CIP Version 5
CIP V5 is the latest approved Version of the CIP standards, and it will become effective on April 1, 2016. Version 5 provides increased security measures to help protect and secure the Bulk Electric System (BES). The most significant change is the tiered impact rating for Bulk Electric Systems into High, Medium, and Low categories. These classifications mean that all Cyber Assets that could impact the BES will be in scope to receive some level of enhanced security measures. Other improvements include additional Standards that replace some of the complicated and intertwined Standards found in Version 3, redefined Requirements that make Compliance efforts simpler to implement and track, and increased flexibility in areas such as grouping BES Cyber Systems, along with a reduction of Technical Feasibility Exceptions (TFEs). There is also a noted shift in focus to Risk. Internal Controls that entities put in place to help reduce risk exposure will receive strong emphasis, and security approaches will be assessed, rather than Audit and Enforcement focusing only on Compliance with the Standard language.
Physical Security (CIP-014)
A new Standard, CIP-014, has been approved and will become effective over a staggered implementation time frame that spans the next two years. CIP-014 deals specifically with the physical security of transmission substations. It specifies the activities that must occur to assess the existing security posture and vulnerabilities, and to plan higher security measures that guard against a physical attack. The substation owner must conduct an internal risk assessment of each substation and create plans to mitigate the identified vulnerabilities. The evaluation and proposed security plan must then be reviewed and corroborated by an independent and unaffiliated third party.