On March 21, 2013, FERC issued an order disagreeing with the North American Electric Reliability Corporation’s (“NERC”) proposed interpretation of the Critical Infrastructure Protection (“CIP”) Reliability Standard dealing with identification of Critical Cyber Assets, CIP-002. FERC found that NERC’s proposed interpretation and petition did not provide “adequate justification” for leaving unprotected certain cyber assets that are “essential to the operation of associated Critical Assets.” The Commission’s order remands the interpretation to NERC for further consideration to address the Commission’s concern.
As the certified Electric Reliability Organization, NERC is required to respond to requests for interpretations of Reliability Standards. If the interpretation survives industry balloting and review by the NERC Board of Trustees, it is added to the Reliability Standard and filed with FERC for approval. NERC received a request for an interpretation regarding Requirement R3 of CIP-002-4, dealing with Critical Cyber Asset Identification. NERC had been asked to respond to two questions: (1) whether the phrase “Examples at control centers and backup control centers include system and facilities…” is meant to be prescriptive; and (2) what the phrase “essential to the operation of Critical Asset” means. The phrase “essential to the operation of Critical Asset” is contained within Requirement R2 of CIP-002-4, which requires the Responsible Entity to develop a list of Critical Cyber Assets “essential to the operation of the Critical Asset.”
NERC’s interpretation regarding the first question was that the examples of Critical Cyber Assets cited in Requirement R3 are “illustrative and not prescriptive” and are not intended to be an exhaustive list of the types of Critical Cyber Assets. As to the second question, NERC responded that a Cyber Asset that “may” be used – but is not “required” – for the operation of a Critical Asset is not “essential to the operation of the Critical Asset” under CIP-002-4, Requirement R3.
In its March 21 order, FERC agreed with NERC’s interpretation in response to the first question concerning an illustrative list. However, FERC disagreed with NERC’s proposed interpretation of “essential to the operation” of a Critical Asset. Specifically, FERC found that distinguishing between an asset that “may” be used and one that is “required” fails to account for items such as laptops, which are “inherent to or necessary for the operation of a Critical Asset.” FERC stated that NERC’s interpretation of “essential” could leave unprotected certain cyber assets that affect the operation of related Critical Assets. Furthermore, FERC expressed concern about remote access to Critical Cyber Assets and cited “Identifying Critical Cyber Assets,” developed by NERC in response to FERC’s Order No. 706, in support of the view that a laptop computer connected to an EMS network through the Internet, and used to “supervise, control, optimize, and manage generation and transmission systems,” would be considered essential.
FERC concluded that because NERC’s proposed interpretation did not otherwise justify leaving certain cyber assets essential to the operation of associated Critical Assets (such as laptops) unprotected, NERC’s proposed interpretation needed to be remanded. In addition, even though FERC agreed with the first part of NERC’s interpretation, the two responses were approved by the NERC Board of Trustees as a single interpretation, and therefore FERC remanded the entire interpretation.
A copy of FERC’s order is available here.