
Low-Impact Requirements: Counting Down to Enforcement of CIP-003-6


Sept. 1, 2017, marked the start of the one-year countdown to enforcement of the CIP-003-6 low-impact requirements covering Physical Security Controls and Electronic Access Controls. A full year might seem like a long time, but meeting that deadline could still be a challenge for some entities.

Existing physical access controls have, for the most part, already met the Standard's requirements; what remained was documenting those controls. Implementing Electronic Access Controls has proved to be more of a challenge, especially for entities with existing routable communications. In many cases that routable connectivity has been in place for years and was built with routers whose job was to deliver traffic into the facility, not to filter it.

With CIP-003-6, and the updated CIP-003-7 Electronic Access Controls submitted for Federal Energy Regulatory Commission (FERC) approval, documentation will be required to track the inbound and outbound communications the Responsible Entity “deems necessary.” Many questions have been raised about what that documentation must contain, the most common being, “Isn’t the Access Control List sufficient documentation?” The answer is a resounding no: an ACL records which communications are permitted, not why they are necessary.

Regional Entities have indicated they are looking for documentation similar to what is expected for CIP-005-5, Requirement R1, Part 1.3: a technical and operational justification for each allowed communication. The technical information (protocols, ports, endpoints) has, for the most part, been easy to determine; the operational information, which function each communication serves, has been more of a challenge. Packet-capture tools such as Wireshark can collect the traffic needed to work out that operational purpose, and in many cases they also reveal communication that should not be allowed at all.
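As an added illustration (not part of the original post, and not a tool the author describes), the Python script below shows how a capture exported with tshark, Wireshark's command-line companion, can be reduced to the inbound/outbound inventory that the justification documentation needs, and how observed flows that lack a documented technical and operational justification are flagged. The asset subnet, peer addresses, ports, frame lines and justification text are all constructed for this example.

```python
"""
Build an inbound/outbound communications inventory for a low-impact asset from
captured traffic and compare it with the documented "deemed necessary" list.

Hypothetical example: the network, hosts, ports and justifications below are
constructed and do not describe any real facility.
"""
import ipaddress
from collections import Counter

# Constructed: the routable network inside the asset's electronic boundary.
ASSET_NET = ipaddress.ip_network("10.10.20.0/24")

# Constructed sample of tshark field output. In practice it would come from:
#   tshark -r capture.pcap \
#     -Y "(tcp.flags.syn==1 && tcp.flags.ack==0) || udp" \
#     -T fields -e ip.src -e ip.dst -e _ws.col.Protocol -e tcp.dstport -e udp.dstport
# The SYN-only filter keeps TCP session initiators, so direction reflects who
# opened the connection. Fields are tab separated; one port column is empty.
SAMPLE_CAPTURE = "\n".join([
    "192.168.50.10\t10.10.20.5\tDNP3\t20000\t",
    "192.168.50.10\t10.10.20.5\tDNP3\t20000\t",
    "10.10.20.7\t192.168.50.20\tNTP\t\t123",
    "192.168.50.33\t10.10.20.5\tTELNET\t23\t",
    "10.10.20.5\t203.0.113.8\tHTTP\t80\t",
])

# Constructed: the documented allowed communications, each carrying the
# technical and operational justification that an ACL entry alone lacks.
DOCUMENTED = [
    {"direction": "inbound", "port": 20000, "peer": "192.168.50.10",
     "technical": "TCP/20000 DNP3 polls from the control-center front-end processor",
     "operational": "SCADA telemetry and supervisory control of the RTU"},
    {"direction": "outbound", "port": 123, "peer": "192.168.50.20",
     "technical": "UDP/123 to the corporate stratum-2 time server",
     "operational": "Time synchronization for event and sequence-of-events logs"},
]


def parse_capture(text):
    """Return Counter of (direction, protocol, dst_port, external_peer) -> frames.

    Only traffic crossing the asset boundary is counted; frames entirely inside
    or entirely outside ASSET_NET are not routable boundary communications.
    """
    flows = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, tcp_port, udp_port = line.split("\t")
        port = int(tcp_port or udp_port or 0)  # 0 for non-TCP/UDP frames such as ICMP
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in ASSET_NET and dst_ip not in ASSET_NET:
            flows[("outbound", proto, port, dst)] += 1
        elif dst_ip in ASSET_NET and src_ip not in ASSET_NET:
            flows[("inbound", proto, port, src)] += 1
    return flows


def undocumented_flows(flows, documented):
    """Observed boundary flows with no matching documented justification.

    Matching is on direction, destination port and external peer; the protocol
    label is Wireshark's dissector guess and is reported but not matched on.
    """
    allowed = {(d["direction"], d["port"], d["peer"]) for d in documented}
    return sorted(
        (key, count) for key, count in flows.items()
        if (key[0], key[2], key[3]) not in allowed
    )


if __name__ == "__main__":
    observed = parse_capture(SAMPLE_CAPTURE)
    print("Observed boundary communications:")
    for (direction, proto, port, peer), count in sorted(observed.items()):
        print(f"  {direction:8} {proto:7} port {port:<5} peer {peer:15} frames={count}")
    print("\nObserved but not documented as necessary (candidates to block or justify):")
    for (direction, proto, port, peer), count in undocumented_flows(observed, DOCUMENTED):
        print(f"  {direction} {proto} port {port} peer {peer} ({count} frames)")
```

Running the script lists the DNP3 and NTP flows as covered and flags the inbound Telnet and outbound HTTP flows, which is exactly the kind of traffic a capture tends to surface: either it needs a written justification added to the documentation, or the ACL needs tightening to remove it.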

Failure to provide this documentation to the Regional Entity leaves a Responsible Entity in a position that may not satisfy the requirements, resulting at a minimum in an Area of Concern and, at most, in a Potential Violation.


Written by Jerome Farquharson
