CIP-012-1 – Cyber Security – Communications between Control Centers

Purpose
To protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between Control Centers.

Applicability
4.1. Functional Entities: The requirements in this standard apply to the following functional entities, referred to as “Responsible Entities,” that own or operate a Control Center.

4.1.1. Balancing Authority
4.1.2. Generator Operator
4.1.3. Generator Owner
4.1.4. Reliability Coordinator
4.1.5. Transmission Operator
4.1.6. Transmission Owner

4.2. Exemptions: The following are exempt from Reliability Standard CIP-012-1:

4.2.1. Cyber Assets at Facilities regulated by the Canadian Nuclear Safety Commission.
4.2.2. The systems, structures, and components that are regulated by the Nuclear Regulatory Commission under a cyber security plan pursuant to 10 C.F.R. Section 73.54.
4.2.3. A Control Center that transmits to another Control Center Real-time Assessment or Real-time monitoring data pertaining only to the generation resource or Transmission station or substation co-located with the transmitting Control Center.

Effective Date
See Implementation Plan for CIP-012-1.

Requirements and Measures
R1. The Responsible Entity shall implement, except under CIP Exceptional Circumstances, one or more documented plan(s) to mitigate the risks posed by unauthorized disclosure and unauthorized modification of Real-time Assessment and Real-time monitoring data while being transmitted between any applicable Control Centers. The Responsible Entity is not required to include oral communications in its plan. The plan shall include: [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]

1.1. Identification of security protection used to mitigate the risks posed by unauthorized disclosure and unauthorized modification of Real-time Assessment and Real-time monitoring data while being transmitted between Control Centers;
1.2. Identification of where the Responsible Entity applied security protection for transmitting Real-time Assessment and Real-time monitoring data between Control Centers; and
1.3. If the Control Centers are owned or operated by different Responsible Entities, identification of the responsibilities of each Responsible Entity for applying security protection to the transmission of Real-time Assessment and Real-time monitoring data between those Control Centers.

M1. Evidence may include, but is not limited to, documented plan(s) that meet the security objective of Requirement R1 and documentation demonstrating the implementation of the plan(s).