On April 18, 2013, FERC issued a Notice of Proposed Rulemaking (“NOPR”) to approve the North American Electric Reliability Corporation, Inc.’s (“NERC”) Version 5 Critical Infrastructure Protection (“CIP”) Reliability Standards. The proposed CIP standards include 10 new or modified standards that implement various cyber security measures and will expand the type of facilities that must adhere to the CIP requirements. If approved, the new CIP standards will replace the Version 4 standards, which are scheduled to take effect in April 2014.
NERC originally submitted its proposed Version 5 CIP standards to FERC on January 31, 2013. The proposed standards revise CIP-002 through CIP-009 and create two new CIP standards, CIP-010-1 and CIP-011-1. Notably, the proposed standards create a new approach to classifying Bulk Electric System (“BES”) Cyber Systems and associated BES Cyber Assets – assets that would affect the reliable operation of the grid if out of operation – using an impact criteria rating. The rating system classifies BES Cyber Systems into three categories (“High Impact,” “Medium Impact,” and “Low Impact”) according to the amount of impact these systems would have on the grid if they were out of operation. The currently-effective CIP standards only require the identification of critical assets, not sub-designations of those assets, and do not cover facilities that would qualify as Low Impact Cyber Assets under the proposed Version 5 standards. Once a BES Cyber System is identified and grouped into one of the three categories, the facility must comply with the requirements detailed in its corresponding impact category.
In addition to the impact categories, the proposed CIP standards contain language throughout requiring entities to implement cyber policies in an approach to “identify, assess, and correct” cyber deficiencies. NERC stated that the “intent [of this language] is to change the basis of a violation in these requirements so that they are not focused on whether there is a deficiency, but on identifying, assessing and correcting deficiencies.” Lastly, because the Version 4 CIP standards will not become effective until April 2014, NERC requested a transition from the currently-effective Version 3 CIP standards directly to the Version 5 CIP standards.
While FERC proposed to approve the new CIP standards in the NOPR, FERC also requested comment on a number of issues. Specifically, FERC requested comment on the “identify, assess, and correct” language, which FERC stated was not sufficiently explained and unclear in regard to actual compliance and enforcement. Additionally, FERC stated it was concerned with the requirements that a Low Impact BES Cyber System must implement. FERC stated that under the proposed CIP standards, a Low Impact Cyber System is not required to implement any actual cyber security protections; instead, they are only required to have documented cyber security policies. FERC proposed to have NERC modify its proposal so that responsible entities adopt specific security controls, and sought comments on its proposal. Finally, in terms of NERC’s proposed transition from the Version 3 CIP standards to the Version 5 CIP standards, FERC stated that while it supported the transition, FERC requested comment on whether the proposed 24-36 month implementation period was necessary, and whether facilities could achieve compliance within a shorter timeframe.
A copy of the NOPR is available here.