On October 19, 2017, FERC issued a Notice of Proposed Rulemaking (“NOPR”) proposing to direct the North American Electric Reliability Corporation (“NERC”) to modify the Critical Infrastructure Protection (“CIP”) Reliability Standard, CIP-003-7 (Cyber Security – Security Management Controls), which is intended to mitigate cyber security risks posed by malware from ‘transient electronic devices’ (such as laptops and thumb drives) used at low-impact cyber systems. FERC stated in the NOPR that, once those modifications have been made, it plans to make the new reliability standard effective approximately 18 months after FERC approval.
As background, on January 21, 2016, in Order No. 822, FERC approved seven CIP Reliability Standards that addressed the risks presented by transient electronic devices, such as laptops and thumb drives, used at high- and medium-impact cyber systems. At that time, FERC also directed NERC to modify the CIP Reliability Standards to provide similar protection for similar transient electronic devices used at low-impact cyber systems. On March 3, 2017, NERC submitted the proposed Reliability Standard CIP-003-7 to address low-impact cyber systems.
In its October 19 NOPR, FERC proposed to approve NERC’s Reliability Standard CIP-003-7 and related proposals pending NERC’s modifications to the standard. While FERC determined that the proposed standard improved upon the current FERC-approved CIP Reliability Standards, FERC redirected NERC to make additional modifications to CIP-003-7. Specifically, FERC ordered NERC to (1) develop criteria regarding electronic access controls for low-impact cyber systems and (2) address the mitigation of risks posed by third-party transient electronic devices.
Comments on FERC’s NOPR are due sixty (60) days after publication in the Federal Register. A copy of the order may be found here.