FERC Adopts Improvements to Critical Infrastructure Protection Standards

The Federal Energy Regulatory Commission (FERC) acted last week to improve the cyber security of the bulk electric system by approving revisions to seven critical infrastructure protection (CIP) Reliability Standards, including requirements for personnel and training, physical security of the bulk electric system’s cyber systems and information protection.

This final rule adopts revisions proposed in a July 16, 2015, Notice of Proposed Rulemaking (NOPR). It also directs the North American Electric Reliability Corporation (NERC), the Commission-certified electric reliability organization, to develop modifications to address:

• Protection of transient electronic devices used at low-impact bulk electric system cyber systems;
• Protections for communication network components between control centers; and
• Refinement of the definition for low-impact external routable connectivity.

Further, NERC must conduct a study that assesses the effectiveness of the CIP remote access controls, the risks posed by remote access-related threats and vulnerabilities, and appropriate mitigating controls.

The rule does not address a proposal in the NOPR directing NERC to develop requirements for supply chain management for control system hardware, software and services. That proposal will be the subject of a January 28, 2016, staff-led technical conference, after which the Commission will determine the appropriate next step.

The final rule takes effect 65 days after publication in the Federal Register.