CIP-003-8: Exceptional Circumstances

CIP-003
Written By Jim Sheldon

(Originally posted on October 3, 2019)

90 days until CIP-003-7 becomes effective

What’s New?

We’ve updated our blog post format to make it easier to read and to combine it with our newsletter. We will still write blog posts but the newsletters will contain the same content as the blog posts.

In our last blog post we mentioned that CIP-003-8 was approved and becomes effective in April 1, 2020. From this point forward Version 8 will be our primary focus for CIP-003.

Version 2.0 of our CIP Low Impact Compliance Software (CLICS) is available. What will it do for you?

·         Automatically generate CIP Low Impact policies and plans.

·         Stoplight indicators provide quick visuals on upcoming requirements and timelines.

·         Storage and archiving locations for CIP evidence.

Low Impact Exceptional Circumstances

Exceptional Circumstances was introduced to Low Impact in CIP-003-7 R1.2.6. This requirement has a 15 month CIP Senior Manager review cycle, similar to the other Low Impact requirements.

The verbiage for R1.2.6 is shown below.

·         R1.2.6 Declaring and responding to CIP Exceptional Circumstances.

If that’s not anti-climatic I don’t know what is.

The entire requirement is for the responsible entity to include Exceptional Circumstances in their cyber security policies.

Processes must be documented to:

·         declare CIP Exceptional Circumstances, for example:

o    A total loss of power in the data center for more than 15 minutes.

o    Any event at the discretion of the CIP Senior Manager.

·         respond to CIP Exceptional Circumstances, for example:

o    Notify the incident Response Team.

o    Any response at the discretion of the CIP Senior Manager.

The processes can be simple or complicated. There are not any length or talking point requirements mandated by NERC. In fact, the standard does not define CIP Exceptional Circumstances.

The definition can be found in NERC’s Glossary of Terms here and is listed below.

CIP Exceptional Circumstance: A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or BES reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability.

To meet the requirement, document the processes that work best for your company and culture.

Just remember that the processes need to be reviewed by the CIP senior manager every 15 months.

Jim Sheldon
Previous

CIP Low Impact Standards: It's Go Time!
Next

CIP-003: The New Stuff - Part 4 - Transient Cyber Assets and Removable Media