On January 21, 2016, the Commission approved revisions to seven Critical Infrastructure Protection (“CIP”) Reliability Standards developed and submitted by the North American Electric Reliability Corporation (“NERC”), all of which were previously proposed for approval in a July 16, 2015 FERC Notice of Proposed Rulemaking (“NOPR”). According to the Commission, the revised Reliability Standards are “designed to mitigate cybersecurity risks to bulk electric system facilities, systems, and equipment, which, if destroyed, degraded, or otherwise rendered unavailable as a result of a cybersecurity incident, would affect the reliable operation of the Bulk-Power System.”
The revised CIP Reliability Standards were developed and submitted by NERC in response to Order No. 791, which approved version 5 of the CIP Reliability Standards, but ordered NERC to submit a compliance filing addressing a number of directives (see March 24, 2014 edition of the WER).
In its January 21, 2016 order, the Commission concluded that the revised Reliability Standards sufficiently satisfied the directives from Order No. 791. However, the Commission further directed NERC to: (i) address, in an appropriately tailored manner, the risks posed by transient electronic devices (e.g., thumb drives, laptop computers) to Low Impact BES Cyber Systems; (ii) modify Reliability Standard CIP-006-6 to require protections for communication network components and data communicated between all bulk electric system Control Centers, according to the risk posed to the bulk electric system; (iii) modify the definition of Low Impact External Routable Connectivity in order to eliminate ambiguities in the language; and (iv) conduct a study that identifies the strength of the CIP version 5 remote access controls, the risks posed by remote access-related threats and vulnerabilities, and appropriate mitigating controls.
The Commission also noted that, in the July 16, 2015 NOPR, it had proposed to direct NERC to develop requirements relating to supply chain management for industrial control system hardware, software, and services. The Commission stated in its order that it would not issue such a directive at this time, but would instead determine the appropriate course of action after a January 28, 2016 technical conference on the issue.
The approved revised CIP Reliability Standards are: (i) CIP-003-6 (Security Management Controls); (ii) CIP-004-6 (Personnel and Training); (iii) CIP-006-6 (Physical Security of BES Cyber Systems); (iv) CIP-007-6 (Systems Security Management); (v) CIP-009-6 (Recovery Plans for BES Cyber Systems); (vi) CIP-010-2 (Configuration Change Management and Vulnerability Assessments); and (vii) CIP-011-2 (Information Protection).
In addition to approving the revised CIP Reliability Standards, the Commission approved NERC’s proposed: (i) implementation plan; (ii) violation risk factor and violation severity level assignments; and (iii) new or revised definitions for inclusion in the NERC Glossary of Terms Used in Reliability Standards, subject to modification of the term “Low Impact External Routable Connectivity,” as noted above.
A copy of the Commission’s order can be found here.