Low-impact assets and NERC CIP-003-9: Should dos vs must dos – Combined Cycle Journal

Perhaps the best way to think about how to respond to NERC CIP-003-9, which seeks to protect the bulk electric system from a coordinated attack on smaller, low-impact assets that could result in a catastrophic event on the interconnected system, is this: Rather than thinking in terms of complying with the new standard, think about defending yourself in court after a malicious attack through your facility.

The panel of specialists in the second of three NAES webinars on the subject put it a bit more gingerly: What you should do vs what you must do. Example: Regarding remote access by vendors, a site must determine who, how, and where vendors access devices and have a program to document its methodology for remote access controls. What should you do? The panel suggests automating the detection of vendor access, alarming occurrences of such access (to the control room, for example), and logging and recording all sessions in which vendors made changes to the system.

That might not sound so terrible until you realize that some of your primary vendors might have fifty people authorized to access equipment on your site remotely.

Here’s another example: A site must have procedures to disable access to the network boundary (not the device) and physical or electronic methods for removing access. What you should do is:

  • Have granular controls per vendor
  • Test and validate controls per vendor and cyber-asset
  • Have methods for terminating a previously authorized session (even mid-session)
  • Form a global access management team with a two-man rule
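The "should dos" for vendor remote access and for removing access can be modeled in a few lines. The following is an added example, not material from the webinar, NAES or NERC: it assumes a remote-access gateway that emits simple events, and the vendor names, asset names, event fields and the `Monitor` class are all hypothetical.

```python
from dataclasses import dataclass, field

# Constructed policy: vendor -> cyber assets it may reach (per-vendor, per-asset).
ALLOWED = {"vendor-a": {"hmi-01", "plc-07"}, "vendor-b": {"historian-01"}}
# Constructed gateway events: (time, event, session id, vendor, asset, detail).
EVENTS = [
    ("08:00:05", "connect", "s1", "vendor-a", "plc-07", ""),
    ("08:02:10", "change", "s1", "vendor-a", "plc-07", "setpoint edit"),
    ("08:05:00", "connect", "s2", "vendor-b", "plc-07", ""),
    ("08:10:00", "revoke", "", "vendor-a", "", "access withdrawn"),
    ("08:11:00", "change", "s1", "vendor-a", "plc-07", "logic download"),
]

@dataclass
class Monitor:
    allowed: dict
    active: dict = field(default_factory=dict)    # session id -> (vendor, asset)
    alarms: list = field(default_factory=list)    # (time, message) for the control room
    changes: dict = field(default_factory=dict)   # session id -> recorded changes
    terminated: list = field(default_factory=list)

    def handle(self, ts, event, sid, vendor, asset, detail):
        if event == "connect":
            if asset not in self.allowed.get(vendor, set()):
                self.alarms.append((ts, f"DENIED {vendor} -> {asset}"))
                self.terminated.append(sid)
                return
            self.active[sid] = (vendor, asset)
            self.alarms.append((ts, f"VENDOR ACCESS {vendor} -> {asset}"))
        elif event == "change":
            if sid in self.active:
                self.changes.setdefault(sid, []).append((ts, detail))
            else:
                self.alarms.append((ts, f"CHANGE ON CLOSED SESSION {sid}"))
        elif event == "revoke":
            self.allowed.pop(vendor, None)
            for s, (v, _) in list(self.active.items()):
                if v == vendor:  # cut off a previously authorized session mid-session
                    del self.active[s]
                    self.terminated.append(s)
                    self.alarms.append((ts, f"TERMINATED {s} ({vendor})"))
        elif event == "disconnect":
            self.active.pop(sid, None)

def run(events=EVENTS, allowed=ALLOWED):
    mon = Monitor({v: set(a) for v, a in allowed.items()})
    for e in events:
        mon.handle(*e)
    return mon
```

Calling `run()` on the constructed events yields one alarm per vendor connection, a denial for the vendor reaching an asset outside its list, and a forced termination of the live session when that vendor's access is revoked.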

There are several of these examples available in the recording of the webinar.

The panel concedes that some of the key language in the draft is fuzzy, but NERC will be making modifications during the 18 months owner/operators have to comply. The term asset, for example, is not explicitly defined in 003 (unlike in 002); thus, it is difficult to define the scope of a site implementation. Another term, the asset boundary, which experts call a “term of art,” is not a NERC-defined term.

What should sites do now? That’s difficult to say, but be prepared for today’s “shoulds” to become tomorrow’s “musts.”

Access CCJ recaps and recordings of the three webinars here:
