The AESO is initiating Stakeholder engagement and seeking an initial round of comments from Stakeholders on the CIP-013 and Supporting Standards.
Prioritization of CIP Standards
The AESO and Stakeholders have agreed that aligning the Critical Infrastructure Protection (“CIP”) standards to the latest NERC versions is a top priority for industry. Increasing and evolving cyber threats are a high risk to the Alberta interconnected electric system (“AIES”), requiring the AESO and market participants to keep pace with security baselines and the latest technologies integrated in the updated CIP standards.
Through the ARS Program Enhancement Initiative, the AESO is currently undertaking significant enhancements to the ARS Program Lifecycle. To bridge the gap between current state and future state, the AESO is using the CIP standards to pilot aspects of the proposed risk-based approach and proposed enhancements to the ARS Program Lifecycle. The intent is to identify the methods that streamline the development and implementation of reliability standards through a “test and learn” approach and seek continuous feedback from Stakeholders as the consultation evolves.
At its November 21, 2022 Stakeholder session, the AESO shared its three-phase approach to new and upgraded CIP standard development:
- Phase 1: CIP-013 pilot incorporating dependent standards (CIP-003, CIP-005, CIP-010);
- Phase 2: CIP-004 and CIP-011;
- Phase 3: Align remaining CIP standards with latest NERC versions.
CIP-013-AB-2 and the Supporting Standards
The CIP-013 and Supporting Standards are focused on addressing new cyber security challenges facing the AIES:
- CIP-013-AB-2 introduces supply chain security. This reliability standard will mitigate cyber security risks to the reliable operation of the bulk electric system (“BES”) by implementing security controls for supply chain risk management of BES Cyber Systems.
- CIP-003-AB-8, CIP-005-AB-7, and CIP-010-AB-4 each have associated changes that support supply chain security:
  - CIP-003-AB-8 changes specify consistent and sustainable security management controls that establish responsibility and accountability for the protection of BES Cyber Systems;
  - CIP-005-AB-7 changes manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems; and
  - CIP-010-AB-4 changes seek to prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems.
Together, these four reliability standards will require all Responsible Entities with high-, medium-, and low-impact BES Cyber Systems to implement supply chain security.
The deadline for Stakeholders to provide comments to email@example.com is February 1, 2023. When submitting comments to the AESO, Stakeholders should ensure that the comments provided represent all interests within their organization. The AESO will publish all Stakeholder comments received by the deadline.
Visit the CIP-013-AB-2, CIP-003-AB-8, CIP-005-AB-7 & CIP-010-AB-4 page for more information on this consultation.
- Date & time: February 1, 2023, 12:00 AM MST