There are a lot of changes coming from NERC (and FERC).
There are new requirements – for example, tightened security requirements for remote access into critical networks (electronic communication into an ESP from outside the ESP) are now part of the NERC CIP standards.
The standards are organized more effectively, with much of what used to be jokingly referred to as “spaghetti standards” getting a significant, and much needed, overhaul.
Other compliance/security frameworks like NIST (National Institute of Standards and Technology) have been scrutinized to help chart the strongest reliability course for NERC CIP. This has resulted in a mindset shift being put into play, moving NERC compliance from an after-the-fact evidentiary focus to a continuous state of audit readiness. This is perhaps best captured in the RAI (Reliability Assurance Initiative) that has now become an important part of the NERC CIP standards.
Fines are likely to be affected, with greater tolerance granted to those who are proactively detecting and resolving issues compared to less tolerance for those who don’t.
Perhaps the biggest change in CIP Version 5 is the RBAM (Role Based Assessment Methodology, not Risk-Based Assessment Methodology like in version 3).
The CIP Version 5 RBAM yields impact ratings of High, Medium and Low where version 3 only rated assets as Critical or Non-Critical. As a general rule, the assets that were evaluated under version 3 (both critical and non-critical) will now fit into one of the impact categories of High, Medium or Low under version 5.
So CIP Version 5 is not an “E.L.E” (Extinction Level Event) like the meteor in the movie Deep Impact but it is a significant change that will affect the majority of Utilities in North America.
However, the most challenging part of CIP version 5 is the Low Impact category because it applies to a lot of assets, and people, that have not dealt with the CIP standards before.
Did you miss our other blog articles about CIP Version 5?
- Webinar: NERC CIP Version 5 Low Impact Rating – February 5th
- CIP Version 5 Approved – What’s Next
- Looking Ahead with SigmaFlow – Simplifying CIP Version 5 Compliance
- CIP Version 5 – Impact Confusion
- CIP Version 5 – Are You Ready for CIP?
For even more insight on CIP Version 5, check out the video recording of the NERC CIP Version 5 Low Impact Rating Webinar which took place on February 5th.