NERC CIP Version ‘Free’

Much buzz as been flying around the air waves this past month regarding NERC’s release of CIP version 4. Most of this discussion is centered on two major concepts I have seen with nearly every security standard. One involves the concern over meeting requirements of one version of the standard with an expectation to turn around and meet the next version shortly afterward. This causes additional and often unnecessary financial strains to meet security requirements. The second involves determining the scope of affected components. During conversations with clients, the biggest concern regarding the changes from Version 3 to 5 is focused on CIP-002, asset classification. The following graphic provides a very high level overview of what guidance is provided for system scoping and identification from Version 3 to Version 4 and Version 4 to Version 5.
Continue reading