Subscribe to Email Updates

Order 843 and CIP-003-7: How They Will Impact Low Sites

Order 843 and CIP-003-7: How They Will Impact Low Sites

On April 25, 2018, the Federal Energy Regulatory Commission (FERC) published Order 843, effectively approving CIP-003-7 standards. An issued effective date of Jan. 1, 2020, has been released. So you might be wondering, “How do the new standards affect my current low sites?”

The first thing to point out is that the enforcement date for the CIP-003-6 (critical infrastructure protection) Requirements for Electronic Access Controls (Attachment 1, Section 3) and Physical Security Control’s (Attachment 1, Section 2), which previously was Sept. 1, 2018, has been delayed until Jan. 1, 2020, to coincide with the CIP-003-7 standards.

The language for Electronic Access Controls has been modified and no longer includes any refences to the terms Low Impact External Routable Connectivity (LERC) and Low Impact Bulk Electric System (BES) Cyber System Electronic Access Point (LEAP). The new language now includes the statement “Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity.” Additionally, entities will still need to document the access that is deemed necessary.

CIP-003-7 also introduces Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation (found in Attachment 1, Section 5). Entities will be required to “mitigate the risk of the introduction of malicious code to low-impact BES Cyber Systems (BCS) through the use of Transient Cyber Assets or Removable Media.” All transient cyber assets will be required to have updated anti-virus software, application whitelisting or other methods in place to mitigate the introduction of malicious code. Additionally, these mitigating measures are required on all removable media and a process must be in place to ensure malicious code is detected and mitigated prior to connection to a low-impact BCS.

Leave a comment

Jeffrey Macre
Written by Jeffrey Macre
Jeffrey Macre is a project manager in security and risk consulting at 1898 & Co., part of Burns & McDonnell. As an experienced leader specializing in information technology security, compliance implementation, infrastructure management and systems administration, he helps clients design and implement standards, procedures and processes that improve their business efficiency. He has a bachelor's degree in business technology management from Herzing University and a Master of Business Administration in entrepreneurship from the Keller Graduate School of Management.

Related posts

Extending the Life of Hydroelectric Facilities
Extending the Life of Hydroelectric Facilities

As populations grow and regulations tighten, owners and operators of utilities feel the pressure and work to keep pace. When...

Understanding Aging Infrastructure Conditions With Modern Technology
Understanding Aging Infrastructure Conditions With Modern Technology

Approaching a plant retrofit without first understanding the condition of the plant’s assets is like buying a 50-year-old...