“I recently wrote my longest post so far, describing how I would rewrite Version 5 of CIP-002 to change what I see as fatal imprecision in the language of that standard. However, I decided to leave part of the required changes for another post, since I wanted to think about them a little more before writing it. Here is […]
Tom Alrich’s Blog: Asset Identification in CIP Version 5
“A funny thing happened on the way to this blog post. After FERC’s NOPR on April 18, I decided I should do a series of blog posts that really tear into the details of CIP Version 5 – since very few people other than the SDT members can probably give you a good accounting of […]
Identity and Access Management and NERC CIP Compliance: So, What’s the Problem? Part 2 of 2
By Steve Hamburg, Encari
Continuing with what was addressed in part one of this two-part article, “Plain and simple: You cannot formulate an effective solution if you do not possess a sufficiently comprehensive understanding of the problem.” Version 3 of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards poses significant identity […]
Tom Alrich’s Blog: Is CIP Version 5 “Un-Auditable”?
NESCO recently posted a paper written by Stephen Flanagan of FERC entitled “Self‐Correcting Cyber Policies: Pathway to Convergence of Compliance and Security?” Stephen’s primary point is this: NERC CIP Version 5 contains a number of requirements that would be impossible to audit. He is presumably recommending that the FERC commissioners either reject CIP Version 5 […]
Tom Alrich’s Blog: CIP Version 5: The Order 761 Problem
NERC’s recent filing of CIP Version 5 had to accomplish a number of objectives. One of the most important was to explain to FERC that NERC has complied with the directives for Version 5 that FERC gave in Order 761, issued last April. Indeed, the filing devotes ten pages to explaining why Version 5 does […]
Tom Alrich’s Blog: Will CIP Version 4 Ever Be Enforced?
“Crowning all of the Versions 4 and 5 concerns is this one: Will the industry have to comply with CIP Version 4 – now approved by FERC and scheduled to come into effect April 1, 2014 – or will Version 4 be bypassed in favor of Version 5, which now has NERC Board of Trustees […]
Tom Alrich’s Blog: When Do I Have to Comply with NERC CIP Version 4?
My last blog post was on the question whether NERC CIP Version 4 would ever be enforced. While I don’t know the answer to that question (and still don’t), I did point out that the odds are on the side of V4 coming into effect, followed by Version 5 a few years later. The point of […]
Tom Alrich’s Blog: Why the CIP Version 4 Compliance Date Needs to be Pushed Back
“In my previous post, I showed that all NERC entities have to be fully compliant with all standards in CIP Version 4 on April 1, 2014 – except those who are in the midst of becoming compliant for Critical Cyber Assets (CCAs) that were newly identified after the compliance date for CIP Version 3. So, […]