2. Speaker Intro: Bryan Carr
• Joined WECC in August 2012
• a.k.a Dr. TFE (Emeritus)
• Former CIP Program Manager
• Project manager
• 3:37 Marathoner – BQ 3:10
• Donut enthusiast
Western Electricity Coordinating Council
2
3. Agenda
• 2015 Audit Recap & Observations
• Q&A
• Distribution Providers
Western Electricity Coordinating Council
3
5. 2015 Audit Recap - Observations
• Many hesitant to leverage NERC v5 transition
guidance.
• Implementation delays due to interpretations,
waiting on Lessons Learned & FAQ.
• Entities who regularly reach out to audit team
and attend outreach were better prepared.
Western Electricity Coordinating Council
5
6. CIP-002-5.1 Entity Q&A
• Sources include email, audit, ERO-wide auditor
workshops/distribution lists, etc.
• Q&A sanitized to protect the innocent.
• All entities appearing in this presentation are
fictitious. Any resemblance to real entities, living
or dead, is purely coincidental.
Western Electricity Coordinating Council
6
7. Q1
• We plan to associate BCAs (including SPS/RAS)
with the operating voltage of the high side of the
transformer, as well as any BCA associated with
both the high and low side of the transformer
(e.g. bank differential relays). Is this a valid
approach?
Western Electricity Coordinating Council
7
8. A1
• Protect BCS associated with SPS/RAS at the
highest applicable impact rating.
• IRC 2.9 may bring in some BCS that would
normally be Low into scope as Medium BCS.
• Each SPS/RAS BCS should be evaluated
independently as you apply the IRC.
Western Electricity Coordinating Council
8
9. Q2
• In counting the number of lines coming into a
substation, should a bus bar with a tie-circuit
breaker be considered a line?
Western Electricity Coordinating Council
9
10. A2
• Normally a tie bus would not be considered a
transmission "line" as it does not typically
cross substation boundaries.
• If, however, the tie bus in question crosses
substation boundaries, a strict interpretation
of IRC2.5 would indicate that would qualify as
a "line" coming in and/or out of the
substation.
Western Electricity Coordinating Council
10
11. Q3
• For jointly owned locations – is
documentation required for who is
performing the compliance
obligations?
Slide 11
Western Electricity Coordinating Council
12. A3
• Yes, if a single entity is responsible for performing the
compliance obligations at a jointly owned Facility,
that should be clarified in the operating agreement,
through a memorandum, or other binding document
in which these obligations are clearly defined and
assigned to a single party.
• Without a binding document defining compliance
responsibility, WECC will look to the owner of each
applicable BCS to fulfill the compliance obligations.
Slide 12
Western Electricity Coordinating Council
13. Q4
Western Electricity Coordinating Council
13
• We will have only Low Impact BCS under CIP
v5, therefore we have nothing to do (no
compliance obligations) until April 1, 2017. Is
this correct?
14. A4
• Not quite. CIP-002-5.1 R1 & R2 and CIP-003-6 R3
& R4 must be complete (documented and
approved) by April 1, 2016 for ALL applicable
entities, including those with only Low Impact
BCS.
• Low Impact requirements in CIP-003-6 R1.2, R2,
Attachment 1 – Sections 1 & 4 must be complete
by April 1, 2017.
• Low Impact requirements in CIP-003-6 R2
Attachment 3 & 4 must be complete by
September 1, 2018.
Slide 14
Western Electricity Coordinating Council
15. Q5
• Should meters be considered BCA?
15
Western Electricity Coordinating Council
16. A5
• Certain meters may be considered BCA. For
example, tie-line (aka interchange) meters
providing data for ACE calculations are required
to have an update interval of no greater than 6
seconds (BAL-005-0.2b R8), those Cyber Assets
come into scope as real-time Cyber Assets that
support one or more BROS and should be
identified as BCA, grouped into one or more
appropriate BCS, and afforded the full protections
of the CIPv5 Standards, as applicable, based on
the impact rating of their host Facilities.
Slide 16
Western Electricity Coordinating Council
17. Q6
• We were just notified by PEAK that we’re now
part of an IROL, which will raise the the
impact rating of a couple of our facilities from
Low to Medium. The implementation plan
allows for 12-24 months, but when does that
clock start ticking?
Slide 17
Western Electricity Coordinating Council
18. A6
• The IRC 2.3 and 2.6 Lesson Learned document recently
posted on NERC’s website adds an implementation
period for Medium BCS identified prior to April 1,
2016, and extends CIP compliance for newly identified
BCS under these two IRC by 12-24 months.
• The clock starts ticking upon completion of the R1
Assessment following an IRC 2.3 or 2.6 notification, not
the date of notification itself. Should such notification
occur between now and April 1, 2016, WECC expects
re-evaluation of R1 be completed on or before April 1,
2016, at which point the implementation period would
begin.
Slide 18
Western Electricity Coordinating Council
19. Q7
• Our low impact substation has a backup EMS
server which is part of our High Impact
Control Center. The EMS server and Low BCS
(protection equipment) are physically located
in the same building, but are logically
separate. Does this mean the entire facility
must be treated as High Impact, or can we
separate the two somehow?
Slide 19
Western Electricity Coordinating Council
20. A7
• The impact rating of the facility could remain
Low under certain conditions, however the
High Impact BCS would need to be afforded all
the physical and logical protections specified
in the CIP Standards.
• Options to consider:
1. Create a separate PSP around just the High
Impact BCS.
2. Treat the entire building as a High PSP.
Slide 20
Western Electricity Coordinating Council
21. I’m a DP, is CIP v5 Applicable to Me?
• All DPs should implement a CIP-002-5.1 process to
evaluate their system to rule out anything that might
be applicable under the Impact Rating Criteria [IRC]
and Section 4.2.1.
• If the DP can demonstrate that NONE of its system are
applicable under this section, then they should
document the evaluation and its results.
• Under an abundance of caution, a best practice would
be to document a null list for R1.1, R1.2, and R1.3, then
apply its process at least every 15 calendar months to
ensure that no systems changed to the extent that they
came into scope under Section 4.2.1.
Slide 21
Western Electricity Coordinating Council
22. What if I have a UFLS/UVLS?
• If you have an applicable UFLS/UVLS under
section 4.2.1 (NERC, 2012 Nov 22, CIP-002-
5.1, p. 1), these BCS should be evaluated as
Low-impact under IRC 3.6 and, therefore, the
Facilities containing them should be listed as
Low-impact BES [R1.3].
• Any specific DP UFLS/UVLS has to meet both
conditions of Section 4.2.1.1 to come into
scope as Low-impact.
Slide 22
Western Electricity Coordinating Council
23. What About Blackstart Units?
• Black-start resources and their associated cranking paths
can come into scope under CIPv5 as Low-impact BES Assets
under two conditions:
– IRC 3.4: Systems and facilities critical to system restoration,
including Blackstart Resources and Cranking Paths and initial
switching requirements (CIP-002-5.1, p. 16), or
– Section 4.1.2.4: Each Cranking Path and group of Elements
meeting the initial switching requirements from a Blackstart
Resource up to and including the first interconnection point of
the starting station service of the next generation unit(s) to be
started (CIP-002-5.1, p. 1).
• You may have a small non-BES Generation unit and/or
cranking path facility that are included in a Restoration
plan. Talk to your RC and TOP to make sure that you do not.
Slide 23
Western Electricity Coordinating Council
24. Evaluation Results
• A prudent DP will evaluate its systems, at a
minimum, against IRC 3.4, 3.6, and Section 4.2.1
and document that it either has no applicable
systems or it has provided the appropriate
protections to its applicable systems.
• A DP with applicable systems that come into
scope under CIPv5 will generally have approved
null R1.1 and R1.2 lists, and a relatively short R1.3
list.
• A DP that does not have applicable systems
should have null lists for all three categories.
Slide 24
Western Electricity Coordinating Council
25. Summary
• A DP should not just assume it has no applicable
systems, implement the R1 process anyway.
• This approach is effectively no different from the LSE or
other Registered Entity that applied its RBAM every
year under CIPv3 to ensure its null lists of CAs and CCAs
were still valid.
• WECC’s compliance monitoring approach for DPs will
seek evidence that the DP implemented the process
required by CIP-002-5.1 and documented the results of
the evaluation of its systems to demonstrate
compliance with the CIPv5 Standards.
Slide 25
Western Electricity Coordinating Council