The basic difference between the two versions is that NERC CIP Version 4 is much more specific pertaining CIP 002 and the identification of Critical Assets. The result appears to be that control canters, substations, and generation facilities that utilities did not previously declare critical assets will be declared critical assets under version 4. This means that there will be an increase in scope as it relates to NERC CIP, because the critical assets which did not previously fall under NERC CIP will now be included in the scope of NERC CIP. This could conceivably be considered a part of a NERC strategic plan, as they get more and more assets into the scope of NERC CIP, in order to get utilities used to the idea of complying with the standards and getting programs into place. This would be in preparation for NERC CIP Version 5, which undoubtedly will bring most, if not all, utility control centers, substations and generation facilities into scope, in the context of the transmission system.
These changes also seem to imply that the critical assets can be identified by one utility by virtue of their plans and require other utilities who own them to facilitate their compliance with NERC CIP. This is a major impact, because a single utility will likely be unable to control what all of their critical assets are, and that is likely to force more collaboration amongst utilities.
Essentially, the security standards themselves are not really modified in the new version; the significant changes to the standards were only captured in CIP 002 . As a result, the scope of applicability to NERC CIP has changed what you have to do, but when you are included in that scope has not changed.
