On April 19, 2012, FERC approved the North American Electric Reliability Corporation’s (“NERC”) revised standards for identifying assets subject to NERC’s critical infrastructure program (“CIP”). The revised standards replace NERC’s former risk-based approach with 17 uniform “bright-line” criteria. The new criteria are designed to indentify critical assets that may not have been identified by the former standards. The new criteria included control centers, transmission facilities, generating facilities, flexible AC transmission systems and special protection systems (a complete list of the critical asset criteria is available here).
FERC’s ruling, Order 761, is in furtherance of Order 706, requiring NERC to develop new CIP reliability standards for industry compliance. In addition, Order 706 required NERC to modify the risk-based methodology used to indentify critical cyber assets.
In response, NERC proposed the current “bright-line” criteria as an interim measure. While the new criteria do not satisfy all of Order 706, FERC accepted the revisions noting, “[it] is a step towards full compliance with Order 706.”
In accepting the new criteria, FERC offered guidance on how NERC can achieve full compliance with Order 706. The suggestions included eliminating the blanket exemption for nonroutable connected cyber systems and adopting a mutual distrust posture.
NERC stated that it plans to file another set of revised criteria by the third quarter of 2012. In response, FERC established a deadline for NERC to submit CIP reliability standards that are fully compliant with Order 706 six months from the end of the third quarter of 2012 (March 31, 2013). FERC also mandated that NERC submit quarterly progress reports on the status of its CIP efforts.
Order 761 will take effect on June 25, 2012.
A copy of Order 761 is available here. A copy of Order 706 is available here.