Critical Infrastructure Protection Standard Sought

July 24, 2016 by Jeff Shepard

The Federal Energy Regulatory Commission (FERC) acted last week to improve the cyber security of the bulk electric system by directing the North American Electric Reliability Corporation (NERC) to develop a new supply chain risk management standard that addresses risks to information systems and related bulk electric system assets.

In the new rule, FERC directed NERC to develop a forward-looking, objective-based Critical Infrastructure Protection (CIP) Reliability Standard that requires each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.

The new or modified Reliability Standard should address software integrity and authenticity; vendor remote access; information system planning; and vendor risk management and procurement controls. There is no requirement for any specific controls, nor does FERC require any “one-size-fits-all” requirements. The new or modified Reliability Standard should instead require responsible entities to develop a plan to meet the four objectives while providing flexibility to responsible entities as to how to meet those objectives. NERC is required to submit the new or modified Reliability Standard within one year of the effective date of the final rule. The final rule will take effect 60 days after publication in the Federal Register.

Also, FERC issued a Notice of Inquiry (NOI) into modifying CIP standards regarding the protection of control centers that are used to monitor and control the bulk electric system in real-time. Cyber systems are used extensively to operate and maintain interconnected transmission networks. The 2015 cyberattack on the electric grid in Ukraine is an example of how cyber systems used to operate and maintain interconnected networks more efficiently can have the unintended effect of creating cyber vulnerabilities.

In this case, the Commission is seeking comment on possible modifications, and any potential impacts they may have on the operation of the Bulk-Power System, to address separation between the internet and the cyber systems in control centers that perform transmission operator functions, and computer administration practices that prevent unauthorized programs from running, known as “application whitelisting,” for cyber systems in control centers. Comments on the NOI are due 60 days after publication in the Federal Register.