NERC CIP-011, BCSI and the Information Protection Program

Tuesday, November 11, 2025
10:00 AM PST | 01:00 PM EST
Duration: 90 Minutes
Speaker: Tom Alrich
Webinar Id: 61828

  • Live Session: $119.00 Single Attendee | $249.00 Group Attendees
  • Recorded Session: $159.00 Single Attendee | $359.00 Group Attendees
  • Combo (Live+Recorded): $249.00 Single Attendee | $549.00 Group Attendees

Overview:

BES Cyber System Information (BCSI) is information (e.g., IP addresses) that could be used to attack medium or high impact BES Cyber Systems. Requirement R1 of NERC standard CIP-011 requires a NERC entity with high or medium impact assets to develop an Information Protection Plan (IPP) for BCSI. Until 2024, that plan only needed to deal with BCSI stored on the NERC entity’s premises.

However, on January 1, 2024, a new version of CIP-011 Requirement R1, as well as a new CIP-004 Requirement R6, came into effect. CIP-011-3 R1.2 now implicitly requires the NERC entity to include protection of both “on-premise” and “off-premise” BCSI in their IPP. The latter includes protection of BCSI during its transmittal to, storage in and use by software running in the cloud (SaaS).

The new CIP-004-7 Requirement R6 requires protection of “provisioned access” to BCSI, including emergency access, by individuals not employed by the NERC entity. This includes access by employees of the SaaS provider or Platform Cloud Service Provider (CSP).

People who work for NERC entities and are concerned with these issues, as well as people who work for software companies that have customers subject to NERC CIP compliance, should take this course.

Why you should Attend:

The January 1, 2024, changes to the BCSI requirements raise two compliance concerns:

  • The protections for BCSI used by a SaaS application will need to be appropriately documented in the NERC entity’s Information Protection Plan. More importantly, the protections described in the plan (perhaps encryption and key management) need to match what is described in the compliance documentation provided by the SaaS provider.
  • If there is a possibility that a SaaS provider or Platform CSP employee will need provisioned access to the entity’s BCSI stored in the cloud, the NERC entity will need to have an agreement in place with the SaaS provider regarding which employees can be granted this access. The entity will also need to have compliance documentation from the SaaS provider showing they complied with the agreement.

This course will discuss the above compliance concerns and provide examples of IPP language and compliance documentation that might address those concerns.

Areas Covered in the Session:

  • The definition of BCSI. 
  • The three BCSI requirements: CIP-004-7 R6, CIP-011-3 R1 and CIP-011-3 R2.
  • Working with your SaaS provider to document how they protect BCSI in transit, at rest, and in use. 
  • Updating your Information Protection Plan to include the SaaS provider’s controls.
  • NERC guidance and guidelines on BCSI protection.
  • The meaning of “provisioned access” in CIP-004-7 R6, and when provisioned access might be necessary.
  • Negotiating a policy for provisioned access with the SaaS provider, if needed.

Who Will Benefit:

  • CISO and staff, Training Department, NERC Compliance Department, T&D Operations, and other departments in target companies who are concerned with operational security and compliance.
  • Sales and Technical Support Departments (for vendors to the power industry).
  • Individual employees who know NERC CIP is important to the company and want to learn about it to further their career.
  • People who work in other industries (or for consulting organizations) who would like to hear what lessons can be learned from the power industry’s experience with CIP.


Speaker Profile

Tom Alrich is an independent consultant and trainer specializing in two important topics:

Compliance with the rigorous NERC CIP cybersecurity standards, which apply to the control systems that monitor and operate the North American power grid. They are enforced by NERC and the Federal Energy Regulatory Commission (FERC); they carry maximum penalties of $1 million per violation. While these standards have been successful in securing the grid in the 15 years they have been in effect, they are increasingly inhibiting security by preventing many electric utilities and Independent Power Producers from utilizing cloud-based security software and services.

Software vulnerabilities, which “open the door” for the most successful cyber attacks. All software has vulnerabilities. These can never be eliminated, but they can be managed. However, management can only be successful if there are good data available on vulnerabilities, as well as data on the software or devices in which the vulnerabilities are found. Currently, two big US government programs are essential to providing that data: the CVE Program (run by the US Department of Homeland Security) and the National Vulnerability Database (run by the Department of Commerce). There are currently serious problems with both programs, and both are likely to undergo big changes in the coming years.