On October 18, 2018, in Order No. 850, the Commission approved new Critical Infrastructure Protection (“CIP”) Reliability Standards submitted by the North American Electric Reliability Corporation (“NERC”) in response to the Commission’s directive in Order No. 829. The new CIP Reliability Standards require responsible entities to take additional actions to address cybersecurity risks associated with the supply chain for Bulk Electric System (“BES”) Cyber Systems. FERC directed NERC to submit modifications to the new CIP Reliability Standards within 24 months of the effective date of its order, which is 60 days after the order’s publication in the Federal Register.
In Order No. 829, the Commission required NERC to develop new or modified Reliability Standards to address supply chain risk management for industrial control system hardware, software, and computing and networking services (see July 26, 2016 edition of the WER). The Commission specified in Order No. 829 that the Reliability Standards should focus on the following four security objectives: (1) software integrity and authenticity; (2) vendor remote access protections; (3) information system planning; and (4) vendor risk management and procurement controls. On September 26, 2017, NERC submitted for Commission approval proposed Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3. NERC explained that the new CIP Reliability Standards, which apply only to medium and high impact BES Cyber Systems, are designed to augment the currently effective CIP Reliability Standards in order to mitigate supply chain risks. In January 2018, the Commission issued a Notice of Proposed Rulemaking (“NOPR”) proposing to approve the three CIP Reliability Standards (CIP-013-1, CIP-005-6, and CIP-010-3) upon determining that the standards are consistent with the objectives of Order No. 829 (see January 24, 2018 edition of the WER).
The Commission approved the new CIP Reliability Standards upon determining that they sufficiently satisfy the directives of Order No. 829. The approved new and revised CIP Reliability Standards are: (i) CIP-013-1 (Cyber Security – Supply Chain Risk Management); (ii) CIP-005-6 (Cyber Security – Electronic Security Perimeter(s)); and (iii) CIP-010-3 (Cyber Security – Configuration Change Management and Vulnerability Assessments). However, the Commission concluded that a significant cybersecurity risk associated with the supply chain for medium and high impact BES Cyber Systems remains, because the approved CIP Reliability Standards do not address Electronic Access Control or Monitoring Systems (“EACMS”). Therefore, the Commission directed NERC to develop modifications that bring EACMS associated with medium and high impact BES Cyber Systems within the scope of the supply chain risk management Reliability Standards.
In addition to approving the new and revised CIP Reliability Standards, the Commission also approved NERC’s proposed: (i) implementation plan, under which the supply chain risk management Reliability Standards will become effective on the first day of the first calendar quarter that is 18 months following the effective date of the order; and (ii) violation risk factor and violation severity level assignments.
A copy of the Commission’s order is available here.