Low-Impact Requirements: Counting Down to Enforcement of CIP-003-6

Sept. 1, 2017, marked the start of the one-year countdown to enforcement of the CIP-003-6 low-impact requirements covering Physical Security Controls and Electronic Access Controls. While an entire year might seem like a long time, meeting that deadline could still be a challenge for some entities.

Existing physical access controls have, for the most part, met the Standard's requirements, requiring only that those controls be documented. Meanwhile, implementing Electronic Access Controls has proved to be more of a challenge, especially for entities with existing routable communications. In many cases, these routable communications have been in place for years and were originally managed with router technology for the express purpose of routing traffic into the facility, without any focus on enhanced filtering.

With CIP-003-6 and the updated CIP-003-7 Electronic Access Controls submitted for Federal Energy Regulatory Commission (FERC) approval, documentation will be required to track the inbound and outbound communications the Responsible Entity “deems necessary.” There have been many questions about what that documentation must contain, the most common being, “Isn’t the Access Control List sufficient documentation?” The answer is a resounding no.

Regional Entities have indicated they are looking for documentation similar to what is expected for CIP-005-5, Requirement R1, Part 1.3 — technical and operational justification for each allowed communication. The technical information has been, for the most part, easy to determine; the operational information has been more of a challenge. Several tools, such as Wireshark, are available to collect the traffic data needed to establish the operational justification, and in many cases that data can also identify communication traffic that should not be allowed.
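To turn a capture into the per-flow justification described above, here is an added example (not from the original post or from Burns & McDonnell) that reads constructed tshark-style conversation records, decides direction relative to an assumed asset subnet, attaches the documented technical and operational justification where one exists, and lists the flows that have none:

```python
import ipaddress

# Constructed values (not from the post): the low-impact asset's subnet and
# conversation records in a tshark-like "src dst proto dst_port" layout.
ASSET_NET = ipaddress.ip_network("10.10.0.0/24")
SAMPLE_FLOWS = """\
10.20.1.5 10.10.0.12 tcp 20000
10.10.0.40 192.0.2.9 tcp 443
10.20.1.8 10.10.0.12 tcp 22
10.10.0.12 10.20.1.50 udp 123
"""
# Constructed allow-list; each entry carries the technical and operational
# justification the post says Regional Entities expect for CIP-003 evidence.
ALLOWED = [
    {"direction": "inbound", "proto": "tcp", "port": 20000,
     "technical": "DNP3 from control-center front-end processor",
     "operational": "SCADA polling of the substation RTU"},
    {"direction": "outbound", "proto": "udp", "port": 123,
     "technical": "NTP to corporate time server",
     "operational": "Clock sync needed for event-log time-stamping"},
]

def direction(src, dst):
    """'inbound'/'outbound' across the asset boundary, else 'internal'/'transit'."""
    s_in, d_in = (ipaddress.ip_address(a) in ASSET_NET for a in (src, dst))
    if s_in != d_in:
        return "outbound" if s_in else "inbound"
    return "internal" if s_in else "transit"

def parse_flows(text):
    """One 'src dst proto dst_port' record per non-empty line."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip()]
    return [{"src": s, "dst": d, "proto": p.lower(), "port": int(pt)}
            for s, d, p, pt in rows]

def review(flows, allowed):
    """Split boundary-crossing flows into documented and undocumented lists."""
    documented, undocumented = [], []
    for f in flows:
        d = direction(f["src"], f["dst"])
        if d not in ("inbound", "outbound"):
            continue  # internal or transit traffic is outside this check
        match = next((a for a in allowed if (a["direction"], a["proto"], a["port"])
                      == (d, f["proto"], f["port"])), None)
        if match is None:
            undocumented.append(dict(f, direction=d))  # justify or block
        else:
            documented.append(dict(f, direction=d, technical=match["technical"],
                                   operational=match["operational"]))
    return documented, undocumented
```

The documented list is the evidence table; every entry in the undocumented list either needs a justification added to the allow-list or should be filtered at the boundary.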

Failure to provide the necessary documentation to the Regional Entities puts Responsible Entities in a position that may not satisfy the requirements. This could result in a minimum of an Area of Concern and, at the most, a Potential Violation.

Written by Jerome Farquharson
Jerome Farquharson is a regional practice manager at Burns & McDonnell. He has experience implementing internal compliance programs, evaluating security architectures and risk assessments for medium- and large-sized investor-owned utility (IOU), municipality and cooperative environments.
