April 2017 Standard Changes
The more than 20 reliability standard changes scheduled for April 2017 were topics of last year's Fall Compliance Seminar. Quick Links at the bottom of this page offers easy access to the seminar's presentations and the Standards Subject to Future Enforcement page on the NERC website.
CIP Version 5
CIP Version 5 is the latest approved version of the CIP standards, which will become effective on April 1, 2016. Version 5 provides increased security measures to help protect and secure the Bulk Electric System (BES). The most significant change is the tiered BES impact rating, with high, medium, and low categories. These classifications mean that all Cyber Assets that could impact the BES will be in scope to receive some level of enhanced security measures. Other improvements include additional Standards to eliminate some complicated and intertwined Standards found in Version 3, redefined Requirements to make compliance efforts simpler to implement and track, and increased flexibility with such things as grouping BES cyber systems and a reduction of Technical Feasibility Exceptions. There is also a noted shift in focus to risk. Internal controls by the registered entities that may help reduce risk exposure will receive a strong emphasis, and security approaches will be assessed, instead of audit and enforcement focusing only on compliance with the Standard language.
Physical Security (CIP-014)
A new NERC Reliability Standard, CIP-014, has been approved and will become effective over a staggered implementation time frame that spans the next two years. CIP-014 deals specifically with the physical security of transmission substations and specifies activities that must occur in order to assess the existing security posture and vulnerabilities. CIP-014 aims to provide higher security measures to guard against a physical attack. The substation owner must conduct an internal risk assessment of each substation and create plans to mitigate the identified vulnerabilities. The evaluation and proposed security plan must then be reviewed and corroborated by an independent and unaffiliated third party.