On March 16, 2023, FERC approved a new cybersecurity reliability standard, CIP-003-9 (along with associated violation risk factors and violation security levels), proposed by the North American Electric Reliability Corporation (“NERC”).  CIP-003-9 focuses on supply chain risk management for low impact Bulk Electric System (“BES”) Cyber Systems and requires: (1) responsible entities to include the topic of “vendor electronic remote access security controls” in their cyber security policies; (2) entities with low impact BES facilities to have methods for identifying and disabling vendor remote access; and (3) entities with low impact BES facilities to have methods for detecting malicious communications for vendor remote access.  The new standard aims to prevent compromises to cyber systems in the event of a known or suspected malicious communication and will become effective 36 months after FERC’s approval.

NERC explained that it originally issued reliability standards for medium and high impact BES systems and concurrently directed further study of supply chain risks associated with low impact BES Cyber Systems.  NERC’s 2019 NERC Supply Chain Risk Assessment found that although  assets associated with low impact BES Cyber Systems pose a lower risk if compromised, low impact assets can also pose a threat to reliability. For example, there is a potential for greater security risks if multiple low impact assets are simultaneously compromised through remote access, or if a medium or high impact asset is accessed through a low impact asset.  A coordinated attack on multiple low impact assets with remote access connectivity could result in an event with interconnection-wide impact on the bulk electric system.

In light of this, on December 6, 2022, NERC proposed the revised cybersecurity reliability standard CIP-003-9 to focus on supply chain risk management for low impact BES Cyber Systems and enhance reliability controls that grant responsible entities additional visibility into threats. NERC emphasized that the proposal would limit the ability of hackers to infiltrate assets by leveraging trusted vendors.

FERC approved the new cybersecurity reliability standard, associated violation risk factors, and violation severity level assignments.  FERC agreed with NERC that the new standard will improve existing protections for the reliable operation of the bulk-power system by providing greater visibility into electronic communication between low-impact BES Cyber Systems and vendors. FERC also approved NERC’s implementation plan requiring the standard to become effective 36 months after FERC’s approval.  FERC explained that the implementation plan strikes an appropriate balance between the urgency to implement, the high number of assets containing low impact BES Cyber Systems, and supply chain constraints for equipment necessary to implement the new standard. Lastly, FERC approved the retirement of the currently effective cybersecurity reliability standard immediately prior to the effective date of the new reliability standard.

A copy of the order, issued in Docket No. RD23-3, can be found here.