FAA Clarifies UAV Rule, Paves Way for Larger Fields of OperationIn recent years, the engineering and construction industries has started to see progress on the expanded use of unmanned aerial vehicles (UAVs) for commercial applications. On June 21, the Federal Aviation Administration (FAA) approved expanded regulations on permissible UAV altitudes to include objects higher than 400 feet, as long as the operator remains within 400 feet of the object. Along with these altitude limits, the FAA has also defined UAV speed limits to no more than 100 mph.

On Thursday, June 29, the new set of regulations were finally published in the Federal Register and will take effect on August 29, 60 days after the rule was officially published.

Burns & McDonnell has been operating UAVs for nearly two years now under the special Section 333 exemption for such things as gas pipelines, power lines and transmission towers, vegetation, and wildlife inspections. The recently published rules are similar to many of the restrictions we’ve previously operated under, but with this step Burns & McDonnell will be able to apply for nighttime and beyond-visual-line-of-sight (BVLOS) operation waivers.

The most notable regulatory changes brought on by this ruling are the modifications made to the pilot certification requirements, the ability to hand-off operational controls, and the removal of the observer requirement. Currently, Burns & McDonnell has to maintain visual contact with the ten UAVs we operate. Now that the new rules are enacted and BVLOS waivers are available, Burns & McDonnell will be able to greatly expand safely operating our UAVs into significantly more remote areas while also operating fewer flights from greater distances. Traditionally many of these operations have been difficult, and often dangerous, for manned aircrafts and ground-based inspectors. Burns & McDonnell is optimistic that the FAA’s ruling is a sign that the agency is embracing the idea of using UAVs as a productive part of the national airspace for commercial use.

Burns & McDonnell is proud to have been one of the first engineering and construction firms to use UAVs for survey and inspection work, especially since so many of our projects are in remote, mountainous and forested areas. We’ve been able to use the aerial photographs taken by UAVs to create 3-D point clouds and establish data sets that can be translated into 3-D models back on the ground. The cost savings, safety advantages and engineering design benefits are clear to our clients and with the clarification of the BVLOS rule, Burns & McDonnell looks forward to a future where the use of UAVs is a routine part of every project.

As the department manager for geospatial services at Burns & McDonnell, Steve Santovasi brings more than 25 years of experience in geospatial solutions specializing in geographic information systems, mobile mapping, Web mapping, high-accuracy GPS locational services, 3-D drone mapping and UAV solutions.


NERC CIP Low Impact Requirements — Security Awareness & Incident ResponseIn this fifth blog installment on successfully implementing the NERC CIP Low Impact BES Cyber Systems (BCS) requirements, I’ll cover the two requirements that must be fully implemented by April 1, 2017.

Cyber Security Awareness

For Entities with an existing High/Medium Impact BCS CIP Program, use of that program’s Security Awareness processes will cover the Low Impact requirements with few modifications. While High/Medium awareness programs have quarterly execution requirements, Low Impact BCS only require the execution process once every 15 months. Burns & McDonnell has recommended that Entities follow the quarterly performance to maintain consistency across the enterprise and gain the greatest benefits from regularly presenting the material to employees.

For entities without an existing CIP program, there are several methods available for establishing an awareness program. First, determine if there is an existing related program outside of CIP that the rest of organization is already using, one that could be reused as is or modified slightly to meet CIP requirements. If no program exists, there are many packages and programs available that Entities can purchase to help meet requirements. Or an Entity can build its own awareness program using a variety of available information.

For Entities with only Low Impact BCS, Burns & McDonnell continues to advise that awareness material be distributed in quarterly performance intervals in order to gain the most benefit and demonstrate to the Region an Entity’s commitment to a secure environment.

Stay tuned for upcoming installments that will provide additional details on security awareness, including methods for delivery.

Cyber Security Incident Response

As noted for Cyber Security Awareness, if an Entity has an existing High/Medium Impact BCS program, use of the CIP-008-5 Cyber Security Incident Response Plan will cover the Low Impact requirements. There are some differences between the High/Medium and Low Impact requirements that should be reviewed and understood, but Burns & McDonnell recommends that those for the Low Impact Plan mirror the High/Medium Impact Plan performance requirements to maintain consistency across the enterprise. The existing CIP-008-5 Plan should be updated to clearly reference the Low Impact requirements and how they are handled by that plan, or create a specific Low Impact Plan that details the Low Impact requirements to the CIP-008-5 Plan processes in order to help audit teams understand how the Low Impact CIP-003-6 requirements are handled.

There are several approaches that Entities without existing CIP programs can take to establish an incident response plan. First, determine if there is a related plan already in place for the rest of organization that can be repurposed as is, or modified as necessary to meet the requirements. If an existing plan is not available, peer Registered Entities may be willing to share their plan, insurance carriers may have plans available that can be a starting point, packages can be purchased and made to meet the requirements, or an Entity can build their own using freely available information.

Keep an eye out for upcoming blog posts that will highlight details on incident response including the six Low Impact requirements and how they can map the processes in a High/Medium Impact plan.


As noted in the first and third articles in this series, the Low Impact Cyber Security Awareness and Cyber Security Incident Response Plans must be in place April 1, 2017. It is recommended the first awareness information be delivered to in-scope personnel, and testing of the incident response plan be completed before April 1, 2017.


If you have any questions on how to approach the Low Impact Cyber Security Awareness and Cyber Security Incident Response requirements, Burns & McDonnell recommends Entities contact internal company resources who might have processes that can be reused, peer Registered Entities, or view the information shown in the Additional Information section. Burns & McDonnell is also capable of assisting Entities, backed by our years of experience, with CIP Standards and helping Entities with the High, Medium and Low Impact BCS CIP Program implementations.

Additional Information

The following information may be of assistance in your Low Impact BCS research and implementation efforts:

Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.


Designing Food Processing Plants of the Future

by Wayne Young June 17, 2016

Few industries evolve quite as quickly as the food industry. Just think about it; the low-fat and carb-free fads from 10-20 years ago gave way to today’s “real food” movement, where consumers increasingly want locally sourced, fresh products with a focus on niche or specialty foods. These ever-changing trends can present some serious challenges for […]

Read the full article →

NERC CIP Low Impact Requirements — Inventory or Not?

by Michael C. Johnson June 16, 2016

In this fourth blog installment on implementing NERC CIP Low Impact BES Cyber Systems (BCS) requirements, I’ll dive into the prerequisite Standard CIP-002-5.1 for determining if Low Impact BCS are present at a Bulk Energy System (BES) facility and if an inventory should be created. No List Required? CIP-002-5.1 Requirement R1, Part 1.3 and CIP-003-6 […]

Read the full article →

NERC CIP Low Impact Requirements — Policy, Plans, Processes, Procedures

by Michael C. Johnson June 8, 2016

In this third installment on successfully implementing the NERC CIP Low Impact BES Cyber Systems (BCS) requirements, I’ll cover the different administrative parts of the Standards: policies, plans, processes and procedures. Policy, Plans, Process and Procedures Definitions used by the Regional Entities for Policy, Plan, Process, and Procedure are included in Section 6, titled “Background,” […]

Read the full article →

Embracing Energy Change at IDEA 2016

by Josh Foerschler June 6, 2016

I’m headed to St. Paul, Minnesota, June 20-23 for the 107th Annual International District Energy Association (IDEA) Conference & Trade Show to explore emerging technologies, to innovative policies and to connect with global leaders advancing a new energy paradigm for cities, communities and campuses across the globe. With this year’s focus on “Embracing Change,” IDEA […]

Read the full article →