
Low-Impact Requirements: Counting Down to Enforcement of CIP-003-6


Sept. 1, 2017, marked the start of the one-year countdown to enforcement of the CIP-003-6 low-impact requirements covering Physical Security Controls and Electronic Access Controls. While an entire year might seem like a long time, meeting that deadline still could be a challenge for some.

Existing physical access controls have, for the most part, already met the Standard's Requirements, requiring only that those controls be documented. Meanwhile, implementing Electronic Access Controls has proved more of a challenge, especially for entities with existing routable communications. In many cases, these routable connections have been in place for years and were originally managed with router technology for the express purpose of routing traffic into the facility, with no focus on filtering what was allowed through.

With CIP-003-6 and the updated CIP-003-7 Electronic Access Controls submitted for Federal Energy Regulatory Commission (FERC) approval, documentation will be required to track the inbound and outbound communications the Responsible Entity “deems necessary.” For that documentation, there have been many questions on what is required, with the most common question being, “Isn’t the Access Control List sufficient documentation?” The answer is a resounding no.

Regional Entities have indicated they are looking for documentation similar to what is expected for CIP-005-5, Requirement R1, Part 1.3: a technical and operational justification for each allowed communication. The technical information (which endpoints, protocols and ports are in use) has been, for the most part, easy to determine; the operational information (why the communication is needed) has been more of a challenge. Packet capture tools such as Wireshark can collect the traffic data needed to establish that operational justification and, in many cases, can also reveal communication that should not be allowed at all.
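To make the distinction concrete, the following is an added example, not code from the original post or from 1898 & Co. It takes a constructed conversation summary of the kind Wireshark can export, checks it against a constructed "deemed necessary" register in which each entry carries both a technical and an operational justification, and reports three things an auditor would ask about: observed traffic with no register entry, register entries whose operational justification is blank, and an evidence table showing whether each permitted communication was actually observed. The asset network, addresses, ports and justifications are all assumptions for illustration.

```python
"""
Added example (not from the original post): cross-check traffic observed at a
low impact asset's electronic access point against the entity's documented
"deemed necessary" communications, each carrying a technical and an
operational justification. All network values and justifications are constructed.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Assumption: this /24 is the low impact BES Cyber System network behind the access point.
ASSET_NET = ipaddress.ip_network("192.168.50.0/24")


@dataclass(frozen=True)
class AllowedCommunication:
    direction: str          # "inbound" or "outbound" relative to ASSET_NET
    src: str
    dst: str
    proto: str
    port: int               # destination port
    technical: str          # what the traffic is (protocol, endpoints)
    operational: str        # why the entity needs it; blank means not yet documented


# Constructed "deemed necessary" register. The third entry has a technical but
# no operational justification, the gap the post says is hardest to fill.
ALLOWED = [
    AllowedCommunication("inbound", "10.20.0.15", "192.168.50.10", "tcp", 20000,
                         "DNP3 polls from EMS front-end processor",
                         "Real-time telemetry and control of substation breakers"),
    AllowedCommunication("outbound", "192.168.50.10", "10.20.0.15", "tcp", 20000,
                         "DNP3 responses and unsolicited reports to EMS",
                         "Real-time telemetry and control of substation breakers"),
    AllowedCommunication("inbound", "10.20.0.40", "192.168.50.10", "tcp", 22,
                         "SSH from engineering jump host to RTU", ""),
]

# Constructed capture summary in the shape of a conversation export
# (for example one saved from Wireshark); not real traffic.
CAPTURE_CSV = """src,dst,proto,dport
10.20.0.15,192.168.50.10,tcp,20000
192.168.50.10,10.20.0.15,tcp,20000
10.20.0.40,192.168.50.10,tcp,22
10.20.0.99,192.168.50.10,tcp,445
192.168.50.10,8.8.8.8,udp,53
"""


def direction_of(src: str) -> str:
    """Classify a flow relative to the asset network."""
    return "outbound" if ipaddress.ip_address(src) in ASSET_NET else "inbound"


def parse_capture(text: str):
    """Turn a conversation export into (direction, src, dst, proto, port) tuples."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append((direction_of(row["src"]), row["src"], row["dst"],
                      row["proto"].lower(), int(row["dport"])))
    return flows


def _key(entry: AllowedCommunication):
    return (entry.direction, entry.src, entry.dst, entry.proto, entry.port)


def undocumented_flows(flows, allowed=ALLOWED):
    """Observed flows with no register entry: either the ACL is wider than the
    documentation, or the traffic should not be allowed at all."""
    documented = {_key(e) for e in allowed}
    return [f for f in flows if f not in documented]


def incomplete_entries(allowed=ALLOWED):
    """Register entries lacking the operational justification auditors expect."""
    return [e for e in allowed if not e.operational.strip()]


def evidence_register(flows, allowed=ALLOWED):
    """Rows for the evidence package: each permitted communication with both
    justifications and whether the capture actually observed it."""
    seen = set(flows)
    return [{"direction": e.direction, "src": e.src, "dst": e.dst,
             "proto": e.proto, "port": e.port,
             "technical": e.technical, "operational": e.operational,
             "observed": _key(e) in seen} for e in allowed]


if __name__ == "__main__":
    flows = parse_capture(CAPTURE_CSV)
    for f in undocumented_flows(flows):
        print("UNDOCUMENTED:", f)
    for e in incomplete_entries():
        print("MISSING OPERATIONAL JUSTIFICATION:", e.src, "->", e.dst, e.proto, e.port)
    for row in evidence_register(flows):
        print(row)
```

Run as-is, the script flags the SMB and DNS conversations as undocumented and the SSH entry as lacking an operational reason. The point of the register rows is the difference from an ACL: a rule that permits traffic says nothing about why, and an entry the capture never observes is a candidate for removal rather than justification.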

Failure to provide the necessary documentation to the Regional Entities leaves Responsible Entities at risk of not satisfying the requirements. The result could be, at a minimum, an Area of Concern and, at worst, a Potential Violation.

Written by Jerome Farquharson
Jerome Farquharson is senior managing director of critical infrastructure cybersecurity, risk and reliability at 1898 & Co., part of Burns & McDonnell. He is an innovative technology executive and consultant with an entrepreneurial approach and a multidisciplinary background encompassing highly complex areas such as cybersecurity, physical security, infrastructure protection, regulatory compliance, strategic business advising and information systems management. He earned his Bachelor of Science and Master of Science degrees in computer science from Clark Atlanta University.
