CIP V5 Modifications Approved

Update 2/5/2016: On Feb. 4, 2016, the Trade Associations filed a motion with FERC to delay the enforcement date for CIP Version 5 modifications approved under Order 791 from April 1, 2016 to July 1, 2016 to coincide with the enforcement date of the Version 5 modifications approved under order 822.  If FERC approves this request – and we believe they will – the Version 5 standards CIP-003-5, CIP-004-5, CIP-006-5, CIP-007-5, CIP-009-5, CIP-010-1, and CIP-011-1 will be retired without ever going into effect, being replaced with the version approved under Order 822. The administrative burden to the industry of having two CIP Standards going into effect within three (3) months of each other will be avoided.

We’ve been keeping close tabs on the latest developments involving modifications to the Critical Infrastructure Protection (CIP) Version 5 Standards. And on Jan. 21, 2016, the Federal Energy Regulatory Commission (FERC) issued its final ruling (Order 822) on the Notice of Proposed Rulemaking (NOPR) for the modifications to CIP V5. Here’s a quick look at what was approved and what we expect to happen next:

FERC approved modifications to seven standards: Security Management Controls (CIP-003-6), Personnel and Training (CIP-004-6), Physical Security of BES Cyber Systems (CIP-006-6), Systems Security Management (CIP-007-6), Recovery Plans for BES Cyber Systems (CIP-009-6), Configuration Change Management and Vulnerability Assessments (CIP-010-2), and Information Protection (CIP-011-2). The approval also included the implementation plan, violation risk factor and violation severity level assessments.

At the same time, FERC directed the North American Electric Reliability Corp. (NERC) to:

  • Develop modifications to implement mandatory protection of transient cyberassets at Low Impact BES Cyber Systems (BCS) based on risks to the reliability of the bulk electric system (BES).
  • Develop modifications to implement protections on the communications and sensitive bulk electric system data between all BES intra (same Entity) and inter (different Entities) Control Centers (high, medium and low) according to the risk posed to the BES under CIP-006.
  • Develop modifications to the definition of Low Impact External Routable Connectivity (LERC) to reflect the commentary in the CIP-003-6 Guidance and Technical Basis section.
  • Conduct a comprehensive study that identifies the strengths of the CIP Version 5 remote access controls and risks posed by remote access-related threats and vulnerabilities.

Supply Chain Management

FERC deferred any decision on Supply Chain Management controls, as noted in the July 2015 NOPR, until after the technical conference, which recently wrapped up. I’ll update you on this as I learn more.

Implementation Dates

Timing for the modifications and study on Order 822 indicates the remote access control study should be provided to FERC within one year of the implementation of the CIP V5 standards for High and Medium Impact BCS (April 1, 2017), and modification to the definition of LERC should be provided within one year of the effective date of Order 822. No date was specified for the modifications to Low Impact BCS transient cyberassets and protection of communications between Control Centers.

Per the approved implementation plan, most standards go into effect July 1, 2016, with a few exceptions:

  • CIP-006-6 Requirement R1, Part 1.10 will be effective April 1, 2017.
  • Low Impact BCS covered under CIP-003-6 Requirement R1, Part 1.2 and Requirement R2 will start April 1, 2017.
  • CIP-003-6 Attachment 1 Sections 2 and 3 will begin Sept. 1, 2018.

What’s Next?

One thing that could potentially affect the implementation dates is that Order 822 gives interested parties the option to submit a request to align the implementation dates of certain CIP Reliability Standards. Footnote 82 of the document suggests this could be done to lessen the burden of implementing two versions of the CIP Reliability Standards within a short period of time. This could result in two possible scenarios: The current April 1, 2016 date (for the Standards previously approved under Order 791) could be pushed back to July 1. Or Order 822 could be enforceable on April 1, 2016.

This is a topic that continues to unfold, so be sure to stay tuned in to the blog for the latest developments as they occur. And in the meantime, if you have specific questions about the approved modifications or cybersecurity in general, I’d be happy to talk with you. Comment below or connect with me on LinkedIn.

Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.


Rooftop SolarCalifornia regulators have once again signaled they are serious about encouraging consumers to install more rooftop solar units throughout the state. In a 3-2 decision Jan. 28, the California Public Utilities Commission (CPUC) voted in favor of the Net Energy Metering rule — also known as NEM 2.0 — to preserve a previous retail net metering rule that allows solar customers to receive payments for energy they sell back to the grid.

A group of California electric utilities had proposed lowering retail rates and adding monthly fixed fees and demand charges for rooftop sousers. The utilities had suggested that the fees and demand charges were necessary to offset the continuing fixed costs of maintaining grid connections for retail customers. The CPUC decision (PDF) also rejected the fees and demand charges.

The decision also makes time-of-use (TOU) rates mandatory for all new solar rooftop customers of Pacific Gas & Electric and Southern California Edison.

The latest NEM 2.0 decision follows two noteworthy rooftop solar decisions late last year in which regulators reverted to wholesale rates. In Hawaii, regulators eliminated NEM reimbursement programs for residential solar customers in favor of two new remuneration options. And in Nevada, regulators also cut back net metering rates for new and existing solar systems.

The ruling in California is a major win for the state’s photovoltaic solar industry, whose representatives have estimated that California solar users could see $1.6 billion in annual benefits.

In announcing the decision, the CPUC said the aim was to give consumers more energy options and was not intended to favor the solar industry over utilities.

To learn more about the California decision, check out this article from Utility Dive. And if you’d like to learn more about how this decision will affect utilities, comment below or reach out on LinkedIn and I’d be happy to chat.

Robert Healy leads the Business & Technology Services Group of Burns & McDonnell in Phoenix. He has more than 20 years of experience in the energy industry, with a focus on renewables.

Photo Credit: Edmund Tse via Compfight cc


Emerging UAV Technology Simplifies Pipeline Permitting Process

by Steve Santovasi January 28, 2016

Unmanned aerial vehicles (UAVs) — more commonly called drones — are changing the world as we know it. Not since the Internet or cell phones has a technology been so quickly adopted and used for multiple applications across such a wide range of industries. And nowhere is that more true than in the world of […]

Read the full article →

New Regulations in Canada May Bring Major Changes to Alberta’s Energy Sector

by James Amato January 27, 2016

With abundant natural resources, Canada is an energy-intensive country. It ranks fifth globally for energy production, trailing only China, the United States, Russia and Saudi Arabia. With the exception of Alberta, most of the electricity sector is controlled by Crown corporations — government-owned public utilities. The goal of Alberta’s free market is to encourage investment […]

Read the full article →

Supreme Court Upholds FERC Order 745

by Mike Beehler January 26, 2016

A Supreme Court decision on Monday, Jan. 25, has clarified one of the murkier recent developments in the world of electricity demand-response programs. In a 6-2 decision authored by Justice Elena Kagan, the court ruled that FERC’s Order 745 was a correct application of FERC’s powers under the Federal Power Act (FPA) and does not […]

Read the full article →

Are You Man Enough to be a Girl Scout?

by Julee Koncak January 25, 2016

Are you man enough to be a Girl Scout? Our CEO Greg Graves is — and he joins a cast of 13 other Kansas City leaders in a fun new campaign by Girl Scouts of Northeast Kansas and Northwest Missouri. The Man Enough to be a Girl Scout campaign showcases men who are committed to […]

Read the full article →