On September 15, 2011, FERC issued a Notice of Proposed Rulemaking (“NOPR”) proposing to approve revisions to eight critical infrastructure protection (“CIP”) reliability standards, CIP-002-4 through CIP-009-4, which were developed and submitted to the Commission by the North American Electric Reliability Corporation (“NERC”).
The proposed “Version 4” CIP Standards provide a new framework for the identification and protection of Critical Cyber Assets that support the Bulk-Power System. The new Version 4 CIP Standards would replace the currently-effective Version 3 CIP Standards.
FERC stated that the proposed Version 4 CIP Standards would make three general changes: (1) Version 4 will result in the identification of certain types of Critical Assets that may not be identified under the current approach; (2) Version 4 eliminates Responsible Entities’ discretion in identifying Critical Assets by requiring the use of the 17 bright line criteria to identify Critical Assets; and (3) Version 4 provides a level of consistency and clarity regarding the identification of Critical Assets.
The NOPR proposes to modify CIP-002-4 to include 17 “bright line” criteria for the identification of Critical Assets, instead of using the current risk-based assessment methodology in CIP-002-3. Specifically, proposed Reliability Standard CIP-002-4 contains three requirements:
- Requirement R1 provides that each Responsible Entity must annually develop a list of its identified Critical Assets using 17 specified criteria;
- Requirement R2 provides that each Responsible Entity must develop a list of Critical Cyber Assets associated with the Critical Assets identified pursuant to R1. The proposed R2 does not change the qualifications of a Critical Cyber Asset. However, in the context of generating units at a single plant location, R2 limits the designation of Critical Cyber Assets to Cyber Assets shared by a combination of generating units whose compromise within 15 minutes results in the loss of generation capability equal to or higher than 1,500 MW; and
- Requirement R3 provides that a senior manager or delegate for each Responsible Entity approve annually the list of Critical Assets and the list of Critical Cyber Assets, even if the lists contain no elements.
Proposed Reliability Standards CIP-003-4 through CIP-009-4 contain only changes to conform with CIP-002-4.
The Commission also proposed to approve Violation Risk Factors (“VRF”) and Violation Severity Levels (“VSL”) with modifications. The Commission proposed to direct NERC to modify the proposed VSLs for CIP-002-4, Requirements R1 and R2, to address a failure of a Responsible Entity to identify either Critical Assets or Critical Cyber Assets. This would include a failure to identify a Critical Asset, whether inadvertently or through misapplication of the bright line criteria.
The Commission proposed to adopt NERC’s implementation plan and effective date, under which full compliance with the Version 4 CIP Standards would be required on the first day of the eighth calendar quarter after applicable regulatory approvals have been received. The Commission stated that the Version 4 CIP Standards are an interim step, and directed the electric industry and NERC to develop an approach to cybersecurity to ensure that the electric grid can withstand a cybersecurity incident.
Comments on the NOPR are due 60 days after publication in the Federal Register.
A copy of the NOPR is available here.