CIP Standards Workshop
August 19-20, 2009
Baltimore, MD
CIP Standards
Past, Present, Future
Larry Bugh
Chief Security Officer
CIP Stds – Past, Present, Future
 Past
 SMD NOPR/UA1200
 CIP version 1
 Present
 CIP version 1 – Compliance
 CIP version 2 – Pending
 VSLs and VRFs – V1 & V2
 Future
 Any guesses???
7/28/2017
2
CIP Standards – Past
SMD NOPR
 FERC’s Standard Market Design – Notice of
Proposed Rulemaking
FERC told NERC CIPC the NOPR would include
cyber security
NERC CIPC prepared Appendix G of SMD NOPR
NOPR failed but industry decided to move forward
Result – Urgent Action Standard 1200
7/28/2017
3
CIP Standards – Past
Urgent Action Standard 1200




Approved 5/2003, Effective 8/2003
Applicable to RCs, BA, TOPs
Compliant by Q1-2004
Extended until 8/2005
7/28/2017
4
CIP Standards – Past
CIP-002-1 – CIP-009-1
 Approved May 2006, effective June 2006
 Approved by FERC January 2008
 Phased implementation schedule
Table 1  RC, BA, TOP (UA1200)
Table 2  TP, NERC, RE, non-UA1200 RC, BA,
TOP
Table 3  TO, GO, GOP, LSE
Table 4  Entities registering in 2007 and beyond
7/28/2017
5
CIP Standards – Present
Compliance Enforcement for V1
 13 Req’s for Table 1 entities at Control
Centers now AC
 All Req’s Table 1 & 2 entities, July 2010
CIP version 2
 Approved by ballot body – 4/2009
 Approved by NERC Board – 5/2009
7/28/2017
6
CIP Standards – Present
VSLs and VRFs
 Version 1 approved and filed with FERC
 Version 2
posted for pre-ballot review (8/11-9/10)
Voting to follow soon after
7/28/2017
7
CIP Standards – Future
CIP V3 is being developed
 CIP-002 Concept paper
Posted for comment 7/21/2009 – 9/4/2009)
Proposes to, “. . . require a methodology that
categorizes BES subsystems and cyber systems
according to their impacts on reliability functions.”
7/28/2017
8
Beyond that. . .
7/28/2017
9
Larry Bugh
Chief Security Officer
ReliabilityFirst corporation
[email protected]
7/28/2017
10