
Low-Impact Requirements: Counting Down to Enforcement of CIP-003-6


Sept. 1, 2017, marked the start of the one-year countdown to enforcement of the CIP-003-6 low-impact requirements covering Physical Security Controls and Electronic Access Controls. While an entire year might seem like a long time, meeting that deadline still could be a challenge for some.

Existing physical access controls have, for the most part, met the Standard's requirements, needing only the creation of documentation for those controls. Meanwhile, the implementation of Electronic Access Controls has proved to be more of a challenge, especially for entities with existing routable communications. In many cases, these routable communications have been in place for years and were originally managed using router technology for the express purpose of routing traffic into the facility, without a focus on enhanced filtering.

With CIP-003-6 and the updated CIP-003-7 Electronic Access Controls submitted for Federal Energy Regulatory Commission (FERC) approval, documentation will be required to track the inbound and outbound communications the Responsible Entity “deems necessary.” For that documentation, there have been many questions on what is required, with the most common question being, “Isn’t the Access Control List sufficient documentation?” The answer is a resounding no.

Regional Entities have indicated they are looking for documentation similar to what is expected for CIP-005-5, Requirement R1, Part 1.3 — technical and operational justification for the allowed communications. The technical information has been, for the most part, easy to determine; the operational information has been more of a challenge. Several tools, such as Wireshark, can collect the traffic information needed to establish the operational justification and, in many cases, can also identify communication traffic that should not be allowed.
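The following is an added illustration, not part of the original post, of why an Access Control List alone falls short: each permitted communication is paired with a technical and an operational justification, and observed conversations (as exported from Wireshark) are checked against that documented list. The rule and flow data are constructed, and the field names are assumptions rather than any Regional Entity's prescribed format.

```python
"""Cross-check documented low-impact electronic access permissions against
observed traffic.  All data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    direction: str    # "inbound" or "outbound" relative to the low-impact asset
    proto: str        # "tcp" or "udp"
    port: int
    technical: str    # technical justification (protocol / function)
    operational: str  # operational justification (why the business needs it)


@dataclass(frozen=True)
class Flow:
    direction: str
    proto: str
    port: int
    packets: int


# Constructed ACL documentation: the Telnet entry has only a technical note.
PERMISSIONS = [
    Permission("inbound", "tcp", 20000, "DNP3 to the RTU", "SCADA polling by the control center"),
    Permission("outbound", "udp", 123, "NTP time sync", "Required for event time stamping"),
    Permission("inbound", "tcp", 23, "Telnet to switch", ""),
]

# Constructed observations, as from Wireshark Statistics > Conversations.
FLOWS = [
    Flow("inbound", "tcp", 20000, 4120),
    Flow("outbound", "udp", 123, 96),
    Flow("inbound", "tcp", 445, 37),  # SMB: appears in traffic, not in the documentation
]


def incomplete_justifications(perms):
    """Permitted communications missing the technical or operational justification."""
    return [p for p in perms if not (p.technical.strip() and p.operational.strip())]


def undocumented_flows(perms, flows):
    """Observed conversations not covered by any documented permission."""
    allowed = {(p.direction, p.proto, p.port) for p in perms}
    return [f for f in flows if (f.direction, f.proto, f.port) not in allowed]


if __name__ == "__main__":
    for p in incomplete_justifications(PERMISSIONS):
        print(f"justification incomplete: {p.direction} {p.proto}/{p.port} ({p.technical})")
    for f in undocumented_flows(PERMISSIONS, FLOWS):
        print(f"observed but undocumented: {f.direction} {f.proto}/{f.port}, {f.packets} packets")
```

The first report is the gap between an ACL and the justification documentation the text describes; the second is the "traffic that should not be allowed" that a capture can surface.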

Failure to provide the necessary documentation to the Regional Entities puts Responsible Entities in a position that may not satisfy the requirements. This could result in a minimum of an Area of Concern and, at the most, a Potential Violation.


Written by Jerome Farquharson
Jerome Farquharson is the regional practice manager for the Burns & McDonnell Compliance & Critical Information Protection Group. The group provides regulatory risk management services, including NERC and FERC compliance, to generation and transmission and distribution entities.
