At their second in-person meeting of the year, held at Amazon’s headquarters in Seattle, members of NERC’s Standards Committee voted this week to reject a proposal to clarify the cyber systems to be addressed in an ongoing standards development project, while approving a separate standard authorization request involving the same project.
Both the accepted and rejected SAR relate to Project 2021-03 (CIP-002), which is working on five separate SARs involving revisions to CIP-002-5.1a (Cybersecurity — BES cyber system categorization). Committee Chair Todd Bennett of Associated Electric Cooperative acknowledged there are “a lot of things going on with this project,” which NERC staff have designated as one of 11 high-priority standards projects that must be completed by December. (See NERC Expecting Packed 2024 for Standards Actions.)
Introducing the first SAR, NERC Manager of Standards Development Alison Oswald explained that the project team “wanted to [list] the cyber assets that are going to be addressed” through altering one of the SARs attached to the project, “instead of using the umbrella term of ‘cyber assets.’” The assets to be named are electronic access control or monitoring systems, physical access control systems and protected cyber assets.
However, committee members wondered if the proposed changes still were necessary in light of changes in the ERO since the project began. Charlie Cook of Duke Energy observed that “we [in] the industry already have to provide a list of assets” as part of new audit procedures introduced by the regional entities since 2021 and suggested it was redundant to put the same specifications in the standard.
In response to Cook’s question, NERC Manager of Standards Development Latrice Harkness explained the SAR was intended as “a scoping mechanism to define what we are addressing” and to give the drafting team flexibility to discuss the topic if needed.
Cook then asked, “What gap are we trying to close [with this SAR] — is it a reliability gap, or is it simply a gap [that] makes the auditors’ job a little more difficult?”
Harkness replied again that the request was intended to ensure the specific terms would be included in the project’s scope, to which Cook responded that “there really didn’t seem to be a lot of support for this” proposal based on industry comments on the draft SAR.
Cook moved that the committee reject the SAR “for good cause” as provided for in NERC’s Standard Processes Manual, which passed with the required simple majority. The SAR will be sent back to the SDT for Project 2021-03 with a written explanation, which Bennett said he would work on with NERC staff.
The second SAR related to Project 2021-03 passed with no objections from committee members. This proposal was intended to revise CIP-002-5.1a and CIP-014-3 (Physical security) to provide consistency with changes introduced by Project 2015-09, which NERC’s Board of Trustees passed in 2021. (See “Approval and Standards Actions,” NERC Board of Trustees/MRC Briefs: May 13, 2021.) Oswald explained the proposed revisions to the standards were intended only to “clarify the functional entities responsible for” determining and communicating system operating limits.
The last two action items passed by the committee were to solicit nominations for drafting team members. In the first case, NERC staff requested members to supplement the team for Project 2021-01 (Modifications to MOD-025 and PRC-019). NERC Manager of Standards Development Jamie Calderon explained that the team has “a lot of modeling” experts and the ERO would like to “get more protection engineers” on board to address the project’s changing scope.
The second nominations item concerned creating a drafting team to address the Energy Assessments with Energy-constrained Resources in the Planning Time Horizon SAR, which the committee originally approved in 2022. Harkness explained that while the committee named a 15-member team to draft the SAR, that team now feels it would be best to split the work, with a new group tackling the long-term planning aspects of the project and the original team focusing on the near term.