Market Participant Comment and Rationale Form AESO AUTHORITATIVE DOCUMENT PROCESS
Market Participant Consultation Draft 2013-12-12

Consultation on Proposed New Critical Infrastructure Protection (“CIP”) Alberta Reliability Standard: CIP-007-AB-5 Systems Security Management (“CIP-007-AB-5”)

Date of Request for Comment [yyyy/mm/dd]: Period of Consultation [yyyy/mm/dd]: 2014/02/07 2013/12/12
Comments From: Syncrude Canada Ltd.
Date [yyyy/mm/dd]: 2014/02/07 through 2014/02/07
Contact: Christine Tran
Phone: (780) 790-4412
E-mail: [email protected]

Listed below is the summary description for the proposed new sections of the Alberta reliability standards. Please refer back to the Consultation Letter under the “Attachments” section to view the actual proposed content to the Alberta reliability standards. Please place your comments/reasons for position underneath (if any).

1. CIP-007-AB-5

a) New

The AESO is seeking comments from market participants with regard to the following matters:

1. Are there any requirements contained in CIP-007-AB-5 that are not clearly articulated? If yes, please indicate the specific section of CIP-007-AB-5, describe the concern and suggest alternative language.
2. Do market participants have any concerns that CIP-007-AB-5 is not capable of being applied in Alberta? If appropriate, please indicate the specific section of CIP-007-AB-5 and describe the concern.
3. Do market participants disagree with any CIP-007-AB-5 Alberta variances that are contained in CIP-007-AB-5? If appropriate, please indicate the specific section of CIP-007-AB-5, describe the concern and suggest alternative language.

Market Participant Comments and/or Alternative Proposal
Comment # 1: Insert Comments / Reason for Position (if any)

AESO Replies
AESO Reply # 1: AESO to provide
b) Other

[Note to Market Participants: please copy and paste the section of CIP-007-AB-5 being commented on here]

CIP-007-AB-5

Table R2 Part 2.1:
Requirement: A patch management process for tracking, evaluating, and installing cyber security patches for applicable cyber assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable cyber assets that are updateable and for which a patching source exists.

Table R5 Part 5.1:
Requirement: Have a method to enforce authentication of interactive user access, where technically feasible.

Comment # 1: Insert Comments / Reason for Position (if any)

Syncrude would like to request AESO to provide clarification in the case of a turnkey control system computer provided by an automation vendor which uses the Windows operating system. Is the patch source in this case the automation vendor or Microsoft?

Experience indicates that the safety & operational risks to require an operator to authenticate on an attended (24 x 7) console panel far exceed the security risk. In addition, please clarify applicability of R5.1 for systems that control physical security access systems.

AESO Reply # 1: AESO to provide

Issued for Market Participant Consultation: 2013-12-12