FERC Approves Deferment of 3 CIP standards

Just a couple of weeks back I posted to The State of Security an article titled “Finally Some Good News: NERC Proposes Deferment of 3 CIP standards,” and, as suspected, the Federal Energy Regulatory Commission (FERC) approved the extension officially on April, 17^th with this order. Having approved NERC’s petition submitted on April 6^th, FERC officially pushes back the original July 1, 2020 implementation deadline for CIP-005-6, CIP-010-3, and CIP-013-1 until October 1, 2020, giving registered entities an additional 3 months. FERC cited safety and reliability of the grid as the primary reasons for approving the petition, stemming from the impacts of the pandemic.

What did FERC state in their order?

In the order, FERC does imply that utilities should have already taken steps to properly implement the new and revised requirements, stating:

“The Reliability Standards that are the subject of this order are important for ensuring the security and reliability of the grid. We recognize that registered entities have likely already taken significant steps to ensure the effective and timely implementation of these Reliability Standards, and we encourage them to continue doing so.”

The order goes on to imply that entities should use this extension to ensure that their efforts to implement the new standards are fully compliant at the time they become enforceable.

Protest filed by the public

The public can file a response to any NERC filing and four responses - three in support and one in protest - were filed. The one in protest, according to the order, was filed late by an organization called “Protect Our Power,” who according to their website is an organization “[…] comprised of experts from industry, the physical and cyber defense communities as well as finance and government. The nonpartisan advisory panel has a single focus of strengthening the nation’s electrical power grid.” The organization’s response proposed a shorter extension of CIP-013 due to the “critical nature of the utility industry supply chain and that many or most utilities may already be prepared to comply by the current July 1 deadline.” Thinking back to my time spent implementing the v5 standards at a utility, I certainly appreciated the unprecedented delay then, and there was definitely no pandemic adversely impacting my team’s productivity to compete with.

What's next?

So now that FERC has blessed the extension, I’ll re-post my list of ideas on how to spend all your newly acquired free time.

1. Implement the new Tripwire Enterprise Ransomware Protection Rules, details can be found here.
2. Brush up on your policies and procedures that cover the CIP Exceptional Circumstances, you know, just in case. Here’s a quick refresher on the subject from the NERC Glossary of terms:

“A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability.”

3. Check out the Tripwire Private Energy Group on the Tripwire Forums. Email us here if you’d like to request access (must be a Tripwire electric utility customer).
4. Check out Travis Smith’s series on the MITRE ATT&CK Framework and follow that up with a short read on the new Industrial Control Systems MITRE ATT&CK Framework.
5. Exercise your CIP-008 Incident Response Plan. What better time than when there’s not an actual incident occurring? Don’t forget to take credit for your exercise by documenting the 15 month test requirement identified in CIP-008- R2.1.
6. Lastly, make sure your backups are working, and test a restore. Also, like the item above, don’t forget to take credit for CIP-009-5 requirement 2.1 to test recovery plans at least once every 15 calendar months.