Security Awareness Blog

... One Giant Leap for CIP Kind

Editor's Note: This is a guest blog post from Tim Conway, Technical Director for the ICS and SCADA programs at SANS. Below, Tim shares his thoughts on CIP V5.

It is the time of year to sit for a moment and consider what must get done and how little time you have to do it!

Electric utilities throughout North America wrap up all of their CIP V5 facility assessment projects from last year, review their list of 2015 CIP capital projects, and start holding project kickoff meetings in an effort to finish all necessary CIP V5 projects before the compliance date of April 1, 2016. But if you listen closely, you will hear a buzz of activity that has been underway for a little over a year, has already achieved an approved CIP V6 set of Standards, and has an open industry ballot closing on Jan 9 that will move three of the Standards up another version to V7, with some of the brand new Standards going to Version 3. It should be pointed out that the V5 to V6 and V6 to V7 moves are all small steps for CIP kind, while the Version 3 to Version 5 move is a giant leap. I would recommend looking at the whole set of Standards, which will be a mix of V3, V5, V5.1, V6, and V7, as "V5 plus." It is like going from a 2000 Toyota Camry to a 2014 Camry and then adding rust protectant, fabric protectant, a turbo kit, and VIN etching.

This is a time filled with opportunity and excitement. Just as when CIP V1 (UAR → 1200 → 1300 → CIP) was being implemented, there is uncertainty. Back then, many camps began to form focused on compliance, process, and controls, while opposing camps formed around operations, reliability, and security. Over time, most organizations that faced CIP head on found balance and implemented some cutting-edge systems that added to system reliability and contained active policy enforcement capabilities that helped ensure controls were in place. The industry learned and improved through the days of CIP V1 → V3. It saw the coming and going of many challenges, and together the asset owners and the regulators developed a model environment for other critical infrastructure to follow.

As CIP V5 works its way into the operations of entities, the industry will face many of the same challenges: "What is meant by this requirement?" "What are the other utilities doing?" "How will the auditors interpret this?" "How much is enough?"

We have the opportunity to once again take another giant leap in the right direction and continue to push the electric sector to the front of the class. The industry as a whole is moving this challenge forward, with vendors, integrators, asset owners, reliability coordinators, regions, auditors, and regulators each doing their part.

As for me and my role at SANS, I am excited for the year ahead and the great opportunities I have to continue to contribute to this industry and work with some amazing people. Also, as a personal goal, it seemed we had finally achieved more CIP versions than there were Rocky movies. However, there is a plan to release the 7th movie in the Rocky series in September of 2016, so we will need to move to CIP V8 (the healthy CIP) sometime in late 2016 or early 2017 if we want to regain the lead.

Tim Conway is the Technical Director for the ICS and SCADA programs at SANS. He is responsible for developing, reviewing, and implementing technical components of the SANS ICS and SCADA product offerings. Formerly, he was the Director of CIP Compliance and Operations Technology at Northern Indiana Public Service Company (NIPSCO), where he was responsible for Operations Technology, NERC CIP Compliance, and the NERC training environments for the operations departments within NIPSCO Electric. Previously, he was an EMS Computer Systems Engineer at NIPSCO for eight years, with responsibility over the control system servers and the supporting network infrastructure. He is the former Chair of the RFC CIPC, current Chair of the NERC CIP Interpretation Drafting Team, member of the NESCO advisory board, current Chair of the NERC CIPC GridEx Working Group, and Chair of the NBISE Smart Grid Cyber Security panel.