontrolled separation of the BES.APPA offers the following alternatives for rewording 1.13:1.13 Common control system(s) configured to perform automatic load shedding of 300 MW or more within 15 minutes.APPA can accept the bright-line of 300 MW if the wording is changed to that stated above, but we still see this bright-line as an


November 30, 2010 120


arbitrary threshold based on a quantity that has no BES operational significance. Rather, 300 MW is a DOE threshold for electric event reporting.

1.14 Central Lincoln supports the APPA Comments:APPA is concerned that criteria 1.14 is overly broad because it includes all BA and TOP control centers regardless of size. We understand the critical nature of control centers and the need to protect against loss of control of major sections of the BES. However, we ask that the SDT revise this criteria to include a bright-line with similar impact as those in 1.1 and 1.15.APPA offers the following revised wording:1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator with a minimum of 1500 MW of resources under its control. APPA cannot support this standard revision without some form of bright line cutoff to exclude small BAs and TOPs that cannot cause instability or uncontrolled separation of the BES.However, we will support inclusion of “ALL BA and TOP control centers” only when this standard is revised to provide for a tiered (High, Medium and Low) categorization of Critical Assets, such as the SDT’s draft CIP-010-1 proposal.Additional Central Lincoln Comments: The terms “control center,” “control system,” “backup control center,” and “backup control system” all need to be clearly defined. While there is guidance on the subject, guidance cannot be audited to. Some of the guidance would suggest a cell phone capable of receiving text message alarms from two or more BES elements qualifies as a CCA and subject to CIP-003 through 009.

1.15 Central Lincoln supports the APPA Comments:In the NERC Draft CIP-002-4 webinar it was stated that a control center in criteria 1.15 is understood to be controlling multiple units. APPA recommends that the SDT clarify the wording in criteria 1.15 to coincide with this understanding: 1.15 Each control center or backup control center used to control multiple generation units identified as Critical Assets designated under criterion 1.3 or used to control generation greater than an aggregate of 1500 MWs in a single Interconnection.

1.16 Central Lincoln supports the APPA Comments:APPA believes that 1.16 should be removed from the Attachment 1 criteria. We expect that registered entities may voluntarily protect assets above and beyond the ones listed in these criteria. However, we just do not see the reliability benefit of imposing a compliance liability to those self identified critical assets. We feel that the NERC and Regional compliance staff will waste valuable time and resources evaluating entity compliance with cyber security controls for assets that are outside of the scope of this standard.


Item 1.1 – The SDT notes your concern that the use of the “Real Power Capability of the preceding 12 months” would bring in unnecessary volatility to applicability of this standard to certain groups of generating units. The drafting team used time and value parameters to ensure the bright-lines and the values used to measure against them were relatively stable over the review period. Hence, where multiple values of net Real Power capability could be used for the Facilities’ qualification against these bright-lines, the highest value was used. The 12 month time period was used so that seasonal ratings would not be an issue for generating plants


November 30, 2010 121


that operate near the 1500 MW bright line.




Item 1.7 – The SDT agrees to change “stations” to “stations or substations.” The SDT does not believe that power flow based bright-line criteria that is based on MW flows into or out of a substation would meet the objective of uniform application of Critical Asset identification across all entities. This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”

Item 1.8 – According to FAC-014-2 IROLs are established by Transmission Operators, Transmission Planners, and Planning Authorities. The Reliability Coordinator ensures that IROLs are established and are consistent with its methodology. The present wording is appropriate. The SDT agrees to change “stations” to “stations or substations.” This criterion has been changed to “Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”


Item 1.12 – Since this item only applies to SPSs that have IROLs associated with them, local area SPSs are not included. This criterion has been changed to “Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limit (IROL) violations for failure to operate as designed.”



November 30, 2010 122






Yes 1. A general comment is that there is no technical justification provided for the proposed criteria. The "Rationale and Implementation Reference Document" does not provide technical justification, but rather provides more of an opinion of the drafting team. To the extent possible, there should be technical justification for the proposed criteria that stakeholders can review.

2. NRECA is concerned that designating all Blackstart Resources as critical will divert limited resources to protect blackstart facilities that are only used to restore localized load. We believe it is the intent of the drafting team to identify the truly critical blackstart units (taking from the CIP-010-1 draft; only high impact facilities). NRECA understands that criteria 1.4 uniformly identify all Blackstart Resources listed in the Transmission Operator’s restoration plan as being Critical Assets with regards to the Bulk Electric System. Currently, many utilities include multiple Blackstart resources in the restoration plans provided to the Transmission Operator. Including numerous resources makes the plan much more robust and reliable as it provides additional well documented restoration options should unforeseen problems occur. As currently written, Item 1.4 inadvertently incentivizes utilities to remove blackstart resources from the restoration plan if these resources are not critical to an effective regional restoration plan, reducing the plan’s overall effectiveness. Therefore, we believe there should be a threshold for Blackstart Resources, similar to nearly all other elements being considered in Attachment 1. This would allow utilities the freedom to include numerous resources in the Transmission Operators restoration plan without being swept into being identified as a Critical Asset.To implement this approach, we believe it is imperative to consider the Blackstart Resource’s actual role in the restoration plan, not just its simple inclusion. For example, a 10 MW Blackstart Resource that directly supports restoration of a critical generating facility is much more important to the Bulk Electric System than a 10 MW Blackstart Resource that simply supplies local load during an outage. Therefore, NRECA would propose judging the criticality of a Blackstart Resource by the relative importance of the generating unit(s) it directly supports.

3. In item 1.7 the statement regarding "three or more other transmission stations" is confusing. A better


November 30, 2010 123


explanation is needed -- does this mean stations upstream, downstream, networked or radial?


5. In item 1.14 its states that all RC, BA and TOP control centers, etc., are Critical Assets. While NRECA agrees with this as it relates to RCs, we do not agree with this as it relates to all BAs and TOPs. In the draft CIP-010 there was high, medium and low criteria which in many instances appropriately matching CIP requirements to the level of risk certain assets potentially present to the BPS. NRECA strongly believes that the CIP-002-4 standard requirements for smaller BAs and TOPs should match the lower level of risk to BPS reliability that these smaller BAs and TOPs potentially present. Similar to the 1500MW size criteria that is included in item 1.15 for generator control centers, there should be size criteria for the smaller BAs and TOPs. The drafting team should modify item 1.14 to state that all control centers with a peak demand above 2000MW (same as medium criteria in draft CIP-010) shall be designated as a Critical Asset. This is the lowest NRECA could support and also recommend its members to support. We firmly believe that this would capture all of the control centers that truly have a material impact on the reliability of the BPS.





Item 1.7 – The intent of Criterion 1.7 is to classify as a Critical Asset Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations. That includes upstream, downstream, networked, and radial. It should be noted that connections to generators or generation-only substations are not counted in this Criterion. The source to the radial substation may be considered a Critical Asset, but the radial substation would not be considered a Critical Asset since by definition it cannot be connected to three or more transmission substations. This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other




November 30, 2010 124


transmission stations or substations.”

Item 1.14 – At this time, the SDT is choosing not to add control center to the NERC Glossary. We feel defining this term under this proposed version of the Standard would have far-reaching impacts beyond the scope of CIP-002-4 to CIP-009-4. This term is used in other approved NERC standards already in effect.



Tampa Electric No

MEAG Power Yes MEAG supports the APPA’s comments submitted to the NERC CIP standard drafting team.

Response: Thank you for your comments. Please refer to the response to APPA’s comments.

FirstEnergy Corp Yes Overall FE agrees with the fundamental concepts of the Attachment 1 Critical Asset Criteria. In our view, some of the criteria are vaguely written and subject to interpretation - specifically criteria 1.8 and 1.11 - and we offer suggestions for improving expectations and compliance certainty. Additionally, we suggest less substantive changes to criteria 1.5 and 1.14 for clarity and consistency.

1) Criterion 1.8 currently states “Transmission Facilities at a single station location that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).” Clarity needed: A.) It is not evident who is responsible for identifying the applicable transmission facilities covered by 1.8. B.) Item 1.8 should rely on review/analysis that is regularly performed by industry in meeting other NERC reliability standards. Item 1.8 should be based on IROL determinations made from planning horizon studies and information communicated to responsible entities via FAC-010/FAC-014.C.) A possible misinterpretation of Attachment 1, Item 1.8 is that it is intended to review a complete loss of substation. However the words say “Transmission Facilities at a single station location ...” not all transmission facilities at a single substation location. Based on the above items, FirstEnergy proposes the following for item 1.8:”1.8. Transmission Facilities designated by the Planning Coordinator or Transmission Planner that, if destroyed, degraded, misused or otherwise rendered unavailable, demonstrates


November 30, 2010 125


the need for an Interconnection Reliability Operating Limit (IROL).”The Planning Coordinator and Transmission Planner determine and communicate IROLs in the planning time horizon per NERC reliability standard FAC-014. The subject Transmission Facilities are the contingency Transmission Facilities communicated by the PC and TP per requirement R5 of FAC-014. The 1.8 criterion should not appear to require any new study or analysis by the TP or PC.

2) Criterion 1.11 currently states “Transmission Facilities identified as essential to meeting Nuclear Plant Interface Requirements” Clarity needed: The term “essential” is vague and open to interpretation. FE suggests that the SDT focus on Transmission Facilities identified in Nuclear Plant Interface Requirements identified as providing offsite power supply for nuclear plant safety requirements. We propose the following change for 1.11:”1.11 Transmission Facilities providing offsite power requirements as identified in the Nuclear Plant Interface Requirements.”

3) Criterion 1.5 currently states “The Facilities comprising the Cranking Paths and initial switching requirements from the Blackstart Resource to the unit(s) to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where multiple path options exist.” FirstEnergy suggests replacing the word “multiple” with “two or more” for clarity.

4) Criterion 1.14 currently states “Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator.” FirstEnergy suggests removing the text “control system” and “or backup control system” for consistency to criteria 1.15. If the intent is to ensure coverage of offsite data centers or telecommunication centers that support the “control center” then the SDT should provide a separate criterion in Attachment 1. To extend coverage of 1.14 and not 1.15 is inconsistent and the use of the phrase “control system” is vague.


Item 1.8 – According to FAC-014-2, IROLs are established by Transmission Operators, Transmission Planners, and Planning Authorities. The Reliability Coordinator ensures that IROLs are established and are consistent with its methodology. This criterion has been changed to “Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”




November 30, 2010 126



Minnesota Power Yes Criterion 1.1: The phrase “single plant location” is undefined. It is unclear if this means at a single street address or within some number of miles.

Criterion 1.3: Criterion 1.3 should be modified to clarify that it is not meant to create the need for new or different planning models to be used by the Planning Coordinator or Transmission Planner. Rather, the verbiage should be clear that the Planning Coordinator or Transmission Planner has the opportunity to identify Generation Facilities that have been historically required to support the BES.

Criterion 1.10: The phrase “loss of the assets” in criterion 1.10 is vague, leaving open for interpretation to what level a “loss of the assets” might mean. Criterion 1.10 also specifies “Transmission Facilities providing the generation interconnection required to directly connect generator output to the transmission system...” where such assets are included in Criterion 1.1 or 1.3. In reality, there may be multiple paths from an aggregate station to the transmission system. To accommodate the above concerns, Minnesota Power suggests eliminating criterion 1.10 and modifying criterion 1.3 as follows: “1.3 Each generation Facility or Transmission Facility providing the generator interconnection that the Planning Coordinator or Transmission Planner has designated as required to avoid one or more reliability criteria violations.”

Criterion 1.8: The phrase “single station location” is undefined. It is unclear if this means at a single street address or within some number of miles. In addition, criterion 1.8 should be clear that it is not meant to require the Planning Coordinator or Transmission Planner to create new or different planning models. Rather, they should continue to use the legacy planning models as specified in FAC-010, FAC-011 and FAC-014. Minnesota Power recommends the following language for criterion 1.8, with further clarification of the term “single station location”.”1.8 Transmission Facilities at a single station location that the Planning Coordinator or Transmission Planner has designated that, if destroyed, degraded, misused or otherwise rendered unavailable, would result in one or more Interconnection Reliability Operating Limits (IROLs) violations.”

To maintain consistency with the suggested changes to criterion 1.8, Minnesota Power recommends changing criteria 1.9 and 1.12 as follows: “1.9 Flexible AC Transmission Systems (FACTS) at a single station location, that, if destroyed, degraded, misused or otherwise rendered unavailable, would result in one or more Interconnection Reliability Operating Limits (IROLs) violations.””1.12 Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection


November 30, 2010 127


Reliability Operating Limits (IROLs) violations for failure to operate as designed.”

Criterion 1.14: Minnesota Power recommends rewording criterion 1.14 as follows for consistency with criterion 1.15: “Each control center or backup control center used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator.”




Item 1.10 – The intent is to ensure the availability of Facilities necessary to support those generators classified as Critical Assets. Any Transmission Facility the loss of which would result in the loss of a Critical Asset identified in criterion 1.1 or 1.3 would need to be classified as a Critical Asset. This criterion has been changed to “Transmission Facilities providing the generation interconnection required to connect generator output to the transmission system that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets identified by any Generator Owner as a result of its application of Attachment 1, criterion 1.1 or 1.3.”







November 30, 2010 128


Manitoba Hydro Yes Comments:

Criterion 1.5: Suggest changing wording from “... and initial switching..” to “ ... which meet the initial switching ...”. It is unclear what “multiple path” means.

Criterion 1.13: Distribution Provider is not included in the Applicability section, and therefore 1.13 does not apply to Distribution control systems, including Distribution Control Centres. Please clarify what “automatic” means, whether operator initiated or not operator initiated. It is unclear if the 300MW is shed simultaneously or in blocks over time. The loss of generation or the loss of load are analogous in their reliability impact on the BES, thus criterion 1.13 using a 300 MW threshold seems inconsistent with criterion 1.1 using a 1500 MW threshold.





Yes ATC offers the following suggestions for Attachment 1:

1.1 Support EEI’s suggestion. The phrase “single plant location” is undefined. Suggest the term be defined by the SDT.

1.2 Similar to 1.1; define “single location”. Does this include reactive resources connected to the same kV class or across kV classes in a single substation?

1.3 Support EEI’s suggestion. Modify requirement to indicate the facilities that have been historically required to support the BES.

1.4 None

1.5 None

1.6 None

1.7 If the interconnection to another substation consists of a transformer to a lower kV class, does the language “interconnection at 300 kV” apply to the high side winding voltage of the transformer or the low side winding voltage of the transformer?


November 30, 2010 129


1.8 Support EEI’s suggestion. “...single station location” is undefined. Add clarity by indicating the Planning Coordinator and Transmission Planner determine and communicate IROL’s in the planning horizon per FAC-014. Also, recommend adding the word “All BES” before “Transmission Facilities” at the beginning of the sentence if this is the intent of the language to avoid ambiguity.

1.9 Support EEI’s minor word changes. Clarification should be made if this covers all FACTS devices in a substation even if they connect at different points or are at different kV levels.

1.10 Clarification should be made if this item covers only the Transmission Facilities defined as “Interconnection Facilities” in the Midwest ISO tariff or if more than that is covered. If clarification is not made, entities may misunderstand the terms used in this item.

1.11 Support EEI’s suggestion. Remove the ambiguous term “essential” and insert Transmission Facilities “providing offsite power requirements as identified in the” NPIR.

1.12 Support EEI’s suggestion. Revise wording so that SPS...that “would cause” one or more IROL “violations for failure to operate as designed.”

1.13 None

1.14 None

1.15 None

1.16 Support EEI’s suggestion. Insert “Any additional assets owned by the Responsible Entity.



Item 1.2 – Please see response to Item 1.1 for clarification on “single location.”


Item 1.7 – The “interconnection at 300 kV” would not apply to any substation connected at less than 300 kV. In addition, any lines leaving a substation at less than 300 kV would not be classified as a Critical Asset per criterion 1.7. In short, language applies to any transformer winding 300 kV or more. This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other



November 30, 2010 130


transmission stations or substations.”

Item 1.8 – Please see response to Item 1.1 for clarification on “single location.” FAC-014-2 requires all Reliability Coordinators and Planning Authorities to establish IROLs consistent with its SOL methodology. They are the only ones who can establish IROLs. This criterion has been changed to “Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”


Item 1.10 – Please refer to the NERC Glossary definitions of Transmission and Facility.




Ameren Yes We believe that impact on the BES should be evaluated for the Critical Asset using the performance requirement contained in the existing mandatory standards. This would provide consistency between CIP-002 and other standards. In this regard, we suggest that for the facilities identified in the bright line criteria, perform powerflow and stability simulations to assess the impact to the BPS of the outage of these facilities, similar to the tests performed for TPL-003 and 004. If there is an impact (that is not meeting the performance criteria), then the facility is to be considered as critical. If there is no such impact, then the facility is not be considered as critical. If there is a concern for a multi-prong attack, then similar reliability assessment should be performed for such scenarios. We offer some comments/suggestions and also have some questions to the bright line criteria (Attaachment 1):

The term “Facilities” should be changed to “substations and switchyards” throughout Attachment 1 as NERC glossary of terms include “lines” in the definition also. Is it SDT’s intention to include hundreds of miles of lines as critical asset? The term “single station location” and “single plant location” used throughout Attachment 1 need to be defined to avoid confusion whether a single location mean one building or several buildings or stations within a defined geographical boundary or a fenced area.

1.1 - Are there any reliability impact studies to support 1500 MW? We believe that several events larger than this number have occurred and the BES has performed as designed, without any loss of load, or significant


November 30, 2010 131


impact on reliability.

1.6 - We disagree that all transmission facilities operated at 500 kV or greater are “critical”. Again, system studies should be conducted to take into account the impact that the asset has on the reliable operation of the BES before determining that an asset is a Critical Asset.

1.7 - We disagree that all transmission facilities that are operated at 300 kV or above and are interconnected with three or more transmission substations are “critical. System studies should be conducted to take into account the impact that the asset has on the reliable operation of the BES before determining that an asset is a Critical Asset.

1.8 - Wording for this criterion should be changed to “Transmission substations and switchyards that the Planning Coordinator or Transmission Planner designates that, if destroyed, degraded, misused or otherwise rendered unavailable, demonstrates the need for an Interconnection Reliability Operating Limit (IROL). This change would make this criterion consist with FAC-010/FAC-014.1.12 - We believe that the criterion reads ok, but the rationale document for this criterion implies that purpose of SPS/RAS is to prevent disturbance that would result in excursion beyond IROLs. This may not be true in all cases.

1.13 - Wording for this criterion should be changed to “Common control system(s) capable of performing automatic load shedding of 300 MW or more with a single operation”.

1.15 - Same comments as for 1.1 above.

1.16 - Wording for this criterion should be changed to “Any additional assets owned by the Responsible Entity that the Responsible Entity deems appropriate to include.”


The scope of CIP-002-4 was to address the consistency issues with the Critical Asset identification method. The team deliberately limited the scope of changes in this interim standard to minimize the impact on the industry while addressing the identified consistency issues. The SDT does not feel that a power flow analysis (impact-based or risk-based) would lead to a consistent application of the criteria, due to the numerous factors which can impact substation power flows. Such a study would need to be rigorously defined for the industry.

A transmission Line can be considered a Critical Asset if it meets the criteria in Attachment 1. It would then be evaluated for possible Critical Cyber Assets, which would be afforded the cyber security protection outlined in CIP-003 to CIP-009. It is not the Critical Asset that falls under CIP-003 to CIP-009, but the Critical Cyber Asset.

The guidance document posted by the SDT provides direction on the location issue. The document is posted on the Project 2008-06 page at http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean.pdf . Single plant location refers to a group of generating units occupying a defined physical footprint and designated as an individual “plant” using commonly accepted generating facility terminology. Adjacent plants would be defined using the same criteria. The units do not necessarily have to be connected to the BES at the same substation or interconnection point in order to be considered a



November 30, 2010 132


single plant.


Items 1.6 and 1.7 – You propose to add the criteria that the Responsible Entity can determine through a risk based evaluation that destruction, degradation or unavailability of certain assets will have no impact outside the local area and will not cause BES instability, separation, or cascading outages. The SDT does not feel that a power flow analysis (impact-based or risk-based) would lead to a consistent application of the criteria, due to the numerous factors which can impact substation power flows. Such a study would need to be rigorously defined for the industry. We thank you for your proposal and will take it under consideration for future revisions. Criterion 1.7 has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”



Item 1.15 –In the development of this criterion, the drafting team used 1500 MW as a bright line for aggregate generation controlled based on the bright-line used in Part 1.1. The drafting team specified a single Interconnection because it is more likely that the span of control of the generation control center may cross multiple BA or RSG areas or even regions and Interconnections.


BGE Yes There is more clarity in the definition of Critical Asset through the 16 criteria.

Specific improvement items:- Clearly state in the Guidance Document the basis for each of the first 15 criteria (1.1 to 1.15), Responsible Entity should define 1.16. The acceptable methods of “deeming appropriate” should be described in the Guidance Document.

In 1.8, 1.9 and 1.12 define the IROLs as those determined in year-out planning studies

Criteria for common control system (1.13) based on system reliability, not a NERC reporting figure. This needs to be consistent with the criteria in 1.1 (1500 MW).

Clarification is required in the Guidance Document on the definition of “automatic load shedding”. Term clearly states "no human intervention".



November 30, 2010 133



Items 1.8, 1.9, and 1.12 – According to FAC-014-2 IROLs are established by Transmission Operators, Transmission Planners, and Planning Authorities. The Reliability Coordinator ensures that IROLs are established and are consistent with its methodology. They are the only ones who can establish IROLs. Criterion 1.8 has been changed to “Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.” Criterion 1.9 has been changed to “Flexible AC Transmission Systems (FACTS), at a single station or substation location, that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”



Yes 1.1 Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW.

BES Comments: BES commends the SDT for their attempt to come to agreement on a nationwide bright line for generating units based on an operationally significant threshold. However, we continues to have the comment FMPA submitted in CIP-010-1 standard as having arbitrary bright lines for generating units and requested that these bright line numbers have justification or have them based on the Contingency Reserve of each Reserve Sharing Group region. BES is concerned that the use of the “Real Power Capability of the preceding 12 months” would bring in unnecessary volatility to applicability of this standard to certain groups of generating units. To alleviate this volatility we suggest that generation owners should use the facility ratings which are calculated and communicated under FAC-009-1, R2.


BES Comments: BES believes that this “bright line” is arbitrary and instead suggests combining this with 1.9. There is no significant difference between the MVARs provided by FACTs devices and those provided by a power plant and it makes sense to treat them both in the same fashion.


BES Comments: BES commends the SDT on including the criteria in 1.3, which gives the PC and TP the ability to designate as critical any generating facilities for reliability purposes. This will cover critical units that are not captured within the bright line of criteria 1.1 without drawing in all units of a certain size that are not considered critical elsewhere on the system. We suggest that the designation of facilities be based on studies conducted under the TPL Standards to justify the designation. Also, the use of NERC Glossary of




November 30, 2010 134


term: “Adverse Reliability Impacts” will help clarify which units should be in this category.We are also concerned that the PC or TP will be looking at local vs. wide area reliability. There are some cases where the PC can designate "Must Run" units for temporary situations, so this must be clarified within the criteria. BES proposes the following rewording of criteria 1.3:”1.3 Each generation Facility that the Planning Coordinator or Transmission Planner designates as required to avoid BES Adverse Reliability Impacts for 1 year or longer.”


BES Comments: BES is concerned that designating all Blackstart Resources as critical will divert limited resources to protect blackstart facilities that are only used to restore localized load. We believe it is the intent of the drafting team to identify the truly critical blackstart units (taking from the CIP-010-1 draft; only high impact facilities). We understand that criteria 1.4 uniformly identify all Blackstart Resources listed in the Transmission Operator’s restoration plan as being Critical Assets with regards to the Bulk Electric System. Currently, many utilities include multiple Blackstart resources in the restoration plans provided to the Transmission Operator. Including numerous resources makes the plan much more robust and reliable as it provides additional well documented restoration options should unforeseen problems occur. As currently written, Item 1.4 inadvertently incentivizes utilities to remove blackstart resources from the restoration plan if these resources are not critical to an effective restoration plan, reducing the plan’s overall robustness. Therefore, we believe there should be a threshold for Blackstart Resources, similar to nearly all other elements being considered in Attachment 1. This would allow utilities the freedom to include numerous resources in the Transmission Operators restoration plan without being swept into being identified as a critical asset.To implement this approach, we believe it is imperative to consider the Blackstart Resource’s actual role in the restoration plan, not just its simple inclusion. For example, a 10 MW Blackstart Resource that directly supports restoration of a critical generating facility is much more important to the Bulk Electric System than a 10 MW Blackstart Resource that simply supplies local load during an outage. Therefore, we would propose judging the criticality of a Blackstart Resource by the relative importance of the generating unit(s) it directly supports.We would recommend rewording item 1.4 as follows, leveraging the existing language of criteria 1.15 and the capacity bright-line of criteria 1.13:1.4 Each Blackstart Resource identified in the Transmission Operator’s restoration plan, which meet either of the following criteria:1.4.1 Used to directly start generation identified as a Critical Asset in criteria 1.1 or 1.3, 1.4.2 Used to directly start generation greater than an aggregate of 300 MW. We believe this approach should provide a better measure of a Blackstart Resource’s potential impact on the Bulk Electric System, resulting in Critical Assets that adequately address system reliability in a practical manner. It also mitigates the likelihood that registered entities may decide to retire certain small blackstart units, thereby removing valuable but not critical blackstart resources from the Transmission Operator’s restoration plan.

SDT Proposed:1.5. The Facilities comprising the Cranking Paths and initial switching requirements from the Blackstart Resource to the unit(s) to be started, as identified in the Transmission Operator's restoration plan


November 30, 2010 135


up to the point on the Cranking Path where multiple path options exist.

BES Comments: BES commends the SDT on differentiating between a single Cranking Path as a critical facility and multiple Cranking Paths as having redundancy in the BES and thus being less critical. Having this criteria stated in 1.5 incentivizes the entity to build in redundancy in infrastructure to lower criticality of a single asset. This truly does reward infrastructure reliability through a standard. We suggest that the SDT change “switching requirements” to “switching equipment.”


BES Comments: BES believes that criteria 1.7 is rather arbitrary and suggests use of TPL-004-0 Category D testing and to combine 1.7 with 1.8. Does loss of a substation result in an IROL or Adverse Reliability Impacts? Doing so can also remove the voltage class limit. It is also unclear from the wording whether the entire substation is a Critical Asset, or whether each Facility connected to that substation is a Critical Asset. We suggest the entire substation. It is also unclear for substations that have two voltage levels (e.g., a 345 kV to 115 kV substation), whether the entire substation should be considered, or just one voltage level. We suggest one voltage level as discussed in the existing TPL-004 standard.


BES Comments: BES believes that criteria 1.8 should be reworded to "station or substation" instead of just "station" so that it is not implied that it only applies to power plants (station). Also the use of term Adverse Reliability Impact would be beneficial. Proposed rewording of criteria 1.8:1.8. Transmission Facilities at a single station or substation that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs) or can cause an Adverse Reliability Impact as a result of extreme contingency loss of substation testing as part of the TPL standards or as determined by the Reliability Coordinator.


BES Comments: BES believes that criteria 1.9 should be reworded to "station or substation" instead of just "station" so that it is not implied that it only applies to power plants (station). Also the use of term Adverse Reliability Impact would be beneficial.

SDT Proposed:1.12. Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered


November 30, 2010 136


unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).

BES Comments: BES believes that adding the phrase “or can cause an Adverse Reliability Impact” would be beneficial.


BES Comments: BES believes that the 300 MW is arbitrary and seems based more on reporting requirements than on true reliability impacts. Also, it should not matter whether loss of load is caused by an “automatic” system or not. In addition, the power system is more resilient to loss of load than loss of generation; hence, by using the same threshold as is used in 1.1, we are actually being quite conservative. BES offers the following alternatives for rewording 1.13:1.13 Common control system(s) that can result in a loss of load equal to or greater than the reserve sharing requirements of the Reserve Sharing Group within 15 minutes.


BES Comments: BES is concerned that criteria 1.14 is overly broad because it includes all BA and TOP control centers regardless of size. We understand the critical nature of control centers and the need to protect against loss of control of major sections of the BES. However, we ask that the SDT revise this criteria to include a bright-line with similar impact as those in 1.1 and 1.15.BES offers the following revised wording:1.14. Each control center, control system, backup control center, or backup control system that can:1.14.1 Cause a loss of generation or load greater than the reserve sharing requirements of the Reserve Sharing Group1.14.2 That if manipulated, can cause an Adverse Reliability Impact as determined through planning studies. BES cannot support this standard revision without some form of bright line cutoff to exclude small BAs and TOPs that cannot cause instability, cascading or uncontrolled separation of the BES.


BES Comments: With the proposed revision to 1.14, this 1.15 would no longer be required.


BES Comments: BES believes that 1.16 should be removed from the Attachment 1 criteria. We expect that registered entities may voluntarily protect assets above and beyond the ones listed in these criteria. However, we just do not see the reliability benefit of imposing a compliance liability to those self identified critical assets.


November 30, 2010 137


We feel that the NERC and Regional compliance staff will waste valuable time and resources evaluating entity compliance with cyber security controls for assets that are outside of the scope of this standard.



Item 1.2 – The value of 1000 MVARs used in this criterion is a value deemed reasonable for the purpose of determining criticality. FACTS devices in 1.9 are specifically related to IROLs, whereas the reactive resources in 1.2 are not limited to IROL applications.




Item 1.7 – The SDT agrees to change “stations” to “stations or substations.” The SDT does not believe that power flow based bright-line criteria (i.e. using TPL-004-0) would meet the objective of uniform application of Critical Asset identification across all entities. The term Transmission Facilities can be applied to either the entire substation or each Facility or group of Facilities connected to that substation, as determined by the entity. This would allow an entity which has multiple voltage levels at a single substation to either declare the entire substation as a Critical Asset or only the portion of the substation that qualifies under criterion 1.7. This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”

Item 1.8 –The SDT agrees to change “stations” to “stations or substations.” This criterion has been changed to “Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”

Item 1.9 - The SDT agrees to change “stations” to “stations or substations.” This criterion has been changed to “Flexible AC Transmission Systems (FACTS), at a single station or substation location, that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of


November 30, 2010 138


Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”

Item 1.12 – By limiting the scope of Criterion 1.12 to IROLs, Adverse Reliability Impacts are covered as well. This criterion has been changed to “Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limit (IROL) violations for failure to operate as designed.”





We Energies Yes We suggest that the functional entities Planning Coordinator and Transmission planner be added to the applicability section.

Feedback on specific criteria as follows:

1.1, We request clarification on the phrase “single plant location”. This phrase is not defined and it is not clear what level of proximity of generators would be considered a “single plant location”. Rather than discuss this in terms of geography (location), we feel it would be better to discuss in terms of “Each group of generating units (including nuclear generation), operated using common cyber control systems other than the Control Centers identified in 1.14 and 1.15, with an aggregate...”.

1.3, We suggest the wording: “Each generation facility designated by the Planning Coordinator or Transmission Planner as required to avoid one or more reliability criteria violations”.

1.4, The blackstart units deemed critical should be only those identified by the Transmission Operator to meet the minimum critical blackstart requirement. The resulting suggested wording would be: “Each Blackstart Resource identified in the Transmission Operator’s restoration plan required to meet the minimum critical blackstart requirement”.

1.8, We suggest the wording: “Transmission Facilities at a single location that the Planning Coordinator or


November 30, 2010 139


Transmission planner has designated that, if destroyed, degraded, misused or otherwise rendered unavailable, would result in one or more Interconnection Reliability Operating Limit (IROL) violations”.

1.9, We suggest similar wording: “...unavailable, would result in one or more Interconnection Reliability Operating Limit (IROL) violations”.

1.11, We suggest the following wording: “Transmission Facilities providing offsite power requirements as identified in the Nuclear Plant Interface Requirements”.

1.12, We suggest the following wording: “...unavailable, would cause one or more Interconnection Reliability Operating Limit (IROL) violations for failure to operate as designed”.

1.14, We suggest this be made consistent with 1.15, i.e. “Each control center, or backup control center, used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator”.

1.16, We suggest the following wording: “Any additional assets owned by the Responsible Entity that the Responsible Entity deems appropriate to include”.


Since there is no Requirement that applies to the Planning Coordinator or the Transmission Planner, it is not appropriate to include them in the Applicability section.




Item 1.8 – According to FAC-014-2 IROLs are established by Transmission Operators, Transmission Planners, and Planning Authorities. The Reliability Coordinator ensures that IROLs are established and are consistent with its methodology. This criterion has been changed to “Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of



November 30, 2010 140


Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”






City Utilities of Springfield, MO Yes SPRM agrees with the comments by the APPA Task Force, incorporated herein by reference. SPRM has additional specific comments as noted below.

1.1. Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW. SPRM agrees with the comments from the APPA Task Force.

1.2. Each reactive resource or group of resources at a single location (excluding generation Facilities) having aggregate net Reactive Power nameplate rating of 1000 MVARs or greater. SPRM does not have a comment on criteria 1.2 at this time.

1.3. Each generation Facility that the Planning Coordinator or Transmission Planner designates as required for reliability purposes. SPRM agrees with the comments from the APPA Task Force and will add an additional request for the drafting team to consider using this criterion to identify critical transmission. SPRM proposes the following rewording of criteria 1.3:1.3 Each transmission or generation Facility that the Planning Coordinator or Transmission Planner designates as required to avoid BES Adverse Reliability Impacts for 1 year or longer.

1.4. Each Blackstart Resource identified in the Transmission Operator's restoration plan. SPRM generally


November 30, 2010 141


agrees with the comments from the APPA Task Force. However, SPRM proposes the following exception to the APPA rewording of criteria 1.4:1.4 Each Blackstart Resource identified in the Transmission Operator’s restoration plan used to directly start generation identified as a Critical Asset in criteria 1.1 or 1.3.

1.5. The Facilities comprising the Cranking Paths and initial switching requirements from the Blackstart Resource to the unit(s) to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where multiple path options exist. SPRM agrees with the comments from the APPA Task Force and additionally will suggest the following rewording of criteria 1.5:1.5. The Facilities comprising the Cranking Paths and initial switching equipment from the Blackstart Resource identified in 1.4. to the unit(s) to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where multiple path options exist.

1.6. Transmission Facilities operated at 500 kV or higher. SPRM would like to recommend that the drafting team verify that all transmission operated at 500 kV or higher is truly critical. Otherwise, SPRM will suggest that our proposed changes in criteria 1.3.would identify all transmission, regardless of voltage, that is critical to the reliable operation of the Bulk Electric System.

1.7. Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations. SPRM generally agrees with the comments from the APPA Task Force and additionally would like to recommend that the drafting team verify that all transmission identified in this criteria is truly critical. Otherwise, SPRM will suggest that our proposed changes in criteria 1.3 would identify all transmission, regardless of voltage or interconnections, that is critical to the reliable operation of the Bulk Electric System.

1.8. Transmission Facilities at a single station location that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).SPRM agrees with the comments from the APPA Task Force.

1.9. Flexible AC Transmission Systems (FACTS) at a single station location, that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs). SPRM agrees with the comments from the APPA Task Force.

1.10. Transmission Facilities providing the generation interconnection required to directly connect generator output to the transmission system that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets described in Attachment 1, criterion 1.1 or 1.3. SPRM would like the drafting team to clarify if the “Transmission Facilities” is the line connecting the generator to the bus in the substation, or is it the whole substation where the generator is connected?

1.11. Transmission Facilities identified as essential to meeting Nuclear Plant Interface Requirements. SPRM would like to recommend that the drafting team verify that all transmission identified in this criteria is truly


November 30, 2010 142


critical. Otherwise, SPRM will suggest that our proposed changes in criteria 1.3. would identify all transmission, regardless of voltage or interconnection, that is critical to the reliable operation of the Bulk Electric System.

1.12. Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs). SPRM agrees with the comments from the APPA Task Force.

1.13. Common control system(s) capable of performing automatic load shedding of 300 MW or more within 15 minutes. SPRM agrees with the comments from the APPA Task Force.

1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator. SPRM agrees with the comments from the APPA Task Force.

1.15. Each control center or backup control center used to control generation identified as a Critical Asset, or used to control generation greater than an aggregate of 1500 MWs in a single Interconnection. SPRM agrees with the comments from the APPA Task Force.

1.16. Any additional assets that the Responsible Entity deems appropriate to include. SPRM agrees with the comments from the APPA Task Force.

Response: Thank you for your comments. Please refer to the response to APPA’s comments.




Item 1.5 – This criterion has been reworded to “The Facilities comprising the Cranking Paths and meeting the initial switching requirements from the Blackstart


November 30, 2010 143


Resource to the first interconnection point of the generation unit(s) to be started, or up to the point on the Cranking Path where two or more path options exist as identified in the Transmission Operator's restoration plan.”

Item 1.6 –The drafting team felt that Facilities operated at 500 kV or higher did not require any further qualification for their role as components of the backbone on the Interconnected BES.

Item 1.7 – This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”

Item 1.10 – The intent is to ensure the availability of Facilities necessary to support those generation Critical Assets. Any Transmission Facility the loss of which would result in the loss of a Critical Asset identified in criterion 1.1 or 1.3 would need to be classified as a Critical Asset. That might include a substation or the line connecting the generator to the bus in the substation. This criterion has been changed to “Transmission Facilities providing the generation interconnection required to connect generator output to the transmission system that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets identified by any Generator Owner as a result of its application of Attachment 1, criterion 1.1 or 1.3.”

Item 1.11 – This is defined in NUC-001-2 Requirement 9.2.2 “Identification of facilities, components, and configuration restrictions that are essential for meeting the NPIRs.”

National Grid Yes National Grid proposes to include the class of assets - generation, transmission, and control centers against each criterion in attachment 1. This will help entities to clearly identify which requirements fall under different classes of assets. For example - 1.5 The Facilities comprising the Cranking Paths and initial switching requirements from the Blackstart Resource to the unit(s) to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where multiple path options exist. (Generation, transmission)

Response: Thank you for your comments. The Applicability section of the standard specifies what NERC Registered Entities the standard applies to. All Requirements apply to all Entities listed in the Applicability section.

Lincoln Electric System Yes LES supports the comments submitted by the MRO NERC Standards Review Subcommittee (MRO NSRS).

Response: Thank you for your comments. Please refer to the response to MRO NERC Standards Review Subcommittee comments.


Yes Black start overall is not well understood. Black start should be defined as starting the entity’s generation resources to the point that load can be served (not to be confused with bringing on load to balance generation during the black start sequencing). This is often more than starting the first “black start” combustion turbine unit to start a thermal unit. Unless that black start unit has sufficient capacity to start individually every other generation resource in the entity’s footprint that is not self-starting, additional generation is required even if not specifically identified as a black start resource in the entity’s restoration plan.


November 30, 2010 144


Consider declaring DC Tie substations as Critical Assets.

Automated load shedding systems capable of shedding 300 MW or more should be considered Critical Assets regardless of the time it takes for the system to shed the load. Defining a 15 minute window is unnecessary and could result in disagreement between the entity and the auditor over whether the impact could occur within the fifteen minute versus a longer period. Removing the 15 minute criteria resolves that potential ambiguity.

Additionally, please accept and consider the following comments that do not directly apply to any of the questions in the comment form. I have no other way to bring these comments to the drafting team's attention.

M1: Measure M1 should be modified to state “The Responsible Entity shall make available its approved list of Critical Assets as specified in Requirement R1.” (addition of the word "approved")

M2: Measure M2 should be modified to state “The Responsible Entity shall make available its approved list of Critical Cyber Assets as specified in Requirement R2.” (addition of the word "approved")

M3: Measure M3 states “The Responsible Entity shall make available its approval records of annual approvals as specified in Requirement R3.” This measure should be modified to state “The Responsible Entity shall make available its approval records as specified in Requirement R3.” (Removes expectation of annual-only approval and requires any modification to the CA or CCA list to be approved)

The Compliance Enforcement Authority obligations (Section D.1.1) fail to identify who is the Compliance Enforcement Authority for Responsible Entities that do perform delegated tasks for their Regional Entity.

The Responsible Entity data retention requirement (Section D.1.4.1) should be modified to require records to be kept since the effective date of the standard or the most recent scheduled audit of this version of the standard, whichever is a shorter period of time. This is in keeping with NERC Compliance Process Bulletin #2009-005 'Current In-Force Document Data Retention Requirements for Registered Entities'. A similar modification should be made to CIP-003-4 through CIP-009-4. (Entities are already expected to retain all evidence in support of the annual, or in the case of the CIP standards to date, semi-annual self certification, so this is not an undue burden. Retention of records with the exception of specific information with a prescribed shorter retention, such as logs, will allow the CEA to verify sustained compliance with the standards over the full audit period. And, in the case of the logs, the entity will need to maintain some sort of evidence that logs were retained for at least 90 days, although retention of the actual logs is not required.)


Item 1.4 – A Blackstart Resource is defined as “A generating unit(s) and its associated set of equipment which has the ability to be started without support from the System or is designed to remain energized without connection to the remainder of the System, with the ability to energize a bus, meeting the Transmission Operator’s restoration plan needs for real and reactive power capability, frequency and voltage control, and that has been included in the Transmission Operator’s


November 30, 2010 145


restoration plan.” The SDT believes that these units must be classified as Critical Assets. It should be noted that not all blackstart generators are Blackstart Resources.

Concerning DC Tie substations, we thank you for your proposal and will take it under consideration for future revisions.


M1 – There is no requirement in R1 to have the list approved

M2 – There is no requirement in R2 to have the list approved

M3 – Has been modified to “The Responsible Entity shall make available its records of approvals as specified in Requirement R3.”

CEA info – Thank you for your comment. The appropriate clarification has been made.

Data retention – Thank you for the comment. The scope of CIP-002-4 was to address the consistency issues with the Critical Asset identification method. The team deliberately limited the scope of changes in this interim standard to minimize the impact on the industry while addressing the identified consistency issues. The suggested changes to the data retention requirement will be made in a subsequent version of the CIP standards.

Indianapolis Power & Light Yes Regarding 1.13, “Common control system(s) capable of performing automatic load shedding of 300 MW or more within 15 minutes”. Our understanding of that criterion seemed clear until we read the rational and implementation reference document that states that “Control Systems that provide a “one-button push” capability of shedding 300 MW or more would also qualify as Critical Assets”. That reference adds manual actuation with automatic therefore allowing additional interpretation of the meaning of the criterion. We also suggest replacing “capable of” with “purposed and programmed for” performing automatic load shedding of 300 MW or more within 15 minutes.” A control system could be capable if programmed to do so but should not be included if that functionality is not its purpose.



Constellation Power Generation Yes Constellation Power Generation believes that in general, the criteria in Attachment #1 have drawn clear bright lines that will assist the industry in identifying critical assets. However, criterion 1.1, 1.5, and 1.11 need some further clarification and changes.

Criterion 1.1 attempts to identify generation assets larger than 1500 MW. Constellation Power Generation (CPG) requests further clarification as to what constitutes a “single plant location.” Would this include the aggregation of separated assets in separate structures with no shared resources other than being physically


November 30, 2010 146


located on a shared footprint? Constellation proposes the following changes to Criterion 1.1: Each group of generating units sharing a physical boundary with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW. CPG also seeks clarification regarding the technical justification of the 1500 MW threshold. The SDT released a guidance document which did not fully explain the derivation of 1500 MWs. If this bright line was the average of reserve sharing in each of the 8 regions, than the value should be 1700 MWs, not 1500 MWs. CPG requests that the SDT reach out to the technical teams that exist within each region to obtain the correct reserve sharing thresholds. This data should be published, preferably in the guidance, to technically justify the seemingly arbitrary MW threshold.

Criterion 1.5 attempts to identify cranking path equipment critical to a TOP’s restoration plan. CPG is concerned that this criterion could be interpreted to include transformers and breakers associated with “the unit(s) being started.” This implies that specific equipment at a generation asset may be critical while the asset itself may not be critical. This criterion would thus bring more equipment to scope that has little to no impact on the reliability of the BES. Constellation proposes the following changes to Criterion 1.5: 1.5. The Facilities comprising the Cranking Paths and initial switching requirements from the Blackstart Resource to the interconnection point of the generation asset to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where multiple path options exist.

In addition, Item 1.11 should be removed from Attachment 1. Assets should not be deemed critical simply because they are associated with a nuclear facility. NRC regulations govern the safety and security of nuclear power plants. Rather, critical assets should be defined based upon reliability related criteria, independent of fuel type.







November 30, 2010 147


Item 1.11 – Criterion 1.11 is based on NUC-001-2 R9.2.2 “Identification of facilities, components, and configuration restrictions that are essential for meeting the NPIRs.” Since these facilities were deemed so important that a NERC standard was written and adopted to clarify the issue, the SDT determined that this was adequate justification to include them as Critical Assets.


Yes We do not agree with criteria 1.6 and 1.7 as written since some of the facilities identified as Critical Assets by applying them may have no impact on the BES. We therefore believe the list of relevant transmission facilities developed by the Responsible Entity, should be subject to an impact-based assessment by the Reliability Coordinator who has the wide-area view of the system. If necessary, an additional requirement that requires the RC to have a risk-based assessment methodology and to conduct the assessment should be included. We therefore propose the following specific wording:

1.6 Transmission facilities operated at 500 kV or higher, unless the annual review performed by the Reliability Coordinator (new requirement) demonstrates that destruction, degradation or unavailability of those assets will have no impact outside the local area and will not cause BES instability, separation, or cascading outages.

1.7 Transmission facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations, unless the annual review performed by the Reliability Coordinator (new requirement) demonstrates that destruction, degradation or unavailability of those assets will have no impact outside the local area and will not cause BES instability, separation, or cascading outages.


Items 1.6 and 1.7 – You propose to add the criteria that the RC can determine through a risk based evaluation that destruction, degradation or unavailability of certain assets will have no impact outside the local area and will not cause BES instability, separation, or cascading outages. The inclusion of a risk-based evaluation by any entity would not meet the objective of uniform application of Critical Asset identification across all entities. Criterion 1.7 has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”

American Electric Power (AEP) No AEP would contend that there are regional differences that would be relevant to determine a MW threshold for each responsible entity. We support the concept that was contained in the last draft that made the determination based on the capacity reserves. However, the prior language would need to be revisited to ensure that the value was fixed for a period of time.

When do newly identified items in item 1.3. become in scope? During the annual review or does another review need to be done between annual reviews. Since many PA and TP are also Reliability Coordinators, Section 1.3 should be modified to contain “...required for long-term reliability purposes in the planning horizon.” This should not include temporary seasonal reliability needs within the current year. Need a


November 30, 2010 148


requirement for the TP and PA to perform the analysis and have process for posting.

Section 1.13 should be explicitly focused on BES elements and exclude distribution feeder interruptions. Would this include large industrial customers that can interrupt their loads?

Net real power capability testing is defined in MOD-024 standards that have yet to be FERC approved. Furthermore, not all of the regions have defined the parameters for the capability testing. What would be the basis for defining the parameters for net real power capability determination? It is unclear in section 1.1 if what constitutes “single plant location.” Is the physical location important or is it units that have common systems that could disrupt multiple units? AEP contents that it would not be logical to base the requirement on geographic address, but other factors such as voltage it is connect and the relationship of the units at the plant.



Item 1.3 – Newly identified Critical Assets come into scope at the time they are designated by the Planning Coordinator or Transmission Planner. Any associated newly identified Critical Cyber Assets would follow the “Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities.” This criterion has been reworded to “Each generation Facility that the Planning Coordinator or Transmission Planner designates and informs the Generator Owner or Generator Operator as necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon.”


Item 1.1 – CIP-002-4 does not require net real power capability testing.


Orlando Utilities Commission Yes SDT Proposed: 1.1 Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or



November 30, 2010 149


exceeding 1500 MW.

OUC Comments: OUC believes that any system that has the ability to shed sufficient generation to cause system frequency to decline to the point of under-frequency relay protection tripping must be protected. OUC urges the drafting team to consider this aspect and re-design this requirement appropriately. This could probably be drafted as: “Any group of generating units at a single plant location that consist of more than 5% of the generation within a Balancing Authority”

SDT Proposed: 1.2. Each reactive resource or group of resources at a single location (excluding generation Facilities) having aggregate net Reactive Power nameplate rating of 1000 MVARs or greater.

OUC Comments: 1000MVAR is an arbitrary bright line suggest changing criteria to "Any reactive resource identified as a remedy, mitigation or strategy within a long range plan to address either real-time or contingency events. - or- Any reactive resource that if lost or destroyed while in service would result in a voltage change of more than 5% or a change in transmission loading that would result in an overload of a transmission element of more than 125%

SDT Proposed: 1.4. Each Blackstart Resource identified in the Transmission Operator's restoration plan. 1.5. The Facilities comprising the Cranking Paths and initial switching requirements from the Blackstart Resource to the unit(s) to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where multiple path options exist.

OUC Comments: Combine 1.4 and 1.5 path into single criteria to prevent expected interpretations and entity miss-understandings. In order to clearly identify "what’s in and what’s out" re-write the criteria as: "All facilities identified within a Transmission Operators restoration plan, required to establish a least one synchronized tie with a neighbor" The simplicity of this re-write is that it truly meets the requirements of rebuilding the BPS after an event.

SDT Proposed: 1.7. Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations.

OUC Comments: OUC believes that criteria 1.7 should be reworded to "stations or substations" instead of just "stations" so that it is not implied that it only applies to power plants (stations).

SDT Proposed: 1.8. Transmission Facilities at a single station location that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).

OUC Comments: OUC believes that criteria 1.8 should be reworded to "station or substation" instead of just "station" so that it is not implied that it only applies to power plants (station).

SDT Proposed: 1.9. Flexible AC Transmission Systems (FACTS) at a single station location, that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection


November 30, 2010 150


Reliability Operating Limits (IROLs).


SDT Proposed: 1.13. Common control system(s) capable of performing automatic load shedding of 300 MW or more within 15 minutes.

OUC Comments: OUC believes that any system that has the ability to shed sufficient load to cause frequency to increase to the point of over-frequency protection tripping must be protected, this includes system traditionally know as manual load shedding. OUC urges the drafting team to consider this aspect when re-designing this requirement. This could probably be drafted as: “Any system that can be configured to automatically drop 5% of load within a Balancing Authority based on either an automatic or manual initialization”

SDT Proposed: 1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator.

OUC Comments: OUC understands the inter-connectedness of control centers and the risk even a small control center could pose to larger control centers, however this is the reason that strong security controls must exist for control centers that meeting the bright line criteria. However OUC is concerned that criteria 1.14 is overly broad because it includes all BA and TOP control centers regardless of size. We understand the critical nature of control centers and the need to protect against loss of control of major sections of the BES. However, we ask that the SDT revise this criteria to include a bright-line with similar impact as those in 1.1 and 1.15. OUC offers the following revised wording: 1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator with a minimum of 1500 MW of resources under its control.

SDT Proposed: 1.16. Any additional assets that the Responsible Entity deems appropriate to include.

OUC Comments: OUC believes that 1.16 should be removed from the Attachment 1 criteria. We expect that registered entities may voluntarily protect assets above and beyond the ones listed in these criteria. However, we just do not see the reliability benefit of imposing a compliance liability to those self identified critical assets. We feel that the NERC and Regional compliance staff will waste valuable time and resources evaluating entity compliance with cyber security controls for assets that are outside of the scope of this standard.

Orlando Utilities Commission Yes Question 2 Comments:


November 30, 2010 151


SDT Proposed: 1.1 Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW.

OUC Comments: OUC believes that any system that has the ability to shed sufficient generation to cause system frequency to decline to the point of under-frequency relay protection tripping must be protected. OUC urges the drafting team to consider this aspect and re-design this requirement appropriately. This could probably be drafted as: ”Any group of generating units at a single plant location that consist of more than 5% of the generation within a Balancing Authority”

SDT Proposed: 1.2. Each reactive resource or group of resources at a single location (excluding generation Facilities) having aggregate net Reactive Power nameplate rating of 1000 MVARs or greater.


SDT Proposed: 1.4. Each Blackstart Resource identified in the Transmission Operator's restoration plan. 1.5. The Facilities comprising the Cranking Paths and initial switching requirements from the Blackstart Resource to the unit(s) to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where multiple path options exist.

OUC Comments: Combine 1.4 and 1.5 path into single criteria to prevent expected interpretations and entity miss-understandings. In order to clearly identify "what’s in and what’s out" re-write the criteria as: "All facilities identified within a Transmission Operators restoration plan, required to establish a least one synchronized tie with a neighbor" The simplicity of this re-write is that it truly meets the requirements of rebuilding the BPS after an event.

SDT Proposed: 1.7. Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations.


SDT Proposed: 1.8. Transmission Facilities at a single station location that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).



November 30, 2010 152


SDT Proposed: 1.9. Flexible AC Transmission Systems (FACTS) at a single station location, that, if destroyed, degraded, misused or otherwise rendered unavailable, violate one or more Interconnection Reliability Operating Limits (IROLs).


SDT Proposed: 1.13. Common control system(s) capable of performing automatic load shedding of 300 MW or more within 15 minutes.

OUC Comments: OUC believes that any system that has the ability to shed sufficient load to cause frequency to increase to the point of over-frequency protection tripping must be protected, this includes system traditionally know as manual load shedding. OUC urges the drafting team to consider this aspect when re-designing this requirement. This could probably be drafted as: ”Any system that can be configured to automatically drop 5% of load within a Balancing Authority based on either an automatic or manual initialization”

SDT Proposed: 1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator.

OUC Comments: OUC understands the inter-connectedness of control centers and the risk even a small control center could pose to larger control centers, however this is the reason that strong security controls must exist for control centers that meeting the bright line criteria. However OUC is concerned that criteria 1.14 is overly broad because it includes all BA and TOP control centers regardless of size. We understand the critical nature of control centers and the need to protect against loss of control of major sections of the BES. However, we ask that the SDT revise this criteria to include a bright-line with similar impact as those in 1.1 and 1.15. OUC offers the following revised wording: 1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator with a minimum of 1500 MW of resources under its control.

SDT Proposed: 1.16. Any additional assets that the Responsible Entity deems appropriate to include.



November 30, 2010 153


Orlando Utilities Commission Yes SDT Proposed:1.1 Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW.

OUC Comments:OUC believes that any system that has the ability to shed sufficient generation to cause system frequency to decline to the point of under-frequency relay protection tripping must be protected. OUC urges the drafting team to consider this aspect and re-design this requirement appropriately. This could probably be drafted as:”Any group of generating units at a single plant location that consist of more than 5% of the generation within a Balancing Authority”



SDT Proposed:1.4. Each Blackstart Resource identified in the Transmission Operator's restoration plan. 1.5. The Facilities comprising the Cranking Paths and initial switching requirements from the Blackstart Resource to the unit(s) to be started, as identified in the Transmission Operator's restoration plan up to the point on the Cranking Path where multiple path options exist.

OUC Comments:Combine 1.4 and 1.5 path into single criteria to prevent expected interpretations and entity miss-understandings. In order to clearly identify "what’s in and what’s out" re-write the criteria as: "All facilities identified within a Transmission Operators restoration plan, required to establish a least one synchronized tie with a neighbor" The simplicity of this re-write is that it truly meets the requirements of rebuilding the BPS after an event.




OUC Comments: OUC believes that criteria 1.8 should be reworded to "station or substation" instead of just


November 30, 2010 154


"station" so that it is not implied that it only applies to power plants (station).




OUC Comments: OUC believes that any system that has the ability to shed sufficient load to cause frequency to increase to the point of over-frequency protection tripping must be protected, this includes system traditionally know as manual load shedding. OUC urges the drafting team to consider this aspect when re-designing this requirement. This could probably be drafted as:”Any system that can be configured to automatically drop 5% of load within a Balancing Authority based on either an automatic or manual initialization”


OUC Comments: OUC understands the inter-connectedness of control centers and the risk even a small control center could pose to larger control centers, however this is the reason that strong security controls must exist for control centers that meeting the bright line criteria. However OUC is concerned that criteria 1.14 is overly broad because it includes all BA and TOP control centers regardless of size. We understand the critical nature of control centers and the need to protect against loss of control of major sections of the BES. However, we ask that the SDT revise this criteria to include a bright-line with similar impact as those in 1.1 and 1.15.OUC offers the following revised wording:1.14. Each control center, control system, backup control center, or backup control system used to perform the functional obligations of the Reliability Coordinator, Balancing Authority, or Transmission Operator with a minimum of 1500 MW of resources under its control.




November 30, 2010 155




Item 1.2 – The value of 1000 MVARs used in this criterion is a value deemed reasonable for the purpose of determining criticality. The SDT does not feel that a power flow analysis (impact-based or risk-based) would lead to a consistent application of the criteria, due to the numerous factors which can impact substation power flows. Such a study would need to be rigorously defined for the industry.

Items 1.4 and 1.5 – NERC standard EOP-005-2 requires the Transmission Operator to have a Restoration Plan and to list its Blackstart Resources in its plan as well as requirements to test these Resources. NERC standard EOP-005-2 R1.5 requires the Transmission Operator to identify Cranking Paths and initial switching requirements between each Blackstart Resource and the unit(s) to be started. The Facilities identified in compliance with this standard would be the Facilities classified as Critical Assets for Criteria 1.4 and 1.5. Criterion 1.5 has been reworded to “The Facilities comprising the Cranking Paths and meeting the initial switching requirements from the Blackstart Resource to the first interconnection point of the generation unit(s) to be started, or up to the point on the Cranking Path where two or more path options exist as identified in the Transmission Operator's restoration plan.”

Item 1.7 – The SDT agrees to change “stations” to “stations or substations.” This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”

Item 1.8 –The SDT agrees to change “stations” to “stations or substations.” This criterion has been changed to “Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”






November 30, 2010 156


Oglethorpe Power Corporation Yes In general the criteria are very clear and concise and do not require additional explanations. It may however be appropriate, possibly in a separate document to provide some background on how these criteria were arrived at - especially criteria 1.1, 1.2 1.7, 1.13, and 1.15 which rely on seemingly arbitrary limits to determine the inclusion or exclusion of Assets. Additionally, some examples for criterion 1.16 may be a good idea.

Response: Thank you for your comments. Please refer to the draft guidance document posted on the Project 2008-06 page http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean.pdf

Brazos Electric Power Cooperative, Inc.

Yes In criterion 1.2 the use of the term "nameplate rating" should be replaced with "capability" and add "in the preceeding 12 months" at the end similar to criterion in 1.1.

The use of the term "misused" in criterion 1.8, 1.9, 1.10 and 1.12 should be dropped as it leads to interpretation problems and doesn't improve reliability posture.


Item 1.2 – The nameplate value is used here because there is no NERC requirement to verify actual capability of these Facilities.

The term “misused” is in the criteria in response to FERC Order 706.

Midwest ISO No Criteria 1.8, 1.9, and 1.12 should be modified because loss of facilities does not cause an IROL violation. An IROL includes a limit and a time constant Tv. In order for an IROL violation to occur, the limit must be exceeded for at least the time constant Tv. Tv is usually 30 minutes. Thus, when we consider the impact on the loss of facilities on an IROL, an operator will have enough time to adjust the system to prevent an IROL violation.

For 1.8, the criterion should be modified to reflect that the facilities that comprise an IROL should be considered critical. The drafting team may also wish to consider loss of any facilities that set up the need for the IROL or cause the actual limit to change.

For criterion 1.9, it is not clear why FACTs devices need to be singled out. Are they not covered in criterion 1.8 under Transmission Facilities? Inclusion of 1.9 is redundant and just causes confusion because it causes the reader to infer that the drafting team intended for them to be treated differently when in fact the criterion is the same as 1.8.

For criterion 1.12, it would be more appropriate to assess the impact of an SPS, RAS, or automated switching system on the IROL. If loss of the SPS, RAS, or automated switching system causes an IROL to decrease, then the SPS, RAS, or automated switching system should be considered critical. Contrary to the companion



November 30, 2010 157


draft guidance document statement in the second paragraph on page 11, most SPS, RAS and automated switching systems are not used to prevent disturbances that would result in IROLs. In fact, some regions consider generation runback schemes to be an SPS even when it is used to simply resolve a generation outlet issue for loss of a line out of a plant. This is a common and economically effective way to avoid the expense of building more transmission lines. This paragraph from the draft guidance document should be removed.

In the first bulleted paragraph on page 7 of the companion draft guidance document, the paragraph appears to conclude that a substation is a Facility. We disagree that it is facility. Because a facility is defined as a set of equipment that operates as a single BES Element and Element is further defined as “Any electrical device with terminals that may be connected to other electrical devices such as a generator, transformer, circuit breaker, bus section, or transmission line.” We believe facilities terminate in substations (i.e transmission line) or are wholly contained in a substation (i.e. transformer); however, we don’t believe that a substation would fit the definition of facility as a result because it is not an electrical device with its own terminals that are connected to other electrical devices. The draft guidance document needs to be modified to reflect this.

In the last paragraph on page 10 of the generation section draft guidance document, there is a discussion of Cranking Paths. Shouldn’t this be moved to the transmission section?



Item 1.9 – FACTS devices were singled out to ensure that there was no confusion as to whether or not they were considered Critical Assets.


In the first bulleted paragraph on page 7 of the companion draft guidance document (posted on the Project 2008-06 page at http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean.pdf ), the following is stated: “For example, for Transmission assets, the substation may be designated as the group of Facilities.”

Since the Cranking Path may contain both generation and Transmission Facilities, it is appropriate to discuss in both sections.

Duke Energy Yes 1.1 - Consistent with Criteria 1.8 and 1.9, this criterion should be conditioned by adding the phrase “unless planning studies are available to demonstrate that the loss of generation does not cause violation of one or more Interconnection Reliability Operating Limits (IROLs).” Related to the generation loss impact on Interconnection frequency and resource adequacy, Duke Energy disagrees with the arbitrary selection of the



November 30, 2010 158


generation loss MW amount for the following reasons: a) System inertia and frequency response factor into potential impact a generation loss could have on Interconnection frequency, and are different for each Interconnection. A 1,500 MW loss in the Eastern Interconnection is much less significant in terms of the initial frequency deviation than a similar loss within any other Interconnection. b) The limit fails to recognize the options available to the Balancing Authority to restore its balance within the existing criteria of the NERC reliability standards. For example, recovery from the loss of 1,500 MW within a 5,000 MW Balancing Authority may be quite different than recovery from a 1,500 MW loss within a 135,000 MW Balancing Authority in the Eastern Interconnection. PJM alone is about twice the size of ERCOT.

1.2 - We believe that 1000 MVAR may too large, and should be reduced to 500 MVAR. However criterion 1.2 could just be deleted, since any significant reactive resources would be picked up under criterion 1.8

1.3 - “Generation designated as required for reliability purposes” doesn’t seem to be a very “bright line”. We believe this criterion should be further clarified by including language from the “Rationale and Implementation Reference Document”.

1.4 - Need to clarify that this criterion only includes the primary Blackstart Resources. Entities may include various alternative resources in their restoration plans which aren’t Critical Assets, but which may not be clearly distinguished from the primary Blackstart Resources in the restoration plan. Add the phrase “that the entity intends to rely on for system restoration”.

1.5 - The CIPDT is looking to the industry to define Critical Assets based on NERC definitions that are somewhat ambiguous and can be redefined by Standard Drafting Teams any time a group of standards is proposed. This could lead to Critical Assets being removed or added without proper analysis being performed on the impact to the system. Also, the definition of Cranking Path could be debated that it could be from a generating source that provides electricity to a larger resource during restoration. This source could be a small diesel that is sitting next to a large generator that provides the electricity to lift pumps, exciter field, or some other device that provides the means for a larger generator to become a Blackstart Resource. Or it could be argued that the cranking path is from a Blackstart Resource to fossil plants on the system that are used to facilitate the restoration of the system. Duke Energy requests that the Drafting team rewrite this requirement so that it does not use this term. Duke Energy also believes that the CIPDT should get input from those that are familiar with Restoration by requesting input from the Emergency Operations Drafting Team. We propose rewriting 1.5 as follows: The Facilities comprising the current carrying path from the Blackstart Resource to the unit(s) to be started, as identified in the Transmission Operator’s restoration plan, up to the point where multiple path options exist.

1.8 & 1.9 - These two criteria need clarification. First, it should be made clear that this IROL evaluation is to be made in the planning timeframe, because the purpose is to identify Critical Cyber Assets that need to be protected, which is an activity that takes place in the planning timeframe. Also, including the word “destroyed” in the phrase “destroyed, degraded, misused or otherwise rendered unavailable” creates significant


November 30, 2010 159


uncertainty regarding what the IROL analysis is intended to encompass. Add the phrase “via cyber attack” after the word “unavailable”. This will clarify that the evaluation only encompasses destruction, degradation or misuse that can be achieved via cyber attack, and not a physical attack on the station. For example, physical attack could imply multiple transmission lines shorted to ground, which entails a much different analysis than transmission lines removed from service via cyber attack. NOTE: The physical security provided by the CIP standards is focused on protection of the Critical Cyber Assets, not the Critical Assets.

1.10 - As with our comment on 1.8 & 1.9 above, add the phrase “via cyber attack” after the word “unavailable”. We also have a concern that if an entity fails to identify a facility under 1.1 or 1.3, they will also be in violation for failing to identify the corresponding Transmission Facilities under 1.10 (i.e. the double jeopardy issue). Need to replace the phrase “described in” with the phrase “identified by an entity pursuant to”. Alternatively, 1.10 could be folded into 1.1 and 1.3 by adding the phrase “and Transmission Facilities providing the generation interconnection” to those criteria.

1.11 - Need to clarify that these Transmission Facilities are those that are specifically identified in the Nuclear Plant Interface Requirements (NPIRs) in the Agreement developed between the Nuclear Plant Generator Operator and applicable Transmission Entities pursuant to NUC-001-2. At the end of this criterion add the phrase “in the Agreement(s) required by NUC-001 R2.”

1.12 - As with our comment on 1.8 & 1.9 above, this criterion should be revised to clarify that this IROL evaluation is to be made in the planning timeframe, because the purpose is to identify Critical Cyber Assets that need to be protected, which is an activity that takes place in the planning timeframe. Also, the phrase “destroyed, degraded, misused or otherwise rendered unavailable” needs to be clarified by adding the phrase “via cyber attack” after the word “unavailable”.

1.13 - Load control programs shouldn’t be defined as Critical Assets but rather Critical Cyber Assets, since they are a function of the control center, which is already a Critical Asset. Replace the word “Common” with the phrase “Each control center or backup control center used to”. Also, clarify the meaning of “automatic” by inserting the parenthetical (without human intervention) after the word “automatic”.

1.14 - This criterion is far too broad because we don’t have an approved NERC definition of control room, control system, backup control room or backup control system. Many switchyards and substations have control systems that could be used to perform transmission functions, but that doesn’t mean that they are “Critical Assets”. Remove control system and backup control system from this criterion and limit it to identifying the control centers and backup control centers associated with the Critical Assets on the transmission system, just as criteria 1.15 links identification of the control center or backup control center to the generation asset. We propose rewriting 1.14 as follows: Each control center or backup control center associated with the Critical Assets on the transmission system.

1.16 - A “catch-all” criterion seems inappropriate in a “bright line” list. You can always go beyond the


November 30, 2010 160


requirements of a standard and do more than what’s required.


Item 1.1 - Prior drafts had wording about reserve sharing for the threshold. The SDT received feedback that that wording was confusing, that the amount referred to in the reserve sharing was not a specific amount, and that the amounts changed daily. The team conducted an informal survey of the regions, and identified what the megawatt value of the reserve sharing would be for various groups. The drafting team used 1500 MW as a number derived from the most significant Contingency Reserves operated in various BAs in all regions. The issue with using different MW values in each region is that it does not meet the objective of uniform application of Critical Asset identification across all entities.

Item 1.2 – The value of 1000 MVARs used in this criterion is a value deemed reasonable for the purpose of determining criticality.



Item 1.5 – NERC standard EOP-005-2 R1.5 “Identification of Cranking Paths and initial switching requirements between each Blackstart Resource and the unit(s) to be started” designates that Cranking Paths must be identified. This criterion has been reworded to “The Facilities comprising the Cranking Paths and meeting the initial switching requirements from the Blackstart Resource to the first interconnection point of the generation unit(s) to be started, or up to the point on the Cranking Path where two or more path options exist as identified in the Transmission Operator's restoration plan.”

Items 1.8 & 1.9 – Cyber analysis is contained in Requirement R2, not in the identification of Critical Assets. Criterion 1.8 has been changed to “Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.” Criterion 1.9 has been changed to “Flexible AC Transmission Systems (FACTS), at a single station or substation location, that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”

Item 1.10 – Cyber analysis is contained in Requirement R2, not in the identification of Critical Assets. There is no double jeopardy, since all of these criteria are contained in the same Requirement. This criterion has been changed to “Transmission Facilities providing the generation interconnection required to connect generator output to the transmission system that, if destroyed, degraded, misused, or otherwise rendered unavailable, would result in the loss of the assets identified by any Generator Owner as a result of its application of Attachment 1, criterion 1.1 or 1.3.”

Item 1.11 – The SDT does not believe that adding the phrase “in the Agreement(s) required by NUC-001 R2” provides any clarification, since the defined NERC term Nuclear Plant Interface Requirements is “The requirements based on NPLRs and Bulk Electric System requirements that have been mutually agreed to by


November 30, 2010 161


the Nuclear Plant Generator Operator and the applicable Transmission Entities.”

Item 1.12 – Cyber analysis is contained in Requirement R2, not in the identification of Critical Assets. This criterion has been changed to “Each Special Protection System (SPS), Remedial Action Scheme (RAS) or automated switching system that operates BES Elements that, if destroyed, degraded, misused or otherwise rendered unavailable, would cause one or more Interconnection Reliability Operating Limit (IROL) violations for failure to operate as designed.”





Yes 1. A general comment is that there is no technical justification provided for the proposed criteria. The "Rationale and Implementation Reference Document" does not provide technical justification, but rather provides more of an opinion of the drafting team. To the extent possible, there should be technical justification for the proposed criteria that stakeholders can review.

2. SEC is concerned that designating all Blackstart Resources as critical will divert limited resources to protect blackstart facilities that are only used to restore localized load. We believe it is the intent of the drafting team to identify the truly critical blackstart units (taking from the CIP-010-1 draft; only high impact facilities). SEC understands that criteria 1.4 uniformly identify all Blackstart Resources listed in the Transmission Operator’s restoration plan as being Critical Assets with regards to the Bulk Electric System. Currently, many utilities include multiple Blackstart resources in the restoration plans provided to the Transmission Operator. Including numerous resources makes the plan much more robust and reliable as it provides additional well documented restoration options should unforeseen problems occur. As currently written, Item 1.4 inadvertently incentivizes utilities to remove blackstart resources from the restoration plan if these resources are not critical to an effective regional restoration plan, reducing the plan’s overall effectiveness. Therefore, we believe there should be a threshold for Blackstart Resources, similar to nearly all other elements being considered in Attachment 1. This would allow utilities the freedom to include numerous resources in the Transmission Operators restoration plan without being swept into being identified as a Critical Asset.To implement this approach, we believe it is imperative to consider the Blackstart Resource’s actual role in the restoration plan, not just its simple inclusion. For example, a 10 MW Blackstart Resource that directly supports restoration of a critical generating facility is much more important to the Bulk Electric System than a


November 30, 2010 162


10 MW Blackstart Resource that simply supplies local load during an outage. Therefore, SEC would propose judging the criticality of a Blackstart Resource by the relative importance of the generating unit(s) it directly supports.



5. In item 1.14 its states that all RC, BA and TOP control centers, etc., are Critical Assets. While SEC agrees with this as it relates to RCs, we do not agree with this as it relates to all BAs and TOPs. In the draft CIP-010 there was high, medium and low criteria which in many instances appropriately matching CIP requirements to the level of risk certain assets potentially present to the BPS. SEC strongly believes that the CIP-002-4 standard requirements for smaller BAs and TOPs should match the lower level of risk to BPS reliability that these smaller BAs and TOPs potentially present. Similar to the 1500MW size criteria that is included in item 1.15 for generator control centers, there should be size criteria for the smaller BAs and TOPs. The drafting team should modify item 1.14 to state that all control centers with a peak demand above 2000MW (same as medium criteria in draft CIP-010) shall be designated as a Critical Asset. This is the lowest SEC could support and also recommend its members to support. We firmly believe that this would capture all of the control centers that truly have a material impact on the reliability of the BPS.








November 30, 2010 163


Item 1.7 – The intent of Criterion 1.7 is to classify as a Critical Asset Transmission Facilities operated at 300 kV or higher at stations interconnected at 300 kV or higher with three or more other transmission stations. That includes upstream, downstream, networked, and radial. It should be noted that connections to generators or generation-only substations are not counted in this Criterion. The source to the radial substation may be considered a Critical Asset, but the radial substation would not be considered a Critical Asset since by definition it cannot be connected to three or more transmission substations. This criterion has been reworded to “Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.”




Progress Energy Yes General Comments:The terms “degraded” and “misused” are subject to a wide range of interpretation, are not auditable and should not be used in bright line standards. Measurable values should be provided.

Criterion 1.1: What is meant by “at a single plant location” should be clarified. Generating units that constitute a plant should be defined based on electrical connection.

Criterion 1.5: Clarification is needed on what is included beyond blackstart generation units.

Criterion 1.8: This requirement should be set aside from this version of the standard and be re-introduced in the next version with appropriate measureable parameters for High, Medium and Low Impact BES facilities.

Criterion 1.9: Same comments as for Criterion 1.8.

Criterion 1.11: The criteria should be: The local nuclear plant switchyards, the transmission lines connected to these switchyards, and the first out substations on the other ends of these transmission lines. These are the transmission facilities essential to meeting the NPIRs.

Criterion 1.13: Distribution should be specifically excluded from this criterion because loss of distribution facilities does not affect the BES.


November 30, 2010 164



The terms “degraded” and “misused” are in the criteria in response to FERC Order 706.



Item 1.8 and Item 1.9 – Criteria 1.8 and 1.9 include those Transmission Facilities that would violate IROLs if they were rendered unavailable or degraded. By definition, IROLs are those operating limits that, if exceeded, would have a Wide Area reliability impact. Criterion 1.8 has been changed to “Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.” Criterion 1.9 has been changed to “Flexible AC Transmission Systems (FACTS), at a single station or substation location, that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.”

Item 1.11 – Criterion 1.11 is based on NUC-001-2 R9.2.2 “Identification of facilities, components, and configuration restrictions that are essential for meeting the NPIRs.”



Yes The NYISO request that the NERC Glossary include definitions for all terms especially in Attachment 1. Examples to add to the NERC Glossary or the standard would be to define: control center, control system, backup control center, and backup control system

Response: Thank you for your comments. At this time, the SDT is choosing not to add terms to the NERC Glossary. We feel defining these terms under this proposed version of the Standard would have far-reaching impacts beyond the scope of CIP-002-4 to CIP-009-4. These terms are used in other approved NERC standards already in effect.

Cowlitz County PUD Yes Further ‘red line’ criteria needs to be added to avoid inclusion of non-critical assets.



November 30, 2010 165



Kansas City Power & Light No Absent engineering analysis and study, this bright line proposal does not establish a sound basis for capturing the elements that should be included and those that should be excluded. Very concerned regarding the proposed criteria specified by criteria 1.4, 1.5, 1.13 and 1.14 as this criteria will identify assets as critical assets for smaller entities that have no regional reliability impact on the bulk electric system and will place an unnecessary compliance burden on them. These criteria need to either be considered for removal or modification such that an applicable application is achieved.


The SDT does not feel that engineering analysis (impact-based or risk-based) would lead to a consistent application of the criteria, due to the numerous factors which can impact the results of the analysis. Such studies would need to be rigorously defined for the industry. We thank you for your proposal and will take it under consideration for future revisions.


November 30, 2010 166

3.

Requirement R1 of draft CIP-002-4 states, “Critical Asset Identification — Each Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the criteria contained in CIP-002-4 Attachment 1 – Critical Asset Criteria. The Responsible Entity shall review this list at least annually, and update it as necessary.” Do you agree with the proposed Requirement R1? If not, please explain why and provide specific suggestions for improvement.

Summary Consideration: The majority of commenters that disagreed with Requirement R1 suggested changes to wording that is present in the existing CIP-002-3. The SDT responded that the scope of CIP-002-4 was to address the consistency issues with the Critical Asset identification method. The team deliberately limited the scope of changes in this interim standard to minimize the impact on the industry while addressing the identified consistency issues. The phraseology mentioned exists in the existing CIP-002-3 standard. The SDT expects the phraseology to be resolved in the next version. Others stated that their objection was with the wording in Attachment 1. The SDT directed them to the responses offered to their comments in question 2.



Disagree Request an explicit definition of “annual.” Because the “update as necessary” in R1 is not clear, the new assets effective date is in doubt. Should be it be part of “update as necessary” or part of the annual review? The standard clearly mentions the documentation required to comply with CIP-002-4. This includes - list of Critical Assets as specified in R1, list of Critical Cyber Assets as specified in R2, and approval records of annual approvals as specified in R3. However, in the Guidance document, Page 7, bullet point 2, second sentence, it states the following - “...Responsible Entity should document all criteria that qualify this asset as a Critical Asset...” The drafting team should clarify documentation requirements to avoid discrepancies. If it is expected that entities are to document, and retain documentation, of the criteria that supports the categorization of critical assets, this should be explicitly required by the standard. As the proposed standard is written, the only documentation registered entities must create and retain is the actual list of the assets.Agreement based on the assumption that the classifications in Attachment 1 are corrected.

Response: Thank you for your comments. The scope of CIP-002-4 was to address the consistency issues with the Critical Asset identification method. The team deliberately limited the scope of changes in this interim standard to minimize the impact on the industry while addressing the identified consistency issues. The phraseology you are concerned about exists in the existing CIP-002-3 standard. The SDT expects this phraseology to be resolved in the next version.

The standard specifies the requirements that the Responsible Entity must comply with. The reference document is intended to provide guidance and does not specify any requirement for compliance.

City of Garland Agree


November 30, 2010 167


NRG Energy Inc. Agree

APPA CIP-002-4 Task Force Agree


Agree The SRC agrees with the obligations prescribed by R1, subject to the SDT’s acceptance of the proposed revisions described in response to Question 1.


Bonneville Power Administration Agree We agree with the “at least annually” aspect of the requirement. Annual review seems appropriate if a utility has not had any major changes or expansion to their grid since their last Critical Asset determination.


PSEG Companies Agree

Pepco Holdings, Inc - Affiliates Agree Requirement 3 should be modified: References to risk-based assessment methodology should be removed.

Response: Thank you for your comments. This requirement will modified prior to the next ballot.


Agree We agree with the annual application of the criteria, however, we want to be clear that we do not agree with all of the criteria listed in Attachment 1. We have included suggested improvements to the criteria under question #2.For clarity, we suggest that the final sentence of this requirement be reworded as follows:”The Responsible Entity shall review this list at least annually, and update it as necessary based on the findings of this review.”


Santee Cooper Disagree We would agree with requirement R1 if Attachment 1 is refined to be more reasonable.


Dominion Agree


November 30, 2010 168



Agree

Florida Municipal Power Agency Disagree FMPA recommends avoiding the use of the term “Annual” due to the ambiguity of the term. Instead something like once a calendar year but no longer than 15 months may be more appropriate.


PNGC Power Disagree Please see criteria in answer to question #2. We do agree with annual review requirement.


WECC Agree

Southern Company Agree

Encari, LLC Disagree The Guidance document states a Critical Asset should be listed by only one Responsible Entity. We therefore question why Generator Operators and Transmission Operators are included as Responsible Entities subject to Requirement R1 of draft CIP-002-4

Response: Thank you for your comments. Generator Operators and Transmission Operators are listed as possible Responsible Entities to address cases where there may be a formal agreement for these Entity types to be responsible for compliance to the CIP requirements: In addition, control centers are typically owned by Generator Operators and Transmission Operators. We have modified the guidance document to reflect this.

Arizona Public Service Agree

Edison Electric Institute Agree


Agree None.


November 30, 2010 169


PacifiCorp Agree

OGE Agree

FMPA Disagree FMPA recommends avoiding the use of the term “Annual” due to the ambiguity of the term. Instead something like once a calendar year but no longer than 15 months may be more appropriate.

Response: Thank you for your comments. The scope of CIP-002-4 was to address the consistency issues with the Critical Asset identification method. The team deliberately limited the scope of changes in this interim standard to minimize the impact on the industry while addressing the identified consistency issues. The phraseology you are concerned about exists in the existing CIP-002-3 standard. The SDT expects this phraseology to be resolved in the next version

South Carolina Electric and Gas Agree


Agree

Central Lincoln Agree


Disagree The same question for this one. CIP-002-4 Attachment 1-1.1 what is the basis for the 1500 MW versus what used to be Output exceeds Reserve Sharing Group obligation or Output exceeds Contingency Reserve obligation

Response: Thank you for your comments. Please refer to the response to your comment in Question 2.

SPS Consulting Group Inc. Disagree While I agree with the development of a list and the annual application of the criteria, the "update as necessary" phrase is ambiguous. This is the kind of language that has led to multiple interpretation requests and should never be in a reliability standard requirement. Suggest deleting "and update it as necessary." Annual review should be sufficient to insure protection.


Tacoma Power Agree Tacoma Power agrees with the SDT using a defined list for identifying Critical Assets. However, Tacoma Power recommends that the SDT make the recommended changes noted in Question 2


November 30, 2010 170



Green Country Energy Agree

Illinois Municipal Electric Agency Agree

Minnkota Power Cooperative Agree

Horizon Wind Energy Agree Agree with the annual application of the criteria, but provided comments below on the actuall criteria used.Criteria 1.15 in attachments A includes generation control centers used to control generation greater than an aggregate of 1500 MWs in a single interconnection. It is true that the span of control of the generation control center may cross multiple BA or RSG areas. In the unlikely event of a common mode failure of such a generation control center that would lead to a loss of all generation, the loss of generation in the multiple BAs or RSGs could fall significantly below the criteria of the 1500 MWs threshold used in criteria 1.1 for generating units at a single plant location, therefore not affecting the reliability and operability of the BES system. There seems to be a disconnect in criteria 1.1 for generation and 1.15 for generation control centers, hence 1500 MWs in a single plant location vs. 1500 MWs aggregate in a single interconnection for generation control centers. Secondly, some generation control centers collect data from generators via SCADA for monitoring purposes and can manually send set points to lower generation if the need would arise. Does this type of arrangement fall under the description of control generation or was it the intent to include, in the description, generation that is controlled to maintain sufficient Contingency Reserve (BAL - 002) and Resource and Demand Balancing (BAL - 003)? Suggest adding language to 1.15 that is more in line with the criteria in 1.1 and clarifying what is meant by control generation.

Response: Thank you for your comments. Please refer to the response to your comment in Question 2.

Union Power Partners LP Agree With consideration of the responses to questions 1 & 2.


MidAmerican Energy Company Agree


Disagree Because NCEMC does not currently agree with all of the provisions in Attachment 1 - Critical Asset Criteria, we cannot at this time agree with this question.


November 30, 2010 171



Hydro One Networks Inc. Agree

Dynegy Inc. Agree

Matrikon Inc. Agree

Northeast Utilities Agree

CenterPoint Energy Agree CenterPoint Energy has no concerns with the verbiage in Requirement R1 but, as noted in our previous comments, CenterPoint Energy recommends deletion of proposed Criteria 1.11 in Attachment 1.


LCEC Agree Agree with the concept but not the criteria. See response to questions 1 & 2.


Xcel Energy

Great River Energy Disagree Does not allow for individual interpretation and application

Response: Thank you for your comments. The changes to CIP-002-4 specifically address issues of uniform application across all entities.

ITC Holdings Agree


Agree This is a reasonable expectation of Responsible Entities.


TransAlta


November 30, 2010 172


Exelon Disagree If as expected the NRC accepts the exception process proposed by NERC as part of resolving the Bright-Line Survey, regulation of BOP cyber assets will be by NRC. However, FERC Order 706B remains in force, resulting in the need for Nuclear GO/GOP entities to comply with CIP-002 and annually determine CAs, and then reiterate to NERC that all BOP cyber assets are regulated by NRC. Nuclear makes the comment that with NRC regulation of BOP cyber assets, the annual CIP-002-4 R1 CA determination is unnecessary and we recommend that Nuclear GO/GOP again be exempted from each of the NERC CIP Reliability Standards CIP-002 thru -009.

Response: Thank you for your comments. The proposed standards are drafted with the current regulatory regime in effect and cannot be drafted on any speculation on future outcomes in this area.

AECI Agree


Agree


Agree


Agree


Agree


Agree


Agree

KAMO Power Agree

United Illumiinating Agree


November 30, 2010 173



Agree


Agree

KAMO Electric Cooperative Agree


Agree


Agree


Agree


Agree

SDG&E Agree SDG&E generally agrees with R1 given the comments outlined in question #2 above are incorporated


Central Lincoln Disagree Central Lincoln believes that “annually” should be further clarified. It could be interpreted to either be once in a calendar year or once every twelve months. If the later is intended, suggest specifying a maximum interval to allow for review dates that could otherwise fall on weekends, holidays, or during emergencies. We suggest a maximum interval of 15 months. It remains unclear how assets that are newly discovered to be critical during these reviews are to be treated, as discussed below.


Northeast Missouri Electric Agree


November 30, 2010 174


Power Cooperative


Disagree Since NRECA disagrees with the current CIP-002-4 Attahcment 1 -- Critical Asset Criteria document, we could not select "Agree" here. If requested modifications are made to Attachment 1, then we could agree with R1.


Tampa Electric Agree

M&A Electric Power Cooperative Agree

MEAG Power Agree


Agree


Agree

FirstEnergy Corp Agree

Minnesota Power Agree

Manitoba Hydro Agree


Agree

Ameren Disagree We would agree to review the critical asset list as least annually but we do not agree with the bright line criteria in Attachment 1, see comments for question 2.

Response: Thank you for your comments. Please refer to response to comment in question 2.

BGE Agree Pending the suggested changes to the Attachment 1 and clarify wording as follows: “Critical Asset


November 30, 2010 175


Identification - Each Responsible Entity shall develop a list of its Critical Assets determined through an annual application of the criteria contained in CIP-002-4 Attachment 1 - Critical Asset Criteria. The Responsible Entity shall review its Assets at least annually by applying the criteria contained in CIP-002-4 Attachment 1 Critical Asset Criteria, and update the Critical Asset list as necessary.”

Response: Thank you for your comments. There is not a compelling reason offered to remove the word “identified” from R1. Additionally, the word is in the previous three versions.


Disagree We recommend avoiding the use of the term “Annual” due to the ambiguity of the term. Instead something like "Once a calendar year, but no longer than 15 months" may be more appropriate.


We Energies Agree

City Utilities of Springfield, MO Agree SPRM agrees with the proposed Requirement.


National Grid Agree The standard clearly mentions the documentation required to comply with CIP-002-4 which includes - list of Critical Assets as specified in R1, list of Critical Cyber Assets as specified in R2, and approval records of annual approvals as specified in R3. However, in the Guidance document, Page 7, bullet point 2, second sentence, it states the following - “...Responsible Entity should document all criteria that qualify this asset as a Critical Asset...” National Grid recommends that the drafting team clarifies the documentation requirements to avoid such discrepancies. If the standards drafting board expects entities to document, and retain documentation, of the criteria that supports the categorization of critical assets, this should be explicitly required by the standard. As the proposed standard is written, the only documentation registered entities must create and retain is the actual list of the assets.

Response: Thank you for your comments. The standard specifies the requirements that the Responsible Entity must comply with. The reference document is intended to provide guidance and does not specify any requirement for compliance.

Lincoln Electric System Agree LES supports the comments submitted by the MRO NERC Standards Review Subcommittee (MRO NSRS).


November 30, 2010 176




Disagree Clarify that the first application of the criteria contained in CIP-002-4 Attachment 1 - Critical Asset Criteria and the associated identification of Critical Assets must take place on or before the effective date of the approved standard. This affords the entity a minimum of six months to complete the required assessment. (The auditors will seek evidence based on this expectation, so placing it in the standard or accompanying guidance will remove any ambiguity such as that experienced with Version 1 of the standards)

Response: Thank you for your comments. The implementation plan (posted on the Project 2008-06 project page at http://www.nerc.com/docs/standards/sar/Project2008-06_Implementation_Plan_CIP_V4Standards.pdf ) specifies the proposed compliance schedule of the standards and requirements.

Indianapolis Power & Light Agree

Constellation Power Generation Agree


Disagree While we don’t disagree with Requirement R1 per se, we do have concerns about criteria 1.6 and 1.7. (See our response to Question 2 which includes a suggestion for a new requirement to be placed on the Reliability Coordinator.) Also, we do not agree with the removal from the Applicability Section, of the exclusion that applies to facilities regulated by the Canadian Nuclear Safety Commission. This explicit statement makes it clear that CIP standards do not apply to those facilities which would not be the case if it were removed.

Response: Thank you for your comments. The applicability section has been modified to address the current Canadian regulatory issue for nuclear facilities. Please see response to question 2.

American Electric Power (AEP) Agree AEP suggests that parts of requirement 3 could be added to requirements 1 and 2 and then Requirement 3 could be removed.

Response: Thank you for your comments. The scope of CIP-002-4 was to address the consistency issues with the Critical Asset identification method. The team deliberately limited the scope of changes in this interim standard to minimize the impact on the industry while addressing the identified consistency issues.

Orlando Utilities Commission Agree

Oglethorpe Power Corporation Disagree An annual review of the CA and CCA lists is consistent with previous versions of the standards and in general this is a reasonable time frame for verifying that unplanned changes or changes outside the immediate

http://www.nerc.com/docs/standards/sar/Project2008-06_Implementation_Plan_CIP_V4Standards.pdf�


November 30, 2010 177


visibility of a given Registered Entity have not affected the status of the CA and/or CCA lists. However as the implementation plan points out, there are many changes (both corporate and technical) which are planned and for which entities should not wait for an annual review to determine whether they affect the entities’ CA and CCA lists. The requirement should contain a reference to the implementation plan to ensure that such changes are made in a manner that maintains compliance throughout.



Disagree The proposed requirement needs to clarify what "update it as necessary" means.


Midwest ISO Agree

Duke Energy Disagree Requirement R1 is acceptable except for the issues we’ve identified with Attachment 1 in our response to Question #2 above.

Response: Thank you for your comments. Please refer to response to question 2.


Disagree Must disagree based prior comments and disagreement with Attachment 1

Response: Thank you for your comments. Please refer to response to question 2.

Progress Energy Disagree The term "annual" should be defined directly in the requirement. Alternatively, "annual application" could be replaced with "application of the criteria once every 12 months..." and "at least annually" could be replaced with "at least once every 12 months..." if that was the intention.

Response: Thank you for your comments. The scope of CIP-002-4 was to address the consistency issues with the Critical Asset identification method. The team deliberately limited the scope of changes in this interim standard to minimize the impact on the industry while addressing the identified consistency issues.


November 30, 2010 178


The phraseology you are concerned about exists in the existing CIP-002-3 standard. The SDT expects this phraseology to be resolved in the next version



Agree The NYISO requests that the SDT be specific with respect to annual. The drafting team should consider using the phrase once every calendar year, or once every 15 months.


Cowlitz County PUD Agree


Kansas City Power & Light Disagree Do not disagree with annual review and updates for determination and identification of critical assets. The current bright line proposal lacks engineering and reliability assessment basis and is arbitrarily chosen to achieve a predetermined number of critical assets that may appear as valid, but in fact, may be lacking or too strong.

Response: Thank you for your comments. Regarding the need for additional engineering studies, the SDT and volunteer industry participants have expended considerable effort to develop consistent Critical Asset Identification approaches. The team endeavored to include work already required by other standards, and provide some constraints for an entity’s assessment. These approaches, in their various iterations, have been presented to industry for review and comment. The industry provided significant feedback for the need to simplify the Critical Asset identification approach. The Attachment 1 criteria were under development for CIP-010 when the team was asked to use the criteria for the basis of a new CIP Version 4 set of standards. NERC issued a data request in August of 2010 to assist the SDT in developing a consistent approach to Critical Asset identification. The results of this request were used to assist the team in developing the criteria in Attachment 1.


November 30, 2010 179

4.

Requirement R2 of draft CIP-002-4 states, “Using the list of Critical Assets developed pursuant to Requirement R1, each Responsible Entity shall develop a list of associated Critical Cyber Assets performing a function essential to the operation of the Critical Asset. For each group of generating units (including nuclear generation) at a single plant location identified in Attachment 1, criterion 1.1, the only Cyber Assets that must be considered are those shared Cyber Assets that could adversely impact the reliable operation of any combination of units that in aggregate exceed Attachment 1, criterion 1.1 within 15 minutes. Each Responsible Entity shall review this list at least annually, and update it as necessary. For the purpose of Standard CIP-002-4, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics”. The requirement then lists characteristics using the same text that is contained in the existing CIP-002-3 R3. Do you agree with the proposed Requirement R2? If not, please explain why and provide specific suggestions for improvement.

Summary Consideration: Of commenters that disagreed with Requirement R2, the majority suggested changes to wording that is present in the existing CIP-002-3. The SDT responded that the scope of CIP-002-4 was to address the consistency issues with the Critical Asset identification method. The team deliberately limited the scope of changes in this interim standard to minimize the impact on the industry while addressing the identified consistency issues. The phraseology mentioned exists in the existing CIP-002-3 standard. The SDT expects the phraseology to be resolved in the next version. Some commenters had questions about the 15 minute qualifier. The SDT’s response is that this phrase is inserted to limit the scope to “real time” operations, which is not a NERC defined term. Several commenters had suggested wording to clarify the requirement. Based on the comments received, Requirement R2 has been reworded to:

R2. Critical Cyber Asset Identification — Using the list of Critical Assets developed pursuant to Requirement R1, the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. The Responsible Entity shall update this list as necessary, and review it at least annually.

For each group of generating units (including nuclear generation) at a single plant location identified in Attachment 1, criterion 1.1, the only Cyber Assets that must be considered are those shared Cyber Assets that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed Attachment 1, criterion 1.1.

For the purpose of Standard CIP-002-4, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:

• The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or, • The Cyber Asset uses a routable protocol within a control center; or, • The Cyber Asset is dial-up accessible.


November 30, 2010 180



Disagree In Attachment 1, Criterion 1.1, why is nuclear generation specifically mentioned? Does this have any implications for other fuel types? Refer to the response above for Question 3.

If the intent is for entities to retain documentation of the basis for categorization, this should be explicitly stated in the standard. Otherwise the only documentation retained may be the list of assets.

As noted in paragraph 236 of FERC Order 706, the proposed standard does not provide guidance on more accurate determination of critical cyber assets.

The language regarding generation units adds confusion to the requirement for entities that are not involved in generation. It should be moved elsewhere such as a footnote or end note.

The 15 minute criteria listed in R2 needs to be better described to avoid misinterpretation.

Response:

Thank you for your comments. The phrase concerning nuclear generation does not change the scope. It is there to add clarification.

Please see our response to Question 3. Please refer to the reference document (posted at http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean.pdf ) for guidance on documentation.

The scope of changes to this Standard only addresses the near-term issues associated with external oversight and review of the risk-based assessment methodology.

The language for generation units is necessary for determining the appropriate Critical Cyber Assets at generating plants and qualifies the immediately preceding requirement to identify Critical Cyber Assets.

The 15 minute threshold is intended to include only those assets at generating units affecting real-time operations. This qualifier is particularly important to a generating plant because several systems (i.e. a fuel-handling system) may be essential after a longer period of time but do not necessarily involve real-time reliability impacts.

City of Garland Agree

NRG Energy Inc. Disagree Need Clarification on routable path, discrete links and serial connections as it pertains to CIP-002-3 R3: Is a device considered to communicate outside the ESP using routable protocol if ANY portion of the communications path uses routable protocol?

Need clarification concerning shared assets. Does it mean shared between a single device or same device on a network? R2 states that only shared cyber assets for a group of generating units at a single location identified in Attachment 1 criteria 1.1, namely the 1500 MWs brightline, that could impact reliable operation should be considered. Does this cyber asset identification only include assets meeting criteria 1.1 and




November 30, 2010 181


therefore exclude any cyber assets utilized for reliable operation of a designated critical asset such as a single blackstart resource? Please provide clarification in this requirement.

Response:

Thank you for your comments. A response to the question regarding routable protocols depends on which part of the communication path you refer to. The guideline on identifying critical cyber assets provides an interpretation on various scenarios that might fit the case mentioned.

The requirement refers to shared cyber assets that can have a reliability impact on the group of generating units. This qualifier only includes Critical Assets identified in criterion 1.1.

APPA CIP-002-4 Task Force Agree


Disagree See comments to Question 1 above and proposed Attachment 1.


Bonneville Power Administration Disagree The requirement as written continues and does not solve the ambiguity with the current Critical Cyber Asset identification requirement. Specifically: “essential to the operation of the Critical Asset” needs to be defined; “adversely impact the reliable operation” needs to be defined; and, it is not clear what “within 15 minutes” means in this context. The intent of the Standards Drafting Team needs to be made clear.

Response:

Thank you for your comments.

The scope of changes to this Standard only addresses the near-term issues associated with external oversight and review of the risk-based assessment methodology. The subjectivity involved in the Critical Cyber Asset identification requirement will be addressed in future releases of these Standards. The 15 minute threshold is intended to include only those assets at generating units affecting real-time operations. This qualifier is particularly important to a generating plant because several systems (i.e. a fuel-handling system) may be essential after a longer period of time but do not necessarily involve real-time reliability impact.

PSEG Companies Agree

Pepco Holdings, Inc - Affiliates Agree

MRO's NERC Standards Review Agree For clarity, we suggest this requirement be reworded as follows:For each group of generating units (including nuclear generation) at a single plant location identified in Attachment 1, criterion 1.1, the only Cyber Assets


November 30, 2010 182


Subcommittee that must be considered are those shared Cyber Assets that could within 15 minutes adversely impact the reliable operation of any combination of units that in aggregate exceed Attachment 1, criterion 1.1.

Response: Thank you for your comments. Requirement R2 has been changed to reflect your suggested wording.

Santee Cooper Disagree We believe R2 is confusing as written, and detracts from the “bright line” concept. Specifically, the 15 minutes is confusing and is not explained well in the CIP-002-4 -Cyber Security- Critical Cyber Asset Identification Rationale and Implementation Reference Document. Perhaps the “within 15 minutes” could be reworded in this manner: Those shared assets which are inoperable for 15 minutes or more, which could cause loss of large generation amounts, will have to be considered. Those shared assets which are inoperable for 15 minutes or more, and could be restored within a reasonable amount of time, and do not cause loss of large generation amounts, would not have to be considered.

Response: Thank you for your comments. Requirement R2 has been changed to clarify the issues presented.

Dominion Disagree While Dominion agrees conceptually with the SDT, we believe that the language in R2 could be improved if the following revision was made; "Using the list of Critical Assets developed pursuant to Requirement R1, the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. For each group of generating units identified as critical pursuant to Attachment 1, criterion 1.1, the only Cyber Assets that must be considered are those shared Cyber Assets that could adversely impact the reliable operation of those units that in aggregate exceeds Attachment 1, criterion 1.1 within 15 minutes. The Responsible Entity shall review this list at least annually, and update it as necessary. For the purpose of Standard CIP-002-4, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:”Additionally Dominion would like clarification of the 15 minute criteria. Does it apply to all cyber assets or just to the criteria of 1.1 and 1.13?

Response: Thank you for your comments. Requirement R2 has been changed to clarify the issues presented. The 15 minute threshold is intended to include only those assets at generating units affecting real-time operations. This qualifier is particularly important to a generating plant because several systems (i.e. a fuel-handling system) may be essential after a longer period of time but do not necessarily involve real-time reliability impact.


Agree "... within 15 minutes." What exactly has to happen within 15 minutes?


The 15 minute threshold is intended to include only those assets at generating units affecting real-time operations. This qualifier is particularly important to a generating plant because several systems (i.e. a fuel-handling system) may be essential after a longer period of time but do not necessarily involve real-time


November 30, 2010 183


reliability impact.

Florida Municipal Power Agency Disagree FMPA believes that a similar “shared Cyber Assets” criterion needs to be applied at a substation for transmission Facilities emanating from that substation in a similar fashion as is described for power plants. For instance, if the entire substation is found to be a Critical Asset as a result of application of Attachment 1, a single microprocessor based relay isolated and only operating one non-critical transmission Facility should not be swept into the standards. Instead, only shared Cyber Assets controlling the entire critical substation should be a Critical Cyber Asset.

FMPA recommends avoiding the use of the term “Annual” due to the ambiguity of the term. Instead something like once a calendar year but no longer than 15 months may be more appropriate.

Response:


The term Transmission Facilities can be applied to either the entire substation or each Facility or group of Facilities connected to that substation, as determined by the entity. This would allow an entity which has multiple voltage levels at a single substation to either declare the entire substation as a Critical Asset or only the portion of the substation that qualifies under any particular criterion. The shared cyber asset qualifier only applies to criterion 1.1 because it refers to a group of generating units.

The phraseology you are concerned about (annual) exists in the existing CIP-002-3 standard. The SDT expects this phraseology to be resolved in the next version

PNGC Power

WECC The requirement as written does not resolve the ambiguity with the current Critical Cyber Asset identification requirement. Specifically: “essential to the operation of the Critical Asset” needs to be defined; “adversely impact the reliable operation” needs to be defined. It is also unclear what "adversly impact the reliabile operation of any combination of units within 15 minutes means. Is this intended to mean that anything that could adversly impact these same units in 20 minutes is not a threat or that it could be protected by operator intervention?

Response:


The scope of changes to this Standard only addresses the near-term issues associated with external oversight and review of the risk-based assessment methodology. The subjectivity involved in the Critical Cyber Asset identification requirement will be addressed in future releases of these Standards. The 15


November 30, 2010 184


minute threshold is intended to include only those assets at generating units affecting real-time operations. This qualifier is particularly important to a generating plant because several systems (i.e. a fuel-handling system) may be essential after a longer period of time but do not necessarily involve real-time reliability impact.

Southern Company Agree However, Southern recommends the following change, because this provision should not be limited to only criterion 1.1:”For each group of generating units (including nuclear generation) at a single plant location identified in Attachment 1,”. In addition, the SDT should remove all references to “risk-based assessment” in R3, as this is no longer a Requirement under CIP-002-4 (this term was only partially removed from the revised 10-20-10 version). Importantly, the SDT should also add a provision which specifically excludes any Cyber Assets regulated by Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission. There is currently no reference to this exclusion in CIP-002-4.

Response: Thank you for your comments. The shared cyber asset qualifier only applies to criterion 1.1 because it refers to a group of generating units. The glossary definition for Transmission Facilities allows flexibility for defining the Critical Asset as one that operates as a single BES Element, in which case the relay operating a non-critical Transmission Facility would not be a CCA. All references to “risk-based assessment” will be removed prior to the next ballot. The Applicability section has been revised to address nuclear plants.

Encari, LLC Agree

Arizona Public Service Agree

Edison Electric Institute Agree


Agree None.

PacifiCorp Agree

OGE Agree

FMPA Disagree FMPA believes that a similar “shared Cyber Assets” criterion needs to be applied at a substation for transmission Facilities emanating from that substation in a similar fashion as is described for power plants. For instance, if the entire substation is found to be a Critical Asset as a result of application of Attachment 1, a single microprocessor based relay isolated and only operating one non-critical transmission Facility should not be swept into the standards. Instead, only shared Cyber Assets controlling the entire critical substation should be a Critical Cyber Asset.FMPA recommends avoiding the use of the term “Annual” due to the ambiguity of the term. Instead something like once a calendar year but no longer than 15 months may be


November 30, 2010 185


more appropriate.

Response:



The phraseology you are concerned about (annual) is in the existing CIP-002-3 standard. The SDT expects this phraseology to be resolved in the next version.

South Carolina Electric and Gas Agree


Agree I agree with the first and third sentences as written. I think the language in the second sentence is unclear. I agree with what I think it is saying! For each group of generating units (including nuclear generation) at a single plant location identified in Attachment 1, criterion 1.1, the only Cyber Assets that must be considered are those shared Cyber Assets that could adversely impact the reliable operation of any combination of units that in aggregate exceed Attachment 1, criterion 1.1 within 15 minutes.


Central Lincoln Agree


Agree

SPS Consulting Group Inc. Disagree See previous Question 3 concern about "as necessary" language. Also, I do not understand the reference to "within 15 minutes" in this requirement. Within 15 minutes of what? Of discovering a cyber intrusion? Of the inception of an actual breach of electronic security? Of a SCADA or EMS system (for example) being taken over by a hacker? This reference to 15 minutes also implies a time-stamped piece of evidence that would be extremely difficult to audit. One should put on their auditor hat and imagine sitting down with a Registered Entity and trying to verify compliance with this requirement. We need to do a better job of drafting requirements that are clear and do not put the auditors in the position of making ad hoc interpretations in order to complete the audit.


November 30, 2010 186


Response:


The 15 minutes limiter refers to the reliability impact and not the inception of a breach. The 15 minute threshold is intended to include only those assets at generating units affecting real-time operations. This qualifier is particularly important to a generating plant because several systems (i.e. a fuel-handling system) may be essential after a longer period of time but do not necessarily involve real-time reliability impact. The SDT believes the Responsible Entity can provide evidence demonstrating how certain systems in a generating plant will not have a reliability impact within 15 minutes.

Tacoma Power Disagree Tacoma Power Commends the SDT for recognizing that not all cyber assets within a generation facility are necessarily critical. The wording of the requirement however creates ambiguities. Tacoma Power feels that the statement, “For each group of generating units (including nuclear generation) at a single plant location identified in Attachment 1, criterion 1.1, the only Cyber Assets that must be considered are those shared Cyber Assets that could adversely impact the reliable operation of any combination of units that in aggregate exceed Attachment 1, criterion 1.1 within 15 minutes, “needs clarification. Tacoma Power suggests that the statement read, “For each group of generating units (including nuclear generation) at a single plant location identified in Attachment 1, criterion 1.1, the only Cyber Assets that must be considered are those Cyber Assets networked to a system that could adversely impact the reliable operation of any combination of units that in aggregate exceed Attachment 1, criterion 1.1 within 15 minutes.”

Response:

Thank you for your comments. Requirement R2 has been changed to clarify the issues presented.

Green Country Energy Agree

Illinois Municipal Electric Agency Agree

Minnkota Power Cooperative Agree

Horizon Wind Energy Agree

Union Power Partners LP Disagree Would change the language to "those shared Cyber Assets accessible from outside malicious cyber intrusion that could adversely" in line 4.

Response:

Thank you for your comment. The susceptibility of a Cyber Asset to malicious cyber intrusion is dependent on several factors, many of which are dynamic or


November 30, 2010 187


unknown, including the configuration of the Cyber Asset, the capability of the malicious threat and internal access. The set of CIP cyber security standards (CIP-002 to CIP-009) is a holistic approach to cyber security protection that applies to both internal and external threats.

MidAmerican Energy Company Agree


Disagree Just as in question 3 NCEMC does not currently agree with all of the provisions in Attachment 1 - Critical Asset Criteria, we cannot at this time agree with this question.

Response:

Thank you for your comment. Please refer to response to question 3 and question 2.

Hydro One Networks Inc. Disagree

Dynegy Inc. Disagree For R2, it could be fine but needs further "specific" guidance on the Cyber Assets that could adversely.......impact....within 15 minutes". Suggest providing specific examples.

For R3, remove the comment related to risk-based assessment methodology from the draft Standard.

Response:

Thank you for your comment. Please refer to the guidance document posted at http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean.pdf .

References to the risk-based assessment will be removed prior to the next ballot.

Matrikon Inc. Disagree I believe the original intent, yet never clearly documented, is that the "tampering and misuse" of cyber assets is also criteria to determine the relationship between the Critical Asset and its Cyber Assets. Is tampering and misuse the intent of this requirement? If so, it must be specifically stated, including a definition and direct statements if Entities are expected to use this criterion for identification of CCAs.

Secondly, the 15 minute criterion is going to attract alot of attention and interpretation, further guidance is recommended in the form of scenarios, events and examples. Otherwise, inconsistency in interpretation across different regions, entities and their auditors will result.

Response:

The scope of changes to this Standard only addresses the near-term issues associated with external oversight and review of the risk-based assessment methodology. The subjectivity involved in the Critical Cyber Asset identification requirement will be addressed in future releases of these Standards. The 15




November 30, 2010 188


minute threshold is intended to include only those assets at generating units affecting real-time operations. This qualifier is particularly important to a generating plant because several systems (i.e. a fuel-handling system) may be essential after a longer period of time but do not necessarily involve real-time reliability impact.

This qualifier is particularly important to a generating plant because several systems (i.e. a fuel-handling system) may be essential after a longer period of time but do not necessarily involve reliability impacts.

The SDT believes the Responsible Entity can provide evidence demonstrating how certain systems in a generating plant will not have a reliability impact within 15 minutes.

Northeast Utilities Agree

CenterPoint Energy Agree

LCEC Disagree This section of R2 makes the requirement very confusing:

For each group of generating units (including nuclear generation) at a single plant location identified in Attachment 1, criterion 1.1, the only Cyber Assets that must be considered are those shared Cyber Assets that could adversely impact the reliable operation of any combination of units that in aggregate exceed Attachment 1, criterion 1.1 within 15 minutes. If this is intended to be further clarification for generating units only, there should be a paragraph for this alone. In addition, the basis for “within 15 minutes” is not defined and could lead to subjectivity in the interpretation of this requirement.

Response:

The 15 minute threshold is intended to include only those assets at generating units affecting real-time operations. This qualifier is particularly important to a generating plant because several systems (i.e. a fuel-handling system) may be essential after a longer period of time but do not necessarily involve real-time reliability impact. Please refer to the guidance document for the basis for the 15 minute limitation.

Xcel Energy

Great River Energy Agree

ITC Holdings Disagree New CIP-002-4 R2 Critical Cyber Asset Identification- The revisions made are introducing confusion while only identifying the inclusion of Cyber assets with delimited (arbitrarily) time for impact: “For each group of generating units (including nuclear generation) at a single plant location identified in Attachment 1, criterion 1.1, the only Cyber Assets that must be considered are those shared Cyber Assets that could adversely impact the reliable operation of any combination of units that in aggregate exceed Attachment 1, criterion 1.1 within 15 minutes.” Either a new qualification and characteristic of Critical Cyber Assets is created or the


November 30, 2010 189


existing characteristics shall be updated to explicitly address the type of Cyber Asset.

Response:

The 15 minute threshold is intended to include only those assets at generating units affecting real-time operations. This qualifier is particularly important to a generating plant because several systems (i.e. a fuel-handling system) may be essential after a longer period of time but do not necessarily involve real-time reliability impact.


Agree

TransAlta

Exelon Agree

AECI Agree


Agree


Agree


Agree


Agree


Agree


Agree


November 30, 2010 190


KAMO Power Agree

United Illumiinating Agree


Agree


Agree

KAMO Electric Cooperative Agree


Agree


Agree


Agree


Agree

SDG&E Disagree Neither the mapping document nor the draft language contain the phrase “...performing a function...”. That phrase has been added to this document and should be removed. The standard should focus on those cyber assets that are essential to the operation of the Critical Assets.

Response:

Thank you for your comment. The phrase “…performing a function…” does not exist in the posted Standard.

Central Lincoln Disagree Central Lincoln believes that “annually” should be further clarified. It could be interpreted to either be once in a calendar year or once every twelve months. If the later is intended, suggest specifying a maximum interval to allow for review dates that could otherwise fall on weekends, holidays, or during emergencies. We suggest a maximum interval of 15 months. It remains unclear how cyber assets that are newly discovered to be critical


November 30, 2010 191


during these reviews are to be treated, as discussed below.

Response:

The phraseology you are concerned about is in the existing CIP-002-3 standard. The SDT expects this phraseology to be resolved in the next version.


Agree


Tampa Electric Agree We agree with the proposed language, however if this version does not pass and changes need to be made, we would strongly recommend bright line criteria for Critical Cyber Assets and a CCA identification methodology. In the absence of such criteria and associated methodology we expect inconsistency across entities, and would recommend the language here be modified as follows: “the only Cyber Assets that must be considered are those shared Cyber Assets that could adversely impact the reliable operation of any combination of units via common mode failure that in aggregate exceeds Attachment 1, criterion 1.1 within 15 minutes.”

Response:

Thank you for your comments. The scope of CIP-002-4 was to address the consistency issues with the Critical Asset identification method. The team deliberately limited the scope of changes in this interim standard to minimize the impact on the industry while addressing the identified consistency issues.

M&A Electric Power Cooperative Agree

MEAG Power Agree


Agree


Agree


November 30, 2010 192


FirstEnergy Corp Agree

Minnesota Power Agree

Manitoba Hydro Disagree The term “this list” could be interpreted as referring only to the generation units in the previous sentence. Suggest changing to “the list of associated Critical Cyber Assets essential to the operation of the Critical Asset(s)”. The 15-minute “real-time” criterion should be applied to all Critical Cyber Assets, not just generation cyber assets.

Response:

Thank you for your comments. Requirement R2 has been changed to clarify the issues presented.



Agree

Ameren Disagree The word “associated” could mean anything to do with a Critical Assets which is too broad of a term and needs to be defined to avoid confusion. The phrase "could adversely impact the reliable operation" is unclear and vague. What magnitude of "adverse impact" should be considered? Also what is being defined as the Reliable Operation? This phrase should be more clearly defined, otherwise it could introduce different interpretations in the compliance audits.

Response: Thank you for your comments. The term “associated” is used in the same manner in the currently enforceable CIP-002-3. The phrase “adversely impact” limits the scope of the evaluation of Critical Cyber Assets to those that can affect the reliable operation of 1500MW or more of generation at a single plant location.

BGE Agree Clarify wording by moving generation comments to the end of paragraphs, as follows: “Using the list of Critical Assets developed pursuant to Requirement R1, each Responsible Entity shall develop a list of associated Critical Cyber Assets performing a function essential to the operation of the Critical Asset. Each Responsible Entity shall review this list at least annually, and update it as necessary

.For each group of generating units identified in Attachment 1, criterion 1.1, the only Cyber Assets that must be considered are those shared Cyber Assets that could adversely impact the reliable operation of any


November 30, 2010 193


combination of units that in aggregate exceed Attachment 1, criterion 1.1 within 15 minutes.

For the purpose of Standard CIP-002-4, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:.....”

Response:

Thank you for your comment. Requirement R2 has been changed to clarify the issues presented.


Disagree BES believes that a similar “shared Cyber Assets” criterion needs to be applied at a substation for transmission Facilities emanating from that substation in a similar fashion as is described for power plants. For instance, if the entire substation is found to be a Critical Asset as a result of application of Attachment 1, a single microprocessor-based relay isolated and only operating one non-critical transmission Facility should not be swept into the standards. Instead, only shared Cyber Assets controlling the entire critical substation should be a Critical Cyber Asset.

FMPA recommends avoiding the use of the term “Annual” due to the ambiguity of the term. Instead something like "Once a calendar year, but no longer than 15 months" may be more appropriate.

Response:



The phraseology you are concerned about (annual) is in the existing CIP-002-3 standard. The SDT expects this phraseology to be resolved in the next version

We Energies Agree Although we agree with the proposed Requirement R2, We are concerned that the document “CIP-002-4 Cyber Security - Critical Cyber Asset Identification: Rationale and Implementation Reference Document” actually appears to provide more rationale and guidance on Critical Assets than Critical Cyber Assets.

Response: Thank you for your comments. The guidance document title was chosen based on the title of CIP-002-4.

City Utilities of Springfield, MO Agree SPRM agrees with the proposed Requirement.

Response:


November 30, 2010 194



National Grid Agree Same as for Q3. If the intent is for entities to retain documentation of the basis for categorization, this should be explicitly stated in the standard. Otherwise the only documentation retained may be the list of assets.

Response:

Thank you for your comment.

Please see our response to Question 3. Please refer to the posted reference document for guidance on documentation.

Lincoln Electric System Agree LES supports the comments submitted by the MRO NERC Standards Review Subcommittee (MRO NSRS).

Response:



Disagree The requirement states “the only Cyber Assets that must be considered are those shared Cyber Assets that could adversely impact the reliable operation of any combination of units that in aggregate exceed Attachment 1, criterion 1.1 within 15 minutes.” The requirement should be modified to state” the only Cyber Assets that must be considered are those shared Cyber Assets that if destroyed, degraded, misused or otherwise rendered unavailable, could adversely impact the reliable operation of any combination of units that in aggregate exceed Attachment 1, criterion 1.1.” The fifteen minute criterion is not necessary and could result in disagreement between the entity and the auditor over whether the impact could occur within the fifteen minute versus a longer period. Removing the fifteen minute window and clarifying that the entity must consider both loss and misuse removes that ambiguity.

As with R1, the first instance of Critical Cyber Asset determination under CIP-002-4 needs to take place on or before the effective date of the standard. This affords the entity a minimum of six months to complete the required assessment. (The auditors will seek evidence based on this expectation, so placing it in the standard or accompanying guidance will remove any ambiguity such as that experienced with Version 1 of the standards)

The current qualifying criterion R2.1 states “The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter.” Although well intentioned, this does not adequately address risk exposure. While a given Critical Cyber Asset might not communicate itself with Cyber Assets outside of the Electronic Security Perimeter, the network it is connected to may well have connectivity to external networks. That external connectivity offers a vector for compromise through an intermediary system that both the external network and the Critical Cyber Asset are connected to. This exclusion should only apply in the


November 30, 2010 195


instance where the network employing a routable protocol is completely isolated from any network not enclosed within the same Electronic Security Perimeter.

Additionally, please accept and consider the following comments for Requirement R3. The comment form does not provide an opportunity for "other" considerations.

R3: The requirement states “The senior manager or delegate(s) shall approve annually the list of Critical Assets and the list of Critical Cyber Assets.” This statement should be modified to read “The senior manager or delegate(s) shall approve upon creation or modification, but at least annually if no changes were required, the list of Critical Assets and the list of Critical Cyber Assets.”

R3: The requirement includes the statement “...approval of the risk-based assessment methodology...” As a risk-based assessment methodology is no longer required, this reference needs to be removed.

Response:

Thank you for your comments. The SDT believes the Responsible Entity can more easily demonstrate whether or not a system can impact the reliable operation within 15 minutes as opposed to “if destroyed, degraded, misused or otherwise rendered unavailable, could adversely impact the reliable operation.” The approach taken by the SDT does not preclude the evaluation of CCA for “if destroyed, degraded, misused or otherwise rendered unavailable, could adversely impact the reliable operation.”

The implementation plan (posted on the Project 2008-06 project page at http://www.nerc.com/filez/standards/Project_2008-06_Cyber_Security_PhaseII_Standards.html ) specifies the proposed compliance schedule of the standards and requirements.

Regarding modifications to the routable protocol exception, the scope of CIP-002-4 was to address the consistency issues with the Critical Asset identification method. The team deliberately limited the scope of changes in this interim standard to minimize the impact on the industry while addressing the identified consistency issues.

Modifications to the Critical Cyber Asset list may be made as necessary but the list still only requires annual approval. The SDT believes the annual approval period provides the appropriate level of governance in the process.

References to the risk-based assessment will be removed prior to the next ballot.

Indianapolis Power & Light Agree

Constellation Power Generation Agree


Disagree The “15 minutes” timeline outlined in the second sentence of R2 is not clear to us as the content was interpreted differently by different individuals within our environment; hence, we ask the drafting team to consider clarifying the wordings around this.




November 30, 2010 196


Response:

Thank you for your comments. The 15 minute threshold is intended to include only those assets at generating units affecting real-time operations. This qualifier is particularly important to a generating plant because several systems (i.e. a fuel-handling system) may be essential after a longer period of time but do not necessarily involve real-time reliability impact. Requirement R2 has been changed to add clarity around the issue. Please refer to the guidance document posted on the Project 2008-06 project page at http://www.nerc.com/filez/standards/Project_2008-06_Cyber_Security_PhaseII_Standards.html for additional information.

American Electric Power (AEP) Disagree The language used is a little difficult to follow. “...could adversely impact the reliable operation” suggest adding “if lost or disrupted through cyber attacks.” In addition, R2.2 uses the term control center (also used in attachment 1) that is not a NERC defined term. This will introduce ambiguity to implementation. There has been ongoing confusion regarding the difference between “control centers” and “control rooms.” We do not believe that a “control room” at a power plant or a substation would be considered a “control center.”

There is language in the NERC Security Guideline for Electricity Sector: Identifying Critical Assets document that the SDT should consider and incorporate into the NERC Glossary. We suggest that parts of Requirement 3 could be added to requirements 1 and 2 and then Requirement 3 could be removed.

Response:

Thank you for your comments. The scope of changes to this Standard only addresses the near-term issues associated with external oversight and review of the risk-based assessment methodology.

Please refer to the guidance document posted on the Project 2008-06 project page at http://www.nerc.com/filez/standards/Project_2008-06_Cyber_Security_PhaseII_Standards.html for clarification between “control center” and “control room.”

At this time, the SDT is choosing not to add terms to the NERC Glossary. We feel defining terms under this proposed version of the Standard would have far-reaching impacts beyond the scope of CIP-002-4 to CIP-009-4. These terms are used in other approved NERC standards already in effect.

Orlando Utilities Commission Disagree There are many functions critical to reliable operations that are not essential to the operation of a particular critical asset. Situational awareness is one such example. It would appear that these assets would not be identified under the version of this requirement.

Response: Thank you for your comment. The scope of changes to this Standard only addresses the near-term issues associated with external oversight and review of the risk-based assessment methodology.

Oglethorpe Power Corporation Disagree The wording requiring that adverse effect occur within 15 minutes is a good start, but at the moment, it appears to only pertain to generation related cyber assets. The requirement should be reworded to extend this to all cyber assets, as it makes sense that if 15 minutes is the criterion for generation, it should be the





November 30, 2010 197


criterion for other cyber assets, or if it is not, some other, explicit criterion should be included.

Response:




Disagree The sentences dealing with the generating unit cyber asset should be moved to a sub-requirement.

Response: Thank you for your comment. The SDT considered this and other proposals and changed the wording of R2 based on industry input.

Midwest ISO Agree

Duke Energy Agree


Disagree See prior comments on Attachment 1

Response: Thank you for your comment. See response to question 2.

Progress Energy Agree

Orlando Utilities Commission Agree There are many functions critical to reliable operations that are not essential to the operation of a particular critical asset. Situational awareness is one such example. It would appear that these assets would not be identified under the version of this requirement.

Response: Thank you for your comment. The SDT agrees. The scope of changes to this Standard only addresses the near-term issues associated with external oversight and review of the risk-based assessment methodology.



November 30, 2010 198


Cowlitz County PUD Agree

Orlando Utilities Commission Disagree Question 4 Comments:Â Â Â Â There are many functions critical to reliable operations that are not essential to the operation of a particular critical asset. Situational awareness is one such example. It would appear that these assets would not be identified under the version of this requirement.

Response:

Thank you for your comment. The scope of changes to this Standard only addresses the near-term issues associated with external oversight and review of the risk-based assessment methodology.

Kansas City Power & Light Disagree The phrase “within 15 minutes” introduces audit uncertainty and is subject to debate and disagreement between Registered Entities and Audit Teams. Recommend an improved delineation that is intended that is measurable and auditable.

Response:


The SDT believes the Responsible Entity can demonstrate whether or not a system can impact the reliable operation within 15 minutes. The 15 minute threshold is intended to include only those assets at generating units affecting real-time operations. This qualifier is particularly important to a generating plant because several systems (i.e. a fuel-handling system) may be essential after a longer period of time but do not necessarily involve real-time reliability impact.


November 30, 2010 199

5.

Do you agree with the proposed implementation plan for the Version 4 standards? If not, please explain and provide specific suggestions for improvement.

Summary Consideration: In response to question 5, some commenters asked for new terms to be added to the NERC Glossary. At this time, the SDT is choosing not to add terms to the NERC Glossary since defining these terms would have far-reaching impacts beyond the scope of CIP-002-4 to CIP-009-4. These terms are used in other approved NERC standards already in effect. APPA’s review of the associated implementation plan for CIP-002-4 identified a potential inconsistency between the Implementation Plan and the Reliability Standard. The Reliability Standard clearly provides that updates to the Critical Asset list will be made at the time of the annual review. However, the Implementation Plan is not as clear. Requirements R1 and R2 were modified to clarify that the update is ongoing, and the review must occur at least annually. Several entities requested that the implementation plans be combined. A NERC Standard Implementation Plan address assets that are in place and applicable the date the standard becomes effective. It is retired once the Implementation Plan is completed. The Implementation Plan for Newly Identified Critical Cyber Asset and Newly Registered Entities addresses assets that are identified in the future and future Registered Entities and is an ongoing plan that has no expected retirement date. Some entities asked for a provision for extensions to the implementation plan for good cause. The suggested modification proposes an exception process to a mandatory standard, and the SDT refers the entities to the discussion on technical feasibility exceptions in the FERC Order. Specifically, the oversight framework which must be in place is summarized in paragraph 222. Some commenters felt the implementation plan was too aggressive. The SDT believes there is precedent showing this implementation period is reasonable. Upon FERC Approval, the Responsible Entity has a minimum of 2 years to become compliant with new Critical Cyber Assets. This period is consistent with the implementation plan for version 1 of the CIP Cyber Security Standards and the implementation plan for Registered Entities identifying their first Critical Cyber Asset. Some entities requested a 24 month implementation after effective date of standard, and indicated that the proposed plan was too complicated. The SDT has simplified the implementation plan to reference the Effective Date of CIP-002-4 through CIP-009-4 which is 8 calendar quarters after regulatory approval.



No Need a Control Center definition to clarify 1) control center, 2) control system, 3) backup control center, 4) backup control.

Since the current, approved Implementation Plan for Newly Identified Critical Cyber Asset and Newly Registered Entities addresses most of the criteria covered by CIP-002-4, request that relevant content be moved to that document. Creating a separate Implementation Plan is redundant and will cause confusion for entities trying to address appropriate timelines.


November 30, 2010 200


Response:


At this time, the SDT is choosing not to add control center to the NERC Glossary. We feel defining this term under this proposed version of the Standard would have far-reaching impacts beyond the scope of CIP-002-4 to CIP-009-4. This term is used in other approved NERC standards already in effect.

A NERC Standard Implementation Plan address assets that are in place and applicable the date the standard becomes effective. It is retired once the Implementation Plan is completed. The Implementation Plan for Newly Identified Critical Cyber Asset and Newly Registered Entities addresses assets that are identified in the future and future Registered Entities and is an ongoing plan that has no expected retirement date.

City of Garland Yes

NRG Energy Inc. Yes

APPA CIP-002-4 Task Force No Proposed Implementation Plan

APPA Comments:

APPA’s review of the associated Implementation Plan for CIP-002-4 has identified a potential inconsistency between the Implementation Plan and the Reliability Standard. The Reliability Standard clearly provides that updates to the Critical Asset list will be made at the time of the annual review. However, the Implementation Plan is not as clear. We would request modification to the Implementation Plan such that it reflects the intent of the Reliability Standard.

The Implementation Plan does not adequately address when a “New Asset” that does meet the CIP-002-4 criteria for being a Critical Asset after its commissioning will need to be in compliance. APPA believes that the intent of the Reliability Standard indicates that the post-commissioned New Asset will become a Newly Identified Critical Asset upon the subsequent Annual Review and only at the time of this Annual Review. Further that the timeline associated with this Newly Identified Critical Asset starts with the date of the Annual Review. We raise this point because we are concerned about the potential impact for confusion associated with multiple review dates or continuous reviews of the assets contained within numerous CIP activities. If an entity has multiple Cyber Assets, the entity would likely have multiple Annual Reviews dates.

Response:

Thank you for your comments. Requirements R1 and R2 were modified to clarify that the update is ongoing, and the review must occur at least annually. The text reference was removed from the Implementation Plan.


November 30, 2010 201



No Since the current, approved Implementation Plan for Newly Identified Critical Cyber Asset and Newly Registered Entities addresses most of the criteria covered by CIP-002-4, request that relevant content be moved to that document. Creating a separate Implementation Plan is redundant and will cause confusion for entities trying to address appropriate timelines.

Response:



Bonneville Power Administration No If this version requires more substations to be identified as Critical Assets, then we believe that the proposed implementation is too aggressive. Physical Security Perimeters are expensive and it may not be possible to fund these modifications in the short timeframe for compliance. A 3-year implementation period would be more appropriate.

Response:

Thank you for your comment. The SDT believes there is precedent showing this implementation period is reasonable. Upon FERC Approval, the Responsible Entity has a minimum of 2 years to become compliant with new Critical Cyber Assets. This period is consistent with the implementation plan for version 1 of the CIP Cyber Security Standards and the implementation plan for Registered Entities identifying their first Critical Cyber Asset.

PSEG Companies No PSEG believes that overall, the proposed implementation plan for the Version 4 standards is appropriate and makes sense. PSEG does suggest the following addition:

Reasonably unforeseen circumstances may occur that prevent strict compliance within the timeframes envisioned in the implementation plan. By allowing for Regional Entity review of the need for an extension of time, registered entities can be afforded necessary flexibility without unduly slowing the implementation. In the implementation plan insert before "Prior Version Standard Retirements" the following new section:

Extension for Good Cause

Critical Cyber Assets shall be compliant by the schedule set forth herein unless a Regional Entity grants prior approval of an extension for specified Critical Cyber Assets for good cause based on scheduling constraints or other constraints beyond the control of the Registered Entity.


November 30, 2010 202


Response:

Thank you for your comment. The suggested modification proposes an exception process to a mandatory standard. We refer to the discussion on technical feasibility exceptions in the FERC Order, specifically, to the oversight framework which must be in place that is summarized in paragraph 222. The SDT believes the effective date provides a reasonable timeframe for entities to become compliant with CIP-002-4 through CIP-009-4, which would preclude the need to implement a burdensome exception process for the industry.

Pepco Holdings, Inc - Affiliates No We suggest the following addition:

In the implementation plan insert before "Prior Version Standard Retirements" the following new section:



Response:



No The implementation plan is overly complex and confusing. It is not clear when the “Implementation Plan for Version 4 of Cyber Security Standards CIP-002-4 through CIP-009-4” applies versus when the “Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities” applies. Does the former document apply only upon the approval of the CIP-002-4 and, then, subsequently, the latter implementation plan apply? The flow chart appears to show this. If this is the intention, we suggest that should be made clear somewhere in the document. As the document is written now, it is not clear.

Response:

Thank you for your comments. The SDT has simplified the Implementation Plan to reference the Effective Date of CIP-002-4 through CIP-009-4 which is 8 calendar quarters after regulatory approval.

Santee Cooper No Eighteen months from the effective date of version 4 may not be a reasonable amount of time for certain entities. For example, if an entity recently produced a vulnerability/risk assessment under the current standard, the entity should be allowed up to 12 months before the criteria in Attachment 1 is applied. The


November 30, 2010 203


SDT should consider compliance being effective no earlier than 18 months after completion of the entity’s most recent vulnerability/risk assessment (or application of Attachment 1 after the standard is approved for implementation).

Response:

Thank you for your comment. The SDT has simplified the Implementation Plan to reference the Effective Date of CIP-002-4 through CIP-009-4 which is 8 calendar quarters after regulatory approval.

Dominion Yes Dominion has the following comments: While we recognize that there will be a tremendous amount of effort and coordination required to protect large generation units and transmission facilities to implement the requirements, we agree with the current implementation plan. However we would be concerned of any shortening of the implementation schedule because the logistics required for design and procurement engineering, outage scheduling, and lead times for the acquisition of material, equipment and labor.

Response:



Yes

Florida Municipal Power Agency No Without knowing the outcome of CIP-005-4, we cannot support the implementation plan.

Response:

Thank you for your comments. The implementation plan associated with the Urgent Action SAR for modifications to CIP-005-3 will be drafted as part of a separate ballot and is outside the scope of this SDT. If both ballots pass, then the SDT anticipates NERC will merge the documents for filing with FERC.

PNGC Power No Again we associate ourselves with NRECA's request for a 24 month implementation after effective date of standard. Plus the ability to extend the deadline if conditions warrant.

Response:



November 30, 2010 204


The SDT believes an additional provision to allow for extenuating circumstances carries the same oversight requirements as the TFE process.

WECC

Southern Company No However, the Implementation Plan (under the section titled “Critical Cyber Assets Associated with Critical Assets Newly Identified by CIP-002-4”), requires that Critical Cyber Assets “which are newly identified by CIP-002-4 R1 within the first 18 months following the Effective Date of CIP-002-4 shall be compliant with CIP-003-4 through CIP-009-4 18 months after the Effective Date of CIP-002-4.” This requirement does not provide sufficient time for the Responsible Entity to achieve compliance. For example, under this provision, an asset that is identified on the last day of the 18 month period would only have 1 day to achieve compliance, which is not a sufficient amount of time for implementation. To allow Responsible Entities sufficient time to reach compliance, the SDT should consider deleting the section titled “Critical Cyber Assets Associated with Critical Assets Newly Identified by CIP-002-4.” The result of this change would mean that all Critical Cyber Assets that are newly identified after the Effective Date of CIP-002-4 would be subject to compliance as set forth in the Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities. Southern believes this streamlined approach will be easier to implement than having a separate timeline for Critical Cyber Assets that are newly identified within the first 18 months after the Effective Date of CIP-002-4.This suggestion is contingent upon the SDT’s adoption of Southern’s comments to Question 6 which establishes a uniform 24 month implementation schedule or a different implementation deadline granted by the Regional Entity for good cause, rather than different timelines for different requirements. Furthermore, it is impossible for large utilities to enumerate and verify all the CCAs within 6 months, due to the number of CAs requiring analysis of common systems.

Response:



Encari, LLC Yes

Arizona Public Service No Revising the set of Standards CIP-002 through CIP-009 to Version 4, as described in these drafts, seems to conflict with the (almost) concurrent SAR process to revise CIP-005-4. The ultimate outcome and impact to the proposed implementation plan is unclear. AZPS is unable to determine at this time which CIP-005-4 version is likely to be in effect for this proposed Version 4 implementation plan. It seems highly desirable to incorporate the intended changes to CIP-005-4, as indicated by the SAR revision, into the larger set of


November 30, 2010 205


Version 4 updates. The revision timelines and resulting implementation and auditability implications are of great concern. AZPS urges the 706 SDT team to consider reasonable adjustment in the implementation of the posted Standards CIP-002 through CIP-009 to Version 4 to ensure incorporation and synchronization of the Project 2010-15 â€• Urgent Action Revisions to CIP-005-3 (http://www.nerc.com/filez/standards/SAR-Urgent_Action_Revisions%20to%20CIP-005-3.html) â€• CIP-005 version changes in order to minimize confusion and potential implementation conflict to the industry.

Response:


Edison Electric Institute No EEI believes that overall, the proposed implementation plan for the Version 4 standards is appropriate and makes sense. We suggest the following addition:




Response:



PacifiCorp Yes

OGE Yes

FMPA No Without knowing the outcome of CIP-005-4, we cannot support the implementation plan.


November 30, 2010 206


Response:




Yes

Central Lincoln Yes


Yes

SPS Consulting Group Inc. No I do not see an Implementation Plan on the Project site other than the one for Nuclear facilities that has already been approved by FERC.

Response:

Thank you for your comment. The Implementation plan can be found on the 2008-06 project page under the version 4 documents. The Version 4 page is located at http://www.nerc.com/filez/standards/Project_2008-06_Cyber_Security_PhaseII_Standards.html

Tacoma Power No Tacoma Power would like to identify the following as errors in the proposed implementation plan:

Under Critical Cyber Assets Associated with Critical Assets Newly Identified by CIP-002-4 U.S. Nuclear Power Plant Facilities and also All Other Critical Cyber Assets, the implementation plan reads, “the latter of.” Tacoma Power believes the SDT meant to say “the later of.”

Tacoma Power also suggests that the Category 2 timelines for compliance with CIP-005-4 through CIP-009-4 be extended to 24 months as these standards could require capital improvements necessary to comply with the standards.

Response:



November 30, 2010 207


Thank you for your comments. The text you reference has been removed.


Green Country Energy Yes

Illinois Municipal Electric Agency No IMEA supports comments submitted by the American Public Power Association.

Response:

Thank you for your comments. Please see the SDT response to APPA comments.

Minnkota Power Cooperative No CIP-005-4 is going through a bit of a different process, but its implementation plan is the same as the rest of the Version 4 standards. Based on the number of configuration changes that may be required for communications outside of the ESP for currently designated CCAs, we request a longer implementation plan for CIP-005-4 in terms of currently identified CCAs.

Response:



Union Power Partners LP Yes

MidAmerican Energy Company Yes


No NCEMC agrees with NRECA comment “The proposed implementation plan is incredibly confusing and must be greatly simplified. NRECA recommends an implementation plan that requires compliance within 24 months of the effective date of the standard, with a provision that allows entities to request extensions of this deadline for extenuating circumstances. Additional confusion could come from the fact that CIP-002-4 and its implementation plan could be filed with FERC by the end of 2010 and then CIP-010 and CIP-011 and its implementation plan could be submitted to FERC some time in 2011. With two sets of changes to these standards and related implementation plans being filed with FERC within months, the required implementation of these standards could be very confusing and challangeing to navigate."


November 30, 2010 208


Response:

Thank you for your comments. Please see our response to NRECA comments.

Hydro One Networks Inc. Yes

Dynegy Inc. No This is way to hard to follow and understand. The Implementation Plan is 18 pages. Suggest doing it on one page. I can't tell with certainty when I am due to be compliant. This must be clear so entities don't miss their initial compliance due date because they misunderstood when they were supposed to be compliant.

Response:


Matrikon Inc.


CenterPoint Energy Yes

LCEC Yes

Xcel Energy No The proposed 18 months implementation is not realistic in all cases. Additional flexibility is needed to account for complex changes that can not be completed in that short of a timeframe.

Response:

Thank you for your comments. The SDT believes there is precedent showing this implementation period is reasonable. The Responsible Entity has a minimum of 2 years to become compliant with new Critical Cyber Assets. This period is consistent with the implementation plan for version 1 of the CIP Cyber Security Standards and the implementation plan for Registered Entities identifying their first Critical Cyber Asset.

Great River Energy No For newly identified Critical Assets of a given type (Control Center, Generation Plant, Substation) the entity will be given a longer period of time than if it is not the first instance for that entity.

Response:


November 30, 2010 209




ITC Holdings Yes


Yes

TransAlta

Exelon No In the “Implementation Plan for Version 4 of Cyber Security Standards CIP-002-4 through CIP-009-4”, although page 2 explicitly addresses CCA compliance for Nuclear generators as being 18 months after the CIP-002-4 effective date (with certain exceptions for refueling outages) the flow-chart logic on page 3 does not achieve the same result. That is, if a nuclear generator is not a CA for CIP-002-3 and thus has no CCAs, the second decision diamond would result in a “no” and exit to “Newly Identified CCAs and Newly Registered Entities” and not the 18-month compliance milestone. Suggest the second diamond be reworded to include the logic of no current CA’s, or explicitly refer to nuclear GO/GOP.

Response:


AECI No In some cases there could be a significant outlay of financial and staff resources and current budgets are not going to allow start of implementation of a project until the following year. Therefore, it should be 12 months to identify Critical Assets and 36 months to complete implementing CIPs 003-009. This will provide entities enough time to request financing and the additional staffing that may be required to perform the new requirements of the CIP standards.

Response:



November 30, 2010 210



No In some cases there could be a significant outlay of financial and staff resources and current budgets are not going to allow start of implementation of a project until the following year. Therefore, it should be 12 months to identify Critical Assets and 36 months to complete implementing CIPs 003-009. This will provide entities enough time to request financing and the additional staffing that may be required to perform the new requirements of the CIP standards.

Response:




Response:



No Comments: In some cases there could be a significant outlay of financial and staff resources and current budgets are not going to allow start of implementation of a project until the following year. Therefore, it should be 12 months to identify Critical Assets and 36 months to complete implementing CIPs 003-009. This will provide entities enough time to request financing and the additional staffing that may be required to perform the new requirements of the CIP standards.

Response:


M & A Electric Power No In some cases there could be a significant outlay of financial and staff resources and current budgets are not


November 30, 2010 211


Cooperative going to allow start of implementation of a project until the following year. Therefore, it should be 12 months to identify Critical Assets and 36 months to complete implementing CIPs 003-009. This will provide entities enough time to request financing and the additional staffing that may be required to perform the new requirements of the CIP standards.

Response:



Yes



Response:


KAMO Power No Comments: In some cases there could be a significant outlay of financial and staff resources and current budgets are not going to allow start of implementation of a project until the following year. Therefore, it should be 12 months to identify Critical Assets and 36 months to complete implementing CIPs 003-009. This will provide entities enough time to request financing and the additional staffing that may be required to perform the new requirements of the CIP standards.

Response:



November 30, 2010 212


United Illumiinating No the proposed implementation plan for the Version 4 standards is appropriate and makes sense. We suggest the following addition:



Critical Cyber Assets shall be compliant by the schedule set forth herein unless a Regional Entity grants prior approval of an extension for specified Critical Cyber Assets for good cause based on scheduling constraints or other constaints beyond the control of the Registered Entity.

Response:



No I would suggest that it should not be assumed that an entity with an existing CIP program would require a shorter implementation period than an entity without existing Critical Cyber Asset. The period should be the same at 24 months.

Response:




Response:



November 30, 2010 213


KAMO Electric Cooperative No In some cases there could be a significant outlay of financial and staff resources and current budgets are not going to allow start of implementation of a project until the following year. Therefore, it should be 12 months to identify Critical Assets and 36 months to complete implementing CIPs 003-009. This will provide entities enough time to request financing and the additional staffing that may be required to perform the new requirements of the CIP standards.

Response:




Response:




Response:


Sierra Pacific Power d/b/a NV Yes


November 30, 2010 214


Energy



Response:


SDG&E No What schedule will CIP005 follow given the proposed revisions to that standard?

Response:


Central Lincoln Yes



Response:


National Rural Electric Cooperative Association

No The proposed implementation plan is incredibly confusing and must be greatly simplified. NRECA recommends an implementation plan that requires compliance within 24 months of the effective date of the standard, with a provision that allows entities to request extensions of this deadline for extenuating


November 30, 2010 215


(NRECA) circumstances. Additional confusion could come from the fact that CIP-002-4 and its implementation plan could be filed with FERC by the end of 2010 and then CIP-010 and CIP-011 and its implementation plan could be submitted to FERC some time in 2011. With two sets of changes to these standards and related implementation plans being filed with FERC within months, the required implementation of these standards could be very confusing and challangeing to navigate.

Response:



Tampa Electric Yes

M&A Electric Power Cooperative No In some cases there could be a significant outlay of financial and staff resources and current budgets are not going to allow start of implementation of a project until the following year. Therefore, it should be 12 months to identify Critical Assets and 36 months to complete implementing CIPs 003-009. This will provide entities enough time to request financing and the additional staffing that may be required to perform the new requirements of the CIP standards.

Response:


MEAG Power Yes



Response:

Thank you for your comments. The SDT believes there is precedent showing this implementation period is reasonable. The Responsible Entity has a minimum of


November 30, 2010 216


2 years to become compliant with new Critical Cyber Assets. This period is consistent with the implementation plan for version 1 of the CIP Cyber Security Standards and the implementation plan for Registered Entities identifying their first Critical Cyber Asset.



Response:


FirstEnergy Corp No FirstEnergy believes that overall the Implementation Plan consisting of 15 pages is overly complex and could be greatly simplified. We recognize that for the most part the SDT attempted to make minimal conforming changes to an already approved Implementation Plan. However, much of the Implementation Plan discusses scenarios and examples of company mergers and a recognition that separate Critical Asset identification processes may exist between the companies and time is needed to assess a going-forward position on Critical Asset determinations. The discussion is applicable when companies developed and maintained their own unique Risk Based Assessment Methodologies, however, under the “bright-line” Critical Asset determinations performed with CIP-002-4 it should be expected that minimal differences will result, otherwise we have not achieved the industry consistency desired under this “bright-line” criteria. If the criteria in Attachment 1 are crisp and clear the only potential item open to asset owner subjectivity are the assets classified as Critical Assets under criterion 1.16 which reads “Any additional assets that the Responsible Entity deems appropriate to include.” It is FE’s view that the resulting merged Responsible Entity could adjust 1.16 based on what it “deems necessary” and any CIP-003 through CIP-009 compliance required of the resulting “newly identified Critical Cyber Assets” simply follow Category 1 or Category 2 as appropriate. To simplify the Implementation Plan we encourage the SDT to reconsider the need for material presented under the section titled “Newly Registered Entity Scenarios” on pages 8 through 11 and the continued need for Table 3. There are earlier references to “Newly Registered Entities and Table 3 that exist on page 2 that could potentially be removed as well.

Response:

Thank you for your comments. The SDT has simplified the Implementation Plan to reference the Effective Date of CIP-002-4 through CIP-009-4 which is 8


November 30, 2010 217


calendar quarters after regulatory approval. The section on Newly Registered Entities scenarios has been revised to address your concerns.

Minnesota Power No Minnesota Power believes that overall, the proposed implementation plan for the Version 4 standards is appropriate and makes sense. We suggest the following addition:

In the implementation plan insert before "Prior Version Standard Retirements" the following new section:”


Critical Cyber Assets shall be compliant by the schedule set forth herein unless a Regional Entity grants prior approval of an extension for specified Critical Cyber Assets for good cause based on scheduling constraints or other constraints beyond the control of the Registered Entity.”

Response:

Thank you for your comment. The suggested modification proposes an exception process to a mandatory standard. We refer to the discussion on technical feasibility exceptions in the FERC Order, specifically, to the oversight framework which must be in place that is summarized . We refer to the discussion on technical feasibility exceptions in the FERC Order, specifically, to the oversight framework which must be in place that is summarized in paragraph 222. The SDT believes the effective date provides a reasonable timeframe for entities to become compliant with CIP-002-4 through CIP-009-4, which would preclude the need to implement a burdensome exception process for the industry.

Manitoba Hydro No The proposed 18 month timeframe is too short for the industry to meet compliance for a group of new CCAs. Although the existing approved Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities provides up to 18 months to reach compliance for some requirements under an existing program, the identification of new CCAs would distributed over time, both throughout the entity and throughout the industry. This new CIP-002-4 compliance date could cause a sudden increase in the number of new CCAs throughout the industry, which may not have the resources to meet this sudden compliance burden. Some consideration should be given to the types of environments and their unique challenges when establishing compliance dates. The flowchart on page 3 needs to be revised, since the CAs are identified by the Criteria in Attachment #1, not the CCAs. Suggest changing to “Are the CCAs associated with CAs newly identified by the Criteria...”.

Response:


American Transmission No ATC agrees the implementation schedule in general, should allow for sufficient time (18 months from effective date; 24 months from FERC approval date) for Category 2 entities to become compliant with CIP-003 through


November 30, 2010 218


Company CIP-009. However, we suggest an extension should be allowed for good cause if approved by the Regional Entity.

Response:


Ameren No Under All Facilities Other Than U.S. Nuclear Power Plants Facilities Page 2, Line 3, the words “within the first 18 months following the Effective Date of CIP-002-4” should be removed. The way that this paragraph is currently written if an Entity identifies a Critical Cyber Assets in the 17 month following the Effective Date of CIP-002-4, the Entity would have to be compliant with all of CIP Version 4 the next month (18 months after the Effective Date of CIP-002-4). In the CCA-Based Decision Tree the third diamond (Is the identification of the CCA within 18 months of the Effective Date of CIP-002-4) should be removed.

Also, the implementation schedule should be changed to give an Entity at least 6 months following the Effective Date of CIP-002, R1 to comply with CIP-002, R2 and R3. This would allow an Entity time to inventory all its CCAs, especially for generation assets, this would give the Entity about a year to develop their inventory of CCAs.

Response:

Thank you for your comments. The Implementation Plan has been modified to reference the Effective Date which is 8 calendar quarters after regulatory approval for CIP-002-4 through CIP-009-4.

BGE Yes Strong need for clarifying wording:

- Time line given should be clearly labeled that it is ONLY if the FERC approves the standard in the first quarter 2011.

- Remove the words EXAMPLE and SAMPLE to describe the Scenarios, in the table and in the text. Perhaps a statement that this list of scenarios is not “ALL INCLUSIVE” would be correct in this situation.

- With the time allowed in tables used for varying scenarios, it seems that a similar amount of time should be used for new Cyber Assets never before in service rather than requiring “Compliant upon Commissioning”. There is a focused effort and many changes required to bring a Cyber Asset into compliance and there may be an impact on operability and reliability if delays occur in implementation.


November 30, 2010 219


- Is Scenario used in the text and the table to mean different things?

- P. 11 uses a term bulk power system - is this to mean Bulk Electric System?

- There is no table for Scenario 3.

- Provide an explanation that Auditably Compliant is a term no longer used as all entities who must be compliant should expect that during any audit after approval of the standard, information will be reviewed for compliance

Response:


- The guidance document was modified to address the concerns about time line and list of scenarios not being all-inclusive. - The technical security requirements should be considered as part of the acquisition and commissioning process for a Critical Cyber Asset. - The implementation plan references scenarios for both newly registered entities and newly identified Critical Cyber Assets. The scenarios referenced in Table

1 of this document refer to Critical Cyber Assets. - The reference has been changed to Bulk Electric System - References to Auditably Compliant have been removed.


No Without knowing the outcome of CIP-005-4, we cannot support the implementation plan.

Response:


We Energies Yes

City Utilities of Springfield, MO No SPRM agrees with the comments from the APPA Task Force.

Response:

Thank you for your comment. Please see the SDT response to APPA comments.

National Grid Yes


November 30, 2010 220



Response:

Thank you for your comment. Please see the SDT response to MRO NERC Standards Review Subcommittee


Yes


Constellation Power Generation No Constellation Power Generation believes that 18 months to implement these requirements is not enough time. Based on the number of self reports and compliance issues regarding the CIP standards, it is evident that not enough time was given to entities in the implementation phase. Therefore, Constellation Power Generation suggests that the SDT extend the implementation time to 24 months.

Response:



Yes

American Electric Power (AEP) Yes


Oglethorpe Power Corporation Yes


Midwest ISO No The implementation plan is overly complex and confusing. It is not clear when the “Implementation Plan for Version 4 of Cyber Security Standards CIP-002-4 through CIP-009-4” applies versus when the “Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities” applies.


November 30, 2010 221


Does the former document apply only upon the approval of the CIP-002-4 and, then, subsequently, the latter implementation plan apply? The flow chart appears to show this. If this is the intention, we suggest that should be made clear somewhere in the document. As the document is written now, it is not clear.

Some of the paths in the flowchart in figure 1 of the draft guidance rationale and implementation reference document appear to be missing.

We are placing our comment regarding R3 here because there are no other appropriate questions that ask about R3 or anything else that has not been covered in the other questions. R3 requires conforming changes. In the last sentence, it still refers to the Responsible Entity keeping a signed and dated record of the senior manager’s approval of the risk-based methodology.

Response:

Thank you for your comments. Your understanding of the implementation plan is correct. We will make changes to the guidance document to make this more evident.

We will correct figure 1 on the guidance document.

The issue you raise with R3 has been corrected.

Duke Energy Yes


No The proposed implementation plan is incredibly confusing and must be greatly simplified. SEC recommends an implementation plan that requires compliance within 24 months of the effective date of the standard, with a provision that allows entities to request extensions of this deadline for extenuating circumstances. Additional confusion could come from the fact that CIP-002-4 and its implementation plan could be filed with FERC by the end of 2010 and then CIP-010 and CIP-011 and its implementation plan could be submitted to FERC some time in 2011. With two sets of changes to these standards and related implementation plans being filed with FERC within months, the required implementation of these standards could be very confusing and challenging to navigate.

Response:


Progress Energy No NERC needs to address what happens if an entity’s annual assessment falls within 30-60 days of the approval date. That situation would require the entity to execute their version 3 Risk Based Assessment


November 30, 2010 222


Methodology, and then immediately (or concurrently) do an assessment using the version 4 criteria.

A solution to the above problem is to make version 4 effective on the first day of the calendar quarter after regulatory approval, and then require compliance with CIP-002-4 and for CCAs previously identified 6 months after the effective date, and compliance for CIP-003-4 through CIP-009-4 for newly identified CCAs 24 months after the effective date.

Response:

Thank you for your comments. The SDT does not believe that it is overly burdensome to have entities adjust the timing of their review to accommodate the transition to CIP version 4.



Cowlitz County PUD No There will be some confusion between the Annual Assessment and Commissioning of new assets. The timeline for compliance should begin after the Annual Assessment is concluded finding the new added asset as critical.

Response:

Thank you for your comments. Entities are expected to be compliant with CIP-002-4 to CIP 009-4 upon commissioning of a new Critical Cyber Asset.


Kansas City Power & Light No It should be 24 months to establish compliance with this proposed standard for any newly identified critical assets and newly identified cyber critical assets by the application of this proposed standard. Circumstances can change that are not predetermined but result in an asset qualifying as a critical asset.

Response:



November 30, 2010 223

6.

Do you agree with the proposed revisions to the implementation plan for newly identified CCAs and Responsible Entities? If not, please explain and provide specific suggestions for improvement.

Summary Consideration: In response to question 6, some commenters noted conforming changes that needed to be made in the implementation plan for newly identified CCAs and Responsible Entities. The SDT made these changes and will post them in the next ballot. Most other comments were similar to those offered in question 5, for which the SDT offered the same responses.



No Agree as long as an Entity can request additional time due to a large increase in identified assets - something like a TFE with a mitigating plan.

Throughout the Implementation Plan for Newly Identified Critical Cyber Asset and Newly Registered Entities, Critical Asset identification is noted as a “Critical Asset identification process”. Process should be stricken as it is not supported by the wording of the requirement R1.

Request that the term “Bulk Electric System” be used in the document in place of “bulk power system”. This is in keeping with the standard and the NERC glossary.

The inclusion of CIP-005-4 R6 in the proposed changes is dependent upon concurrent industry, BOT, and FERC approval of CIP-005-4 and CIP-002-4. If these approvals do not occur at the same time, request removal of CIP-005-4 R6 from Table 2.

Request clarification regarding the implementation plan for prior versions of the CIP standards. Will implementation plans of approved CIP standards remain in place until those standards are retired and audit periods have closed for those versions?

Response:

Thank you for your comments. The suggested modification proposes an exception process to a mandatory standard. We refer to the discussion on technical feasibility exceptions in the FERC Order, specifically, to the oversight framework which must be in place that is summarized in paragraph 222. The SDT believes the effective date provides a reasonable timeframe for entities to become compliant with CIP-002-4 through CIP-009-4, which would preclude the need to implement a burdensome exception process for the industry.

The requirements of CIP-002-4 R1 still require a process of Critical Asset Identification.

Agreed. The SDT has changed the reference from bulk power system to Bulk Electric System.


November 30, 2010 224


Regarding CIP-005-4, NERC will make conforming changes dependent on the results of the CIP-005-4 Urgent Action SAR ballot.

Upon the Effective Date for version 4 Standards, previous implementation plans are no longer in effect.

City of Garland Yes

NRG Energy Inc. Yes

APPA CIP-002-4 Task Force No Proposed Implementation Plan

APPA Comments:

APPA’s review of the associated Implementation Plan for CIP-002-4 has identified a potential inconsistency between the Implementation Plan and the Reliability Standard. The Reliability Standard clearly provides that updates to the Critical Asset list will be made at the time of the annual review. However, the Implementation Plan is not as clear. We would request modification to the Implementation Plan such that it reflects the intent of the Reliability Standard.

The Implementation Plan does not adequately address when a “New Asset” that does meet the CIP-002-4 criteria for being a Critical Asset after its commissioning will need to be in compliance. APPA believes that the intent of the Reliability Standard indicates that the post-commissioned New Asset will become a Newly Identified Critical Asset upon the subsequent Annual Review and only at the time of this Annual Review. Further that the timeline associated with this Newly Identified Critical Asset starts with the date of the Annual Review. We raise this point because we are concerned about the potential impact for confusion associated with multiple review dates or continuous reviews of the assets contained within numerous CIP activities. If an entity has multiple Cyber Assets, the entity would likely have multiple Annual Reviews dates.

Response:



No See comments to Question 1 above and the proposed Attachment 1.

Response:

Thank you for your comments. Please refer to response to Question 1.


November 30, 2010 225


Bonneville Power Administration Yes Yes, these look appropriate.

PSEG Companies No Although the proposed revisions to the implementation plan for newly identified CCAs and Responsible Entities reflect historical precedent in terms of FERC approval, PSEG believes that with the exception of nuclear facilities, it would be better to simply have a uniform 18 month implementation deadline for newly identified CCAs and Responsible Entities, rather than different timelines for different requirements. Nuclear timelines are subject to NRC requirements and the necessity of accomplishing some tasks only during refueling outages and thus are appropriately kept on a separate schedule.

Other comment:

As posted, the revised CIP-002-4 has the following language (Page 2):R3. Annual Approval -The senior manager or delegate(s) shall approve annually the risk-based assessment methodology, the list of Critical Assets and the list of Critical Cyber Assets. Based on Requirements R1, R2, and R23 the Responsible Entity may determine that it has no Critical Assets or Critical Cyber Assets. The Responsible Entity shall keep a signed and dated record of the senior manager or delegate(s)’s approval of the risk-based assessment methodology, the list of Critical Assets and the list of Critical Cyber Assets (even if such lists are null.)

Recommendation:

References to risk-based assessment methodology should be removed.

Response:

Thank you for your comments. Due to the limited scope of version 4, the SDT is only making conforming changes to the Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities.

The references to risk-based assessment have been removed.

Pepco Holdings, Inc - Affiliates No Although the proposed revisions to the implementation plan for newly identified CCAs and Responsible Entities reflect historical precedent in terms of FERC approval, we believe that with the exception of nuclear facilities discussed under U.S. Nuclear Power Plant Facilities, it would be better to simply have a uniform18 month implementation deadline for newly identified CCAs and Responsible Entities, rather than different timelines for different requirements.

Response:

Thank you for your comments. Due to the limited scope of version 4, the SDT is only making conforming changes to the Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities.


November 30, 2010 226



No For newly identified Critical Assets, a 24 month implementation is provided for Entities that have never identified a Critical Asset under the version 3 standards, with only 18 months provided for Entities with existing Critical Assets. We believe the SDT has developed a sound approach with this delineation. However, we also believe the 24 month implementation should be expanded to include Entities that may have existing Critical Assets, but have never identified a Critical Asset of a given type, i.e., generating unit, transmission facility, control center, etc. For example, if a company had a control center that was previously identified as critical, but version 4 results in their first generating unit being identified, then we would propose that they be given 24 months to become compliant as they are working on their first generating unit.

Also, many sections of the new identified CCAs and responsible entities still reflect the former risk-based assessment methodology. For example, in the Implementation Milestone Categories on page 4, there is a discussion regarding a change in power flows causing non-critical assets to become Critical Assets. Under the new criteria, there is no evaluation of power flows. A better example would be referencing criterion 1.3 in CIP-002-4 Attachment 1 - “When a PC or TP newly identifies a generation Facility that is required for reliability purposes.” In the section discussing mergers, there is discussion of how to combine Critical Asset identification processes. Again, this was written assuming entities needed to combine their risk-based assessment methodologies and resolve any differences. There is no need for discussion of combining these processes with bright line criteria. Furthermore, there are other statements in the merger section that need to be updated to reflect the bright line criteria as well. The paragraph from the merger section in 3 (a) that begins with “Registered Entities are encouraged when combining separate risk-based Critical Asset identification processes...” should be removed since there should be no reduction in Critical Assets from a merger with bright line criteria.

For Table 3, how do we know which column applies? Is it based on category 1 and category 2 as shown in Table 2 and described in the Implementation Milestone Categories and Schedules? If so, then column headings should be added to Table 3 to clarify.

Response:

Thank you for your comments. The SDT believes the shorter timeframe for entities having Critical Cyber Assets in version 3 reflects the organizational knowledge and expertise in implementing the cyber security requirements. Also, all entities have 24 months from regulatory approval to implement the requirements of the CIP Cyber Security Standards.

The SDT agrees the text you reference still reflects the risk-based assessment methodology and have made those conforming changes.

Table 3 only applies to entities registered after the CIP-002-4 Effective Date. The column headings reflect 12 months and 24 months respectively after the date of registration.


November 30, 2010 227


Santee Cooper No The implementation plans are confusing and long. The industry would probably prefer one document, with tables or charts that depict all possible scenarios, combining all elements of all implementation plans.

Response:

Thank you for your comment. In the general case, a Responsible Entity has at least 6 months to comply with CIP-002-4 and 18 additional months to comply with CIP-003-4 through CIP-009-4. The SDT believes the additional specification is appropriate to provide Responsible Entities reasonable time to comply in the respective scenarios.


Dominion No Certain Table 2 Milestone Category 2 time frames do not appear to give due consideration to the effort that may be involved with implementation. For example, providing training is allowed 18 months where as establishing physical and electronic security, which is likely to involve engineering and construction, is only allowed 12 months. Dominion suggests time frames for Category 2 physical and electronic security be changed to 18 months.

Response:

Thank you for your comment. The 18 month time frame for training recognizes all other cyber security controls must be in place prior to training personnel.


Yes

Florida Municipal Power Agency No Without knowing the outcome of CIP-005-4, we cannot support the implementation plan.

Response:


PNGC Power No Same as #5


November 30, 2010 228


WECC

Southern Company No Southern believes the SDT should implement a uniform 24 month implementation deadline, or a different implementation deadline granted by the Regional Entity for good cause, rather than different timelines for different requirements.

Response:


Encari, LLC Yes

Arizona Public Service Yes

Edison Electric Institute No Although the proposed revisions to the implementation plan for newly identified CCAs and Responsible Entities reflect historical precedent in terms of FERC approval, we believe that with the exception of nuclear facilities, it would be better to simply have a uniform18 month implementation deadline for newly identified CCAs and Responsible Entities, rather than different timelines for different requirements. We have additional input:

The Following Functional entities to be added to the applicability section: Planning Coordinator, Transmission Planner.

Issue:

As posted, the revised CIP-002-4 has the following language (Page 2):R3. Annual Approval -The senior manager or delegate(s) shall approve annually the risk-based assessment methodology, the list of Critical Assets and the list of Critical Cyber Assets. Based on Requirements R1 , R2, and R23 the Responsible Entity may determine that it has no Critical Assets or Critical Cyber Assets. The Responsible Entity shall keep a signed and dated record of the senior manager or delegate(s)’s approval of the risk-based assessment methodology, the list of Critical Assets and the list of Critical Cyber Assets (even if such lists are null.)

Recommendation:

References to risk-based assessment methodology should be removed.


November 30, 2010 229


Response:

Thank you for your comment. Because FERC has already approved this plan, and due to the limited scope, the SDT is only making conforming changes at this time.

There are no requirements in version 4 of the CIP Cyber Security Standards for Planning Coordinators and Transmission Planners.

References to the risk-based assessment methodology have been removed.


PacifiCorp Yes : While PacifiCorp agrees with the proposed revisions to this implementation plan, the Company does suggest an alternative approach that may remove the complications that are created with the current multiple implementation schedules. It would be simpler if all responsible entities had 18 months from the effective date of CIP-002-4 to bring any newly identified Critical Cyber Assets (CCAs) into compliance with CIP-003-4 through CIP-009-4, regardless of the reason for which new CCAs are identified.

Response:

Thank you for your comment. As written in the Implementation Plan, all entities have 18 months from the effective date of CIP-002-4 to bring new CCAs into compliance.


OGE Yes

FMPA No Without knowing the outcome of CIP-005-4, we cannot support the implementation plan.

Response:



Pinellas County Resource Yes


November 30, 2010 230


Recovery Facility

Central Lincoln Yes


Yes

SPS Consulting Group Inc. No See answer to Question 5.

Response:


Tacoma Power Yes Tacoma Power agrees with the proposed revisions to the implementation plan.

Response:


Green Country Energy Yes

Illinois Municipal Electric Agency No IMEA supports comments submitted by the American Public Power Association.

Response:


Minnkota Power Cooperative Yes As mentioned in question 5, our concern is over the implementation of current CCAs.

Response:



Union Power Partners LP Yes


November 30, 2010 231


MidAmerican Energy Company Yes MidAmerican Energy Company agrees with the proposed revisions to the implementation plan but would like to suggest an 18 month compliance deadline regardless of whether the responsible entity has previously identified CCAs. MidAmerican Energy Company believes a uniform 18 month deadline would reduce confusion among responsible entities and provide a simplified method of compliance for CIP-002-4 going forward.

Response:

Thank you for your comment. Because FERC has already approved this plan, and due to the limited scope, the SDT is only making conforming changes at this time. The SDT believes the shorter timeframe for entities having Critical Cyber Assets in version 3 reflects the organizational knowledge and expertise in implementing the cyber security requirements. Also, all entities have 24 months from regulatory approval to implement the requirements of the CIP Cyber Security Standards.


No See answer to item 5 above

Response:


Hydro One Networks Inc. Yes

Dynegy Inc. No See previous comments to Question 5.

Response:


Matrikon Inc.


CenterPoint Energy Yes

LCEC Yes


November 30, 2010 232


Xcel Energy

Great River Energy No Our rationale is the same for CCAs as it is for CAs. See comment for question 5 above.

Response:


ITC Holdings Yes


Yes

TransAlta

Exelon Yes

AECI No In some cases there could be a significant outlay of financial and staff resources and current budgets are not going to allow start of implementation of a project until the following year. Therefore, it should be 12 months to identify Critical Assets and 36 months to complete implementing CIPs 003-009. This will provide entities enough time to request financing and the additional staffing that may be required to perform the new requirements of the CIP standards.

Response:




Response:


November 30, 2010 233





Response:



No Comments: : In some cases there could be a significant outlay of financial and staff resources and current budgets are not going to allow start of implementation of a project until the following year. Therefore, it should be 12 months to identify Critical Assets and 36 months to complete implementing CIPs 003-009. This will provide entities enough time to request financing and the additional staffing that may be required to perform the new requirements of the CIP standards.

Response:




Response:

Thank you for your comments. The SDT believes there is precedent showing this implementation period is reasonable. The Responsible Entity has a minimum of 2 years to become compliant with new Critical Cyber Assets. This period is consistent with the implementation plan for version 1 of the CIP Cyber Security


November 30, 2010 234


Standards and the implementation plan for Registered Entities identifying their first Critical Cyber Asset.


Yes



Response:


KAMO Power No In some cases there could be a significant outlay of financial and staff resources and current budgets are not going to allow start of implementation of a project until the following year. Therefore, it should be 12 months to identify Critical Assets and 36 months to complete implementing CIPs 003-009. This will provide entities enough time to request financing and the additional staffing that may be required to perform the new requirements of the CIP standards.

Response:


United Illumiinating No Although the proposed revisions to the implementation plan for newly identified CCAs and Responsible Entities reflect historical precedent in terms of FERC approval, we believe that with the exception of nuclear facilities discussed , it would be better to simply have a uniform18 month implementation deadline for newly identified CCAs and Responsible Entities, rather than different timelines for different requirements.

Response:

Thank you for your comment. Because FERC has already approved this plan, and due to the limited scope, the SDT is only making conforming changes at this time. The SDT believes the shorter timeframe for entities having Critical Cyber Assets in version 3 reflects the organizational knowledge and expertise in


November 30, 2010 235


implementing the cyber security requirements. Also, all entities have 24 months from regulatory approval to implement the requirements of the CIP Cyber Security Standards.


No I would suggest that it should not be assumed that an entity with an existing CIP program would require a shorter implementation period than an entity without existing Critical Cyber Asset. The period should be the same at 24 months.

Response:

Thank you for your comment. In the general case, a Responsible Entity has at least 6 months to comply with CIP-002-4 and 18 additional months to comply with CIP-003-4 through CIP-009-4. The SDT believes the additional specification is appropriate to provide Responsible Entities reasonable time to comply in the respective scenarios.



Response:


KAMO Electric Cooperative No In some cases there could be a significant outlay of financial and staff resources and current budgets are not going to allow start of implementation of a project until the following year. Therefore, it should be 12 months to identify Critical Assets and 36 months to complete implementing CIPs 003-009. This will provide entities enough time to request financing and the additional staffing that may be required to perform the new requirements of the CIP standards.

Response:



November 30, 2010 236




Response:




Response:



Yes



Response:

Thank you for your comments. The SDT believes there is precedent showing this implementation period is reasonable. The Responsible Entity has a minimum of 2 years to become compliant with new Critical Cyber Assets. This period is consistent with the implementation plan for version 1 of the CIP Cyber Security


November 30, 2010 237


Standards and the implementation plan for Registered Entities identifying their first Critical Cyber Asset.

SDG&E Yes

Central Lincoln No Central Lincoln supports the APPA Comments:

APPA’s review of the associated Implementation Plan for CIP-002-4 has identified a potential inconsistency between the Implementation Plan and the Reliability Standard. The Reliability Standard clearly provides that updates to the Critical Asset list will be made at the time of the annual review. However, the Implementation Plan is not as clear.

We would request modification to the Implementation Plan such that it reflects the intent of the Reliability Standard. The Implementation Plan does not adequately address when a “New Asset” that does meet the CIP-002-4 criteria for being a Critical Asset after its commissioning will need to be in compliance. APPA believes that the intent of the Reliability Standard indicates that the post-commissioned New Asset will become a Newly Identified Critical Asset upon the subsequent Annual Review and only at the time of this Annual Review. Further that the timeline associated with this Newly Identified Critical Asset starts with the date of the Annual Review.

Additional Central Lincoln Comments:

Central Lincoln notes that the APPA comment regarding commissioning new equipment is not the only path to new CCAs, since an existing cyber asset may become critical due to other system changes. Immediate non-compliance with all CIP requirements and resulting enforcement action is not a way to encourage compliance.

Response:


An existing cyber asset becoming critical due to other system changes would be a Category 2 Scenario if (i) the system change was not planned and (ii) the entity has an existing CIP Cyber Security program. If the system change were planned and implemented by the entity, then the Critical Cyber Asset implementation is part of the planning process.




November 30, 2010 238


Response:



No See answer to Question 5.

Response:

Thank you for your comments. Please refer to response to question 5.

Tampa Electric Yes

M&A Electric Power Cooperative No In some cases there could be a significant outlay of financial and staff resources and current budgets are not going to allow start of implementation of a project until the following year. Therefore, it should be 12 months to identify Critical Assets and 36 months to complete implementing CIPs 003-009. This will provide entities enough time to request financing and the additional staffing that may be required to perform the new requirements of the CIP standards.

Response:


MEAG Power No MEAG supports the APPA’s comments submitted to the NERC CIP standard drafting team.

Response:



No In some cases there could be a significant outlay of financial and staff resources and current budgets are not going to allow start of implementation of a project until the following year. Therefore, it should be 12 months to identify Critical Assets and 36 months to complete implementing CIPs 003-009. This will provide entities enough time to request financing and the additional staffing that may be required to perform the new


November 30, 2010 239


requirements of the CIP standards.

Response:




Response:


FirstEnergy Corp No See our Question 5 response.

Response:


Minnesota Power Yes

Manitoba Hydro No Suggest changing wording in the first sentence of the fifth paragraph of page 1 “...application of the Critical Asset identification...” to “ ... application of Critical Asset Criteria for the identification of Critical Assets...”.

Response:

Thank you for your comment. The SDT agrees to make that conforming change.


No Support EEI’s comment. Although the proposed revisions to the implementation plan for newly identified CCAs and Responsible Entities reflect historical precedent in terms of FERC approval, we believe that, with the exception of nuclear facilities, it would be better to simply have a uniform18 month implementation


November 30, 2010 240


deadline for newly identified CCAs and Responsible Entities, rather than different timelines for different requirements.

Response:


Ameren No This schedule is too aggressive and is also very confusing. In this regard, we suggest the following: The time frame for Entities to be compliant for Category 2 should be changed to 18 months for all periods instead of 6, 12, or 18 months. This would match the 18 month proposed period for the Version 4 implementation schedule which gives every requirement other than CIP-002 18 months instead of different time periods. This will also prevent requirements that are dependent on actions in other requirements to not have different time periods to be compliant, for example CIP-005 R1.5 and CIP-006 R2.2. Another example is CIP-004-4 R1 where an Entity will not know who needs on-going reinforcement in sound security practices if the Entity has not established a list of who has authorized cyber or physical access per the CIP-004-4 R4 requirement.

Should the Category 1 Milestone and Category 2 Milestone for CIP-003-4 R2 match to be either N/A or existing?

Response:

Thank you for your comments. The SDT believes the timeframes for Category 2 Critical Cyber Assets are appropriate given the preexisting cyber security program. Thank you for your comment. Because FERC has already approved this plan, and due to the limited scope, the SDT is only making conforming changes at this time. The SDT believes the shorter timeframe for entities having Critical Cyber Assets in version 3 reflects the organizational knowledge and expertise in implementing the cyber security requirements. Also, all entities have 24 months from regulatory approval to implement the requirements of the CIP Cyber Security Standards.

BGE No See specific comments below:- Terms “Responsible Entity and Responsibility Entity” are capitalized and is not defined throughout the Implementation Plan. If these are NERC terms, please put their definition in the NERC Glossary of Terms

- BGE believes that the difference in time in Milestone Category 1 and Milestone Category 2 in Table 2 should not exist as the implementation of developing an Electronic Security Perimeter and protecting new CCAs is equally as challenging for a company who already has CCAs that are protected.

- Time line given should be clearly labeled that it is ONLY if the FERC approves the standard in the first


November 30, 2010 241


quarter 2011.

- Remove the words EXAMPLE and SAMPLE to describe the Scenarios, in the table and in the text. Perhaps a statement that this list of scenarios is not “ALL INCLUSIVE” would be correct in this situation.

- Does the “Compliant upon Commissioning” make sense for new Cyber Assets never before in service?

- Is Scenario is used in the text and the table to mean different things. Please clarify.

Response:

Thank you for your comments. The term “Responsibility Entity” has been corrected. While “Responsible Entity” is not a NERC Glossary term, it is acceptable to use the term in the Implementation Plan corresponding to the applicable standard.

Because FERC has already approved this plan, and due to the limited scope, the SDT is only making conforming changes at this time. The SDT believes an entity that does not have existing CCAs must go through significantly more internal process changes and technical training than would an entity that already has an existing CIP Cyber Security Program.

Your suggested modifications to the guideline have been incorporated.

The SDT believes “Compliant upon Commissioning” makes sense for a new Cyber Asset which becomes a Critical Cyber Asset for an entity who has an existing CIP Cyber Security Program.

The implementation plan references scenarios for both newly registered entities and newly identified Critical Cyber Assets. The scenarios referenced in Table 1 of this document refer to Critical Cyber Assets.


No Without knowing the outcome of CIP-005-4, we cannot support the implementation plan.

Response:


We Energies No We believe that it would be better to simply have a uniform 18 month implementation deadline for newly identified CCAs rather than have different timelines for different requirements. This will simplify reporting and streamline efforts to become fully compliant. We understand that nuclear timelines are subject to NRC requirements and the necessity of accomplishing some tasks only during refueling outages appropriately dictates a separate schedule for them.


November 30, 2010 242


Response:


City Utilities of Springfield, MO No SPRM agrees with the comments from the APPA Task Force.

Response:


National Grid Yes


Response:



No Remove all references to the term "Auditably Compliant (AC)". FERC has held that the requirements are auditable and enforceable as of the Compliant (C) milestone date. The auditors are aware of the nuances of required data retention and other time-specific requirements and will seek evidence of compliance appropriately. The idea that entities have an entire year after the Compliant milestone date to actually become compliant has caused considerable issues with previous versions of the standard.

Response:

Thank you for your comments. The SDT agrees that Auditably Compliant is no longer relevant to version 4 of the CIP Cyber Security Standards and references have been removed.


Constellation Power Generation No Constellation Power Generation believes that 18 months to implement these requirements is not enough time. Based on the number of self reports and compliance issues regarding the CIP standards, it is evident that not enough time was given to entities in the implementation phase. Therefore, Constellation Power Generation


November 30, 2010 243


suggests that the SDT extend the implementation time to 24 months.

Response:



Yes

American Electric Power (AEP) Yes AEP suggests a less complex approach if possible.

Response:



Oglethorpe Power Corporation Yes


Midwest ISO No Many sections of the new identified CCAs and responsible entities still reflect the former risk-based assessment methodology. For example, in the Implementation Milestone Categories on page 4, there is a discussion regarding a change in power flows causing non-critical assets to become Critical Assets. Under the new criteria, there is no evaluation of power flows. A better example would be referencing criterion 1.3 in CIP-002-4 Attachment 1

- “When a PC or TP newly identifies a generation Facility that is required for reliability purposes.” In the section discussing mergers, there is discussion of how to combine Critical Asset identification processes. Again, this was written assuming entities needed to combine their risk-based assessment methodologies and resolve any differences. There is no need for discussion of combining these processes with bright line criteria. The paragraph from the merger section in 3 (a) that begins with “Registered Entities are encouraged when combining separate risk-based Critical Asset identification processes...” should be removed since there should be no reduction in Critical Assets from a merger with bright line criteria.For Table 3, how do we know which column applies? Is it based on category 1 and category 2 as shown in Table 2 and described in the


November 30, 2010 244


Implementation Milestone Categories and Schedules? If so, then column headings should be added to Table 3 to clarify.

Response:

The SDT agrees the text you reference still reflects the risk-based assessment methodology and have made those conforming changes.

Table 3 only applies to entities registered after the CIP-002-4 Effective Date. The column headings reflect 12 months and 24 months respectively after the date of registration.

Duke Energy No The implementation plan for newly identified Critical Cyber Assets is confusing. It appears that Critical Cyber Assets which are newly identified during the first 18 months following the Effective Date of CIP-002-4 must be compliant 18 months following the Effective Date of CIP-002-4 (or 6 months following refueling for items requiring a refueling outage to complete). However, if an entity identified a new Critical Cyber Asset near the end of the 18 month period, there might not be enough time left to achieve compliance. To allow for this possibility, the implementation plan for Critical Cyber Assets identified following the Effective Date of CIP-002-4 should require compliance at the latter of 18 months following the Effective Date of CIP-002-4, or the applicable Category 2 milestone date.

Response:



No See response to 5 above.

Response:


Progress Energy Yes

Orlando Utilities Commission



November 30, 2010 245


Cowlitz County PUD Yes


Kansas City Power & Light No The Implementation Plan does not adequately address when a “New Asset” that does meet the CIP-002-4 criteria for being a Critical Asset after its commissioning will need to be in compliance. APPA believes that the intent of the Reliability Standard indicates that the post-commissioned New Asset will become a Newly Identified Critical Asset upon the subsequent Annual Review and only at the time of this Annual Review. Further that the timeline associated with this Newly Identified Critical Asset starts with the date of the Annual Review.

Response:


END OF REPORT

consideration of comments on 1st draft of sar to revise cyber … · 2010. 11. 30. ·...

Documents