On April 25, 2018, the Federal Energy Regulatory Commission (FERC) published Order 843, effectively approving CIP-003-7 standards. An issued effective date of Jan. 1, 2020, has been released. So you might be wondering, “How do the new standards affect my current low sites?”
The first thing to point out is that the enforcement date for the CIP-003-6 (critical infrastructure protection) Requirements for Electronic Access Controls (Attachment 1, Section 3) and Physical Security Control’s (Attachment 1, Section 2), which previously was Sept. 1, 2018, has been delayed until Jan. 1, 2020, to coincide with the CIP-003-7 standards.
The language for Electronic Access Controls has been modified and no longer includes any refences to the terms Low Impact External Routable Connectivity (LERC) and Low Impact Bulk Electric System (BES) Cyber System Electronic Access Point (LEAP). The new language now includes the statement “Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity.” Additionally, entities will still need to document the access that is deemed necessary.
CIP-003-7 also introduces Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation (found in Attachment 1, Section 5). Entities will be required to “mitigate the risk of the introduction of malicious code to low-impact BES Cyber Systems (BCS) through the use of Transient Cyber Assets or Removable Media.” All transient cyber assets will be required to have updated anti-virus software, application whitelisting or other methods in place to mitigate the introduction of malicious code. Additionally, these mitigating measures are required on all removable media and a process must be in place to ensure malicious code is detected and mitigated prior to connection to a low-impact BCS.