Lesson Learned CIP Version 5 Transition Program CIP-002-5, Requirement R1: Compliance Dates for Impact Rating Criteria 2.3 and 2.6 Notifications Prior to Enforcement Date Draft Version: August 17, 2015 This document is designed to convey lessons learned from NERC’s various CIP version 5 transition activities. It is not intended to establish new requirements under NERC’s Reliability Standards, to modify the requirements in any existing reliability standards, nor provide an Interpretation under Section 7 of the Standard Processes Manual. Additionally, there may be other legitimate ways to fulfill the obligations of the requirements that are not expressed within this supporting document. Compliance will continue to be determined based on language in the NERC Reliability Standards as they may be amended from time to time. Implementation of this lesson learned is not a substitute for compliance with requirements in NERC’s Reliability Standards. Purpose The purpose of this Lesson Learned is to provide guidance on the compliance dates for impact rating criteria 2.3 and 2.6 notifications that occur prior to the enforcement date of April 1, 2016. Background Reliability Standard CIP-002-5 Requirement R1 requires responsible entities to identify their high, medium, and low impact BES Cyber Systems according to the criteria provided in Attachment 1. Specific to impact rating criteria 2.3 and 2.6, the notifications that have been sent out by Reliability Coordinators to Generator Owners designating certain generation units as critical to the derivation of IROLs per these impact rating criteria have created unplanned changes as defined in the Implementation Plan1. These notifications were sent out prior to the CIP version 5 Reliability Standards enforcement date of April 1, 2016. Guidance The Implementation Plan is silent on how to treat changes that occur prior to April 1, 2016. The ERO Enterprise, consistent with the timelines in the Scenario of Unplanned Changes After the Effective Date table of the Implementation Plan, will provide affected Responsible Entities 12 or 24 months from the Responsible Entity’s performance of their CIP-002-5.1, Requirement R2 assessment that follows a notification from a Reliability Coordinator, Planning Coordinator, or Transmission Planner.

1 Ref Implementation Plan for Version 5 CIP Cyber Security Standards: http://www.nerc.com/pa/Stand/CIP00251RD/Implementation_Plan_clean_4_(2012-1024-1352).pdf

3353 Peachtree Road NE Suite 600, North Tower

Atlanta, GA 30326 404-446-2560 | www.nerc.com

Lesson Learned CIP Version 5 Transition Program CIP-002-5, Requirement R1: Compliance Dates for Impact Rating Criteria 2.3 and 2.6 Notifications Prior to Enforcement Date Industry Comments Draft Posted August 18, 2015 September 22, 2015

Comments Received – CIP-002-5, Requirement R1: Compliance Dates for Impact Rating Criteria 2.3 and 2.6 Notifications Prior to Enforcement Date

Organization Comment NERC Response #

General Comments

EnergySec EnergySec supports the guidance in this document; however, we suggest that any final version posted should be issued consistent with the proposed compliance guidance as described in the recently issued Compliance Guidance Policy Paper. The “Impact Rating Criteria 2.3 and 2.6 Notifications Prior to Enforcement Date Lesson Learned” document clearly provides direction to ERO Enterprise CMEP staff with respect to compliance and enforcement activities, rather than providing an example of how to implement the standard.Therefore, we suggest that this be issued as a CMEP Practice Guide rather than a Lessons Learned or Application Guidance.

1

EEI We appreciate this guidance provided by NERC on how the ERO will treat changes that occur prior to April 1, 2016; however we are concerned that a lessons learned document or Section 11 guidance document is not the appropriate vehicle for this clarification. Lesson learned documents provide an approach to meeting the reliability standards based on lessons learned from CIP version 5 transition activities. “The ERO…will provide affected Responsible Entities 12 or 24 months from the Responsible Entity’s performance of their CIP-002.5.1” sounds more like an interpretation.

2

CIP-002-5, Requirement R1: Compliance Dates for Impact Rating Criteria 2.3 and 2.6 Notifications Prior to Enforcement Date 2

Comments Received – CIP-002-5, Requirement R1: Compliance Dates for Impact Rating Criteria 2.3 and 2.6 Notifications Prior to Enforcement Date

Organization Comment NERC Response #

MidAmerican Energy Company

MidAmerican Energy Company supports the Edison Electric Institute comments on the lessons learned posted for comment August 19, 2015, with comments due September 18, 2015: • IRC 2.3 and 2.6 Compliance Dates Lesson Learned

3

Specific Comments

Burns & McDonnell

Under the Guidance section it indicates: “The ERO Enterprise, consistent with the timelines in the Scenario of Unplanned Changes After the Effective Date table of the Implementation Plan, will provide affected Responsible Entities 12 or 24 months from the Responsible Entity’s performance of their CIP-002-5.1, Requirement R1 assessment that follows a notification from a Reliability Coordinator, Planning Coordinator, or Transmission Planner.” Burns & McDonnell believes some clarification would be beneficial to the industry with the use of simple examples. We provide the following as suggestions based on what we believe is a correct understanding of the Lesson Learned. 1. Entity has not completed a CIP-002-5.1,

Requirement R1 assessment. Entity receives notification on January 15, 2016 from their RC, PC, or TP that part of their Generation Plant A and the associated BES Cyber Systems (BCS) must be identified as medium impact. Entities preliminary assessment of Generation Plant A was all BCS would be low impact. Final assessment was completed on February 1, 2016. The timeline for Generation Plant A would be: • Timeline for the Unplanned Change on the identified BCS (medium impact) will start on February 1, 2016 and will be 24-months since the

4

Comments Received – CIP-002-5, Requirement R1: Compliance Dates for Impact Rating Criteria 2.3 and 2.6 Notifications Prior to Enforcement Date

Organization Comment NERC Response #

Entity had not completed an assessment before the notification. • All other BCS (low impact) not covered by the notification will have to following the April 1, 2017 compliance date.

2. Entity completed a CIP-002-5.1, Requirement R1

assessment on July 1, 2015 which indicated that Generation Plant A only contained low impact BES Cyber Systems (BCS). On August 1, 2015, Entity’s RC, PC, or TP indicates that part of Generation Plant A must be identified as medium impact resulting in some BCS changing from low to medium impact. Entity has other generation facilities with at least one of them containing identified medium impact BCS. Timeline for Generation Plant A would be: • Timeline for the Unplanned Change on the identified BCS (medium impact) will start after the completion of the next CIP-002-5.1 Requirement R1 Assessment, which is scheduled for July 1, 2016. Since the Entity had identified medium impact BCS as part of the original assessment at other generation facilities and was working towards implementation of those medium impact requirements, the timeline for the Generation Plant A medium impact BCS would be 12-months from the next CIP-002-5.1 assessment (July 1, 2016). • All other BCS (low impact) at Generation Plant A not covered by the notification will follow the April 1, 2017 compliance dates.

If the suggested samples are incorrect, we request feedback from the V5 Transition Advisory Group (V5TAG) on what is the correct implementation schedule, so corrected examples can be developed for inclusion with the Lesson Learned.

Comments Received – CIP-002-5, Requirement R1: Compliance Dates for Impact Rating Criteria 2.3 and 2.6 Notifications Prior to Enforcement Date

Organization Comment NERC Response #

ACES ACES agrees that the effective date should be after that identified for CIP-002-5.1; however, the entity has to identify how to apply the 12 or 24 month criteria from the latest implementation plan. Registered Entities should not have to derive this information on their own. ACES asks NERC to identify the requirements requiring RCs, PCs, and TPs to notify GOs when their generation facilities are necessary to avoid an Adverse Reliability Impact in the planning horizon of more than one year. Furthermore, if the GO elects to dispute the designation, does that GO have any recourse and can delay the 12 or 24 month period until after the dispute is settled?

5

EPSA EPSA appreciates that the draft Lessons Learned begins to address the timing issues raised in our June 12 letter. Resolution of the compliance timing is critical to ensuring that complying entities know what is required of them and by when. However, the draft guidance language should be changed and expanded to provide a clearer understanding of the compliance timing for generators that have or will receive Impact Rating Criteria (“IRC”) 2.3 and 2.6 notifications. The Lessons Learned would be more useful by providing examples. For new standards where there has not been the opportunity to specifically “learn lessons” it would be valuable to lay out examples for industry stakeholders. Leaving stakeholders to compare language from Lessons Learned to the Standard is a legal exercise, rather than a reliability exercise. This exercise can create situations that can create the perception that the standard is either implicitly or explicitly being changed. Providing examples will take away the potential for such a perception. EPSA believes reliability should take precedence, and examples can best demonstrate practices from which complying

6

Comments Received – CIP-002-5, Requirement R1: Compliance Dates for Impact Rating Criteria 2.3 and 2.6 Notifications Prior to Enforcement Date

Organization Comment NERC Response #

entities can make compliance choices. Examples addressing timing, Interconnection Operating Limits (“IROL”) and Automatic Voltage Regulator (“AVR”) and Power System Stabilizer (“PSS”) status as well as, complying entity communication, would best serve CIP-002-5 compliance for reliability assurance. Importantly, the Lessons Learned only speaks to Requirement 1 but is silent on Requirement 2. EPSA believes the Lessons Learned should discuss both Requirements so that the interplay between the two Requirements and the Standard as a whole is clear. Understanding the interplay can play an integral role on how a generators can best comply with the standard appropriately documenting notification and responding to that notification, and making an assessment of impact rating for cyber assets. EPSA believes the draft incorrectly states that notifications sent by Reliability Coordinators (“RC”) to Generators Owners designated “generation units” are critical to the derivation of IROLs. This language assumes that RCs notified generating units are Bulk Electric System (“BES”) Cyber Systems. This further assumes that all notifications designate the generating unit, rather than specific equipment such as the AVR/PSS as the BES Cyber System. The Lessons Learned while not specifically addressing the “status” issue, assumes impact rating for entire units rather than leaving such decisions to the complying entity (RCs in this instance) as stated in the Standard. Additional specific points regarding the draft Lessons Learned: • The first sentence in the Background section suggests that Responsible Entities identify BES Cyber Systems for low-impact assets. Requirement 1.3

Comments Received – CIP-002-5, Requirement R1: Compliance Dates for Impact Rating Criteria 2.3 and 2.6 Notifications Prior to Enforcement Date

Organization Comment NERC Response #

expects a Responsible entity to identify low-impact assets, and specifically notes “a discrete list of low impact BES Cyber Systems is not required.” Per Requirements 1.1 and 1.2, only high and medium impact assets require the identification of BES Cyber Systems. • The draft presumes that a notification that is issued pursuant to Criteria 2.3 and 2.6, is binding upon the recipient prior to the enforceable date of the standard itself. EPSA believes that such a notification only becomes binding on or after the enforceable date of the standard. Additional points of note: i. Attachment A is incorporated by reference into R1. ii. R1 is not enforceable until April 1, 2016. iii. Both the standard and the Implementation Plan are silent on addressing an “unplanned event” (as defined in the Implementation Plan) that occurs prior to the enforcement date. • The receipt of a third-party notification does not directly constitute an unplanned event. The notification in this case acts as a trigger for the receiving entity to consider the impact of the notification in its subsequent assessment BES Cyber Systems. If a medium impact BES Cyber System is identified by that subsequent assessment, this constitutes an unplanned event, and triggers a 12 or 24 month compliance window. Many Responsible Entities have incorrectly believed that the receipt of a third-party notification itself triggers the additional 12 or 24 months compliance window. The LL should correct this misperception. While the draft Lessons Learned addresses in part some of the timing issues there are still other issues previously raised by EPSA that are not included in the Lessons Learned and as such remain unanswered. Below those issues are detailed again from the June 12, 2015 EPSA letter (below).

Comments Received – CIP-002-5, Requirement R1: Compliance Dates for Impact Rating Criteria 2.3 and 2.6 Notifications Prior to Enforcement Date

Organization Comment NERC Response #

Issues not addressed from EPSA June 12, 2015 Letter: IROL AVR/PSS Status and Voltage In spite of the NERC memorandum, there remains a compliance gap that can become a reliability gap. The derivation of the Interconnection Operating Limits (IROLs) relies on the “status” of a generator, not specifically the generation facility. That is, the IROL value changes with generator status. So arguably the security of the facility is not critical – however the status of the IROL may be. If the unit trips, the transmission operator decreases IROL loading to reflect the absence of the tripped generator and the protection against the loss of next contingency. There are also questions surrounding the status of the Automatic Voltage Regulator (AVR) and or Power System Stabilizer (PSS). The NERC memorandum addressed the derivation of IROLs but did not address the different facilities associated with IROL derivation. Consequently, the equipment identified at each site can be different. Therefore the derivation of the status of the AVR for the IROL can differ for the “unit” versus the “facility.” The memorandum does not address such determinations that play a part in the IROL derivation. The type of IROL is also important and has not been addressed by NERC or the ISOs. A megawatt (MW) based IROL encompasses most of the plant in almost all cases; a voltage-related IROL is dependent upon the exciter and AVR, not the whole plant. The standard language appears to assume the IROLs are MW based. The memorandum fails to address this issue. The voltage issues associated with IROLs are addressed and solved by another NERC standard (i.e. VAR-002). The NERC memo does not address this and through its reasoning raises conflicting compliance perspectives. It

Comments Received – CIP-002-5, Requirement R1: Compliance Dates for Impact Rating Criteria 2.3 and 2.6 Notifications Prior to Enforcement Date

Organization Comment NERC Response #

seems to suggest there is a family of security standards and a family of reliability operations standards and the two families should not meet. There should be only one set of reliability standards. Complying Entity Communication Another important issue that NERC could put out as guidance that would help not only generators but those complying entities identifying facilities under the Standard would be the suggestion of what and how complying entities can best specify what is causing the IROLs (of primary concern). On the third page of the NERC memorandum, NERC states: “In short, under Criterion 2.3, a Planning Coordinator or Transmission Planner may only designate a “generation facility.” EPSA believes that designation is one piece but that it is appropriate and should be encouraged that a Reliability Coordinator (RC), Planning Coordinator (PC) or Transmission Provider (TP) should add further information regarding what is causing the IROL. That clarification is important to the pertinence of the standard, generators otherwise will be left to speculate, rather than know what really needs to be protected. Finally, the NERC memorandum states “After receiving a third-party notification under Criteria 2.3 or 2.6, the responsible entity must categorize as medium all BES Cyber Systems associated with the designated generation Facility or the identified generation at a single plant location or transmission Facility at a single station or substation location, as applicable under CIP-002-5.1.” (Emphasis added.) This contradicts CIP-002-5.1, Requirement R1. The decision to categorize BES Cyber Systems is not automatically triggered by a notification. R1 requires that each Responsibility Entity to identify high, medium, and low impact BES Cyber Systems by “implementing a process.”

Comments Received – CIP-002-5, Requirement R1: Compliance Dates for Impact Rating Criteria 2.3 and 2.6 Notifications Prior to Enforcement Date

Organization Comment NERC Response #

EnergySec We believe additional clarity would be useful in two areas. First, although implied, it is not explicitly stated in the guidance that 3rd party notifications under Criterion 2.3 or 2.6 will be treated as unplanned changes with respect to the implementation plan. This should be clearly stated. Second, it remains unclear whether a 3rd party notification creates an obligation to perform a CIP-002-5.1 R1 assessment prior to the expiration of the 15 calendar month interval allowed by the standard. We believe that such should not be required, and we find no language that would support such a requirement; however, we believe there remains potential uncertainty in this regard. We suggest a statement be added that explicitly acknowledges that receipt of a 3rd party notification does not affect the timelines for performance of the CIP-002-5.1 R1 assessment.

7

EEI The following are more specific concerns on this lesson learned: 1. We suggest adding a reference to Requirement 2

because a Responsible Entity’s obligation is not completed until it is approved (per R2) by its “CIP Senior Manager or delegate.”

2. There appears to be an error in the first sentence in the Background section, which suggests that Responsible Entities should identify low impact BES Cyber Systems. Requirement 1.3 expects a Responsible Entity to identify low impact assets, and specifically notes “a discrete list of low impact BES Cyber Systems is not required.” Per Requirements 1.1 and 1.2, only high and medium impact assets require the identification of BES Cyber Systems.

3. The second sentence in the Background section references “generating units.” A notification issued to certain generators by an ISO referencing the

8

Comments Received – CIP-002-5, Requirement R1: Compliance Dates for Impact Rating Criteria 2.3 and 2.6 Notifications Prior to Enforcement Date

Organization Comment NERC Response #

applicability of Criterion 2.6 identified only the “…Automatic Voltage Regulator (AVR) and/or Power System Stabilizer… associated with the [listed generating units] are critical to the derivation of an IROL and its associated contingencies.” • Since these notifications were limited to equipment associated with generating units, we believe that there is still uncertainty regarding the scope of Criterion 2.6 (i.e., generating unit vs. limited generation equipment within a generating unit), and therefore, we recommend that NERC not use the phrase “generation units” which implies that NERC is issuing guidance on this topic.

4. The lesson learned presumes that a notification that is issued pursuant to Criteria 2.3 and 2.6, is binding upon the recipient prior to the enforceable date of the standard itself. We believe that such a notification only becomes binding on or after the enforceable date of the standard. Attachment A, Criteria 2.3 and 2.6 are incorporated by reference into R1 and R1 is not enforceable until April 1, 2016. Therefore Planning Coordinators, Transmission Planners, and Reliability Coordinators do not have the R1 authority to inform the generation owners or operators until the standard is enforceable (i.e., April 1, 2016).

5. The receipt of an R1 notification does not directly constitute an unplanned event. The notification in this case acts as a trigger for the receiving entity to consider the impact of the notification in its subsequent assessment BES Cyber Systems. If a medium impact BES Cyber System is identified by that subsequent assessment, this constitutes an unplanned event, and triggers a 12 or 24 month compliance window. Many Responsible Entities have incorrectly believed that the receipt of an R1 notification triggers the 12 or 24 months

Comments Received – CIP-002-5, Requirement R1: Compliance Dates for Impact Rating Criteria 2.3 and 2.6 Notifications Prior to Enforcement Date

Organization Comment NERC Response #

compliance window. The LL should clarify this misperception.