On November 21, 2013, FERC approved, with modifications, the North American Electric Reliability Corporation’s (“NERC”) Version 5 Critical Infrastructure Protection (“CIP”) Reliability Standards, CIP-002-5 through CIP-011-1 (see April 22, 2013 edition of the WER). In addition to approving the Version 5 CIP Reliability Standards, FERC also approved 19 new or revised definitions for inclusion in the Glossary of Terms used in NERC Reliability Standards. FERC also ordered NERC to further revise the Version 5 Standards, and submit an informational filing one year from the effective date of the final rule. The order allows entities to transition from compliance with the currently-effective Version 3 CIP Standards to the new Version 5 CIP Standards, allowing Version 3 to remain effective and skipping over Version 4 CIP Standards.
The new Version 5 CIP Standards differ from the previously effective Standards because, for the first time, all cyber assets must now be categorized as Low, Medium, or High Impact assets. These designations mean that all cyber assets in the bulk electric system will now have some level of protection, based on the impact the cyber assets have on the grid. The Version 5 CIP Standards also include 12 new requirements with new cyber security controls.
While FERC approved the Version 5 CIP Standards, FERC directed NERC to make some modifications to the Standards. Specifically, FERC directed NERC to remove the language that required CIP Standards to be implemented in a manner that “identifies, assesses, and corrects” deficiencies. FERC stated that this requirement is ambiguous and conflicts with previous FERC statements regarding the enforceability and consistent application of this requirement. Also, FERC directed NERC to develop objective criteria which FERC and NERC can use to evaluate entities’ cyber protection for low impact cyber assets. This directive does not require NERC to develop a list of specific controls for low impact cyber assets, but NERC is free to do so if it desires.
FERC also directed NERC to develop requirements for transient devices (e.g., thumb drives, laptop computers, etc.) that are not included in the new definition of Bulk Electric System Cyber Asset – assets that, if compromised, would within 15 minutes of their assigned operation or non-operation adversely impact one or more facilities. In addition, FERC directed NERC to conduct a survey to determine the number and type of assets that fall outside the 15-minute parameter.
FERC also approved NERC’s revised definition of Cyber Asset – programmable electronic devices, including the hardware, software, and data in those devices – by removing the phrase “communication network.” However, FERC directed NERC to define “communication networks” and develop or modify Standards to address any potential reliability gaps created by deleting the phrase from the definition of Cyber Asset.
Finally, FERC approved the 24-month implementation period for High and Medium Impact assets and the 36-month implementation period for Low Impact assets. The Version 5 CIP Standards will become effective on the first day of the eighth calendar quarter after the Final Rule is issued.
A copy of the order is available here.