Introduction to NERC’s Requirements
Are you undertaking the development of a new power plant? This information gives you an idea of NERC compliance timing for new BES Generating Facilities.
NERC has a number of requirements that must be addressed. Some are pre-Commercial Operation Date (COD) and others like MOD-025, MOD-026 and MOD-027 standards have a compliance date that is 12 months after COD. Most of the emphasis however is on the PRC standards.
Below are listed the key NERC standards that pertain to new plant requirements:
Below are listed just the NERC CIP compliance requirements (R) for a new plant: These are mostly required prior to the Commercial Operation Date (COD).
- R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
- Control Centers and backup Control Centers.
- Transmission stations and substations.
- R1.1. Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset.
- R1.2. Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset.
- R1.3. Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).
- R2 The Responsible Entity shall:
- R2.1. Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1
- R2.2. Have its CIP Senior Manager or delegate approve the identifications required by Requirement R1 at least once every 15 calendar months, even it if has no identified items in Requirement R1.
- R1. Once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics:
- R1.2 For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any:
- R1.2.1 Cyber security awareness.
- R1.2.2. Physical Security Controls.
- R1.2.3. Electronic access controls.
- R1.2.4. Cyber Security Incident response.
- R1.2.5. Transient Cyber Assets and Removable Media malicious code risk mitigation.
- R1.2.6. Declaring and responding to CIP Exceptional Circumstances.
- R2. Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change.
- R3. Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change.
- R4. The Responsible Entity shall implement a documented process to delegate authority unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator.