This post is part of a coordinated series of blog posts examining the details of version 5 of the NERC Critical Infrastructure Protection (CIP) standards. These posts, written by various individuals having direct experience with these standards, will point out security gaps, ambiguities, and areas that could prove challenging to audit. The purpose of the posts is to highlight areas for future improvement, and to draw attention to issues for which entities may wish to apply greater diligence than is currently required by regulation.

In this simulpost between from the Anfield Group, Stacy Bresler discusses the differences between the Information Protection Program in CIP Version 3 and the new IPP in Version 5. Stacy maintains that some of the language will be confusing in an audit, and that should be looked at carefully while the Version 5 transition is going on. – MHT

Stacy BreslerThe Anfield Group

A bit of history (but not a history lesson)

The requirement to establish an Information Protection Program (or something similar) has existed in the CIP standards from the very beginning. When I say very beginning, I mean since FERC’s Standard Market Design (SMD) Notice of Proposed Rulemaking (NOPR) Appendix G (called the Cyber Security Standards for Electric Wholesale Market Operations Participants) where it had a single sentence that stated:

Critical electric facilities shall restrict the distribution of maps, floor plans and equipment layouts pertaining to those facilities, and restrict the use of signage indicating critical facility locations.

Since that NOPR failed, Urgent Action Standard 1200 was created in 2003 and had this to say about information protection (1210):

Read more at theAnfieldGroup.com.

title image by by itjournalist