Security Awareness Blog

Not your father's CIP

Michael Assante

Many things are still fuzzy when thinking ahead to CIPv5, but what is clear is that you can't simply take your past V3 experience and apply it forward. NERC and industry have taken a big step forward in designing a set of cybersecurity standards that focus on protecting against cyber compromises that could lead to "misoperation or instability" of the North American Bulk Electric System.

NERC, anticipating the material nature of the enhancement, initiated a program to help industry transition directly from CIP Version 3 to CIP Version 5. There is a combination of challenges that makes it a necessary and significant investment:

  1. The new approach moves from a binary decision of items to be protected to a graduated system (low, medium, high) with specific guidance based on the properties of the power system element and potential impact if the associated cyber systems were negatively impacted
  2. There are a number of new technical security requirements and first-time definitions
  3. Implementation study participants found existing processes made a solid starting point, but that all existing documentation had to be revised
  4. Uncertainty regarding key regulatory stances, definitions, and scope

It is healthy to ask yourself, "Am I basing my approach off of assumptions that relate back to my CIPv3 experiences?" If CIPv5 is not your father's cybersecurity standard, then it is a good idea to consider how its material changes shape your approach for achieving compliance. Does that make me and a few other folks (for example, Tim Conway, the self-described old timer) grandpas?

Bio:

A recognized industrial control system and energy security expert, Michael has served in leadership positions in government and industry. Mr. Assante is currently leading the SANS ICS curriculum and recently held the position of Vice President and Chief Security Officer at NERC and oversaw the implementation of cyber security standards across the North American electric power industry. He also held notable positions at Idaho National Labs, was Vice President and Chief Security Officer for American Electric Power, and served as a US Navy Intelligence Officer.