Privacy & Information Security Law Blog

On July 16, 2015, the Federal Energy Regulatory Commission (“FERC”) issued a new Notice of Proposed Rulemaking (“NOPR”) addressing the critical infrastructure protection (“CIP”) reliability standards. The NOPR proposes to accept with limited modifications seven updated CIP cybersecurity standards. The NOPR also proposes that new requirements be added to the CIP standards to protect supply chain vendors against evolving malware threats and addresses risks to utility communications networks.

The CIP standards govern the cyber and physical security of the bulk electric system. They are mandatory and enforceable. Utilities that violate them are potentially subject to substantial financial penalties. CIP standards are developed, administered, and enforced by the North American Electric Reliability Corporation (“NERC”) subject to FERC’s oversight.

The NOPR identifies malware campaigns targeting supply chain vendors as a serious security threat that is not addressed by existing CIP standards. It therefore proposes to direct NERC to develop CIP requirements relating to supply chain management for industrial control system hardware, software and services. It offers specific guidance as to the elements that FERC believes such standards should have, including that they be forward-looking, objective-driven, and consistent with guidance offered in the National Institute of Standards and Technology (NIST SP 800-161).

In addition, the NOPR builds on earlier FERC orders conditionally accepting “version 5” of the CIP standards. Version 5 made various incremental improvements to earlier iterations of the CIP standards. FERC directed NERC to further revise the version 5 requirements to make them clearer, more specific, and more readily enforceable. It also instructed NERC to develop: (1) enhanced security controls for “low impact” assets; (2) controls to address the risks posed by “transient” electronic devices (e.g., thumb drives and laptops); and (3) a clearer definition of the term “communications networks.”

In response, NERC proposed seven updated “version 6” CIP standards in February that incorporated FERC’s directives. The new NOPR proposes to largely accept version 6 but requires NERC to broaden the scope of communications network protections from a limited group of control centers to “communication network components and data communicated between all bulk electric system Control Centers.” FERC also specifically seeks comments on the sufficiency of existing CIP controls regarding remote access used in relation to bulk electric system communications.

FERC’s actions are consistent with its history of continuously urging NERC to improve, and to broaden the scope of, the CIP standards. But the NOPR is also only the third time that FERC has proposed to use its authority to require NERC to propose a new reliability standard, highlighting the close attention that FERC has devoted to cybersecurity threats generally and its concern about evolving malware vulnerabilities in particular.

Written comments on the NOPR will be due 60 days after its publication in the Federal Register. If the proposed version 6 CIP standards are accepted they would supersede the not yet implemented version 5 standards and become effective no earlier than April 2016.