Order 843 and CIP-003-7: How They Will Impact Low Sites

On April 25, 2018, the Federal Energy Regulatory Commission (FERC) published Order 843, effectively approving CIP-003-7 standards. An effective date of Jan. 1, 2020, has been issued. So you might be wondering, “How do the new standards affect my current low sites?”

The first thing to point out is that the enforcement date for the CIP-003-6 (critical infrastructure protection) requirements for Electronic Access Controls (Attachment 1, Section 3) and Physical Security Controls (Attachment 1, Section 2), which previously was Sept. 1, 2018, has been delayed until Jan. 1, 2020, to coincide with the CIP-003-7 standards.

The language for Electronic Access Controls has been modified and no longer includes any references to the terms Low Impact External Routable Connectivity (LERC) and Low Impact Bulk Electric System (BES) Cyber System Electronic Access Point (LEAP). The new language now includes the statement “Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity.” Additionally, entities will still need to document the access that is deemed necessary.

CIP-003-7 also introduces Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation (found in Attachment 1, Section 5). Entities will be required to “mitigate the risk of the introduction of malicious code to low-impact BES Cyber Systems (BCS) through the use of Transient Cyber Assets or Removable Media.” All transient cyber assets will be required to have updated anti-virus software, application whitelisting or other methods in place to mitigate the introduction of malicious code. Additionally, these mitigating measures are required on all removable media and a process must be in place to ensure malicious code is detected and mitigated prior to connection to a low-impact BCS.

Written by Jeffrey Macre
Jeffrey Macre is a senior cybersecurity specialist for Burns & McDonnell. As an experienced leader specializing in information technology security, compliance implementation, infrastructure management, and systems administration, he helps clients design and implement standards, procedures and processes that improve their business efficiency.
