FERC Proposes Approval of Mandatory Cyber Security Standards
July 27, 2007
On July 20, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) proposing to approve eight Critical Infrastructure Protection (CIP) reliability standards and directing the North American Reliability Corporation (NERC) to modify certain standards to address specific concerns raised by FERC.1 The proposed CIP reliability standards include seven cyber security standards and one physical security standard.
Unlike other FERC-approved reliability standards which have been based on pre-existing voluntary standards,2 the CIP reliability standards are not modeled on existing protocols. Satisfying these new standards will entail significant operational changes and compliance efforts, including the direct involvement of senior management and significant investment in security upgrades.
Proposal
The proposed CIP reliability standards include cyber security and physical security standards that require certain owners, operators and users of the bulk-power system to comply with specific requirements to safeguard critical cyber assets. As an initial compliance step, each entity responsible for compliance with reliability standards would be required to identify critical cyber assets. The extent to which an entity must comply with the requirements of the CIP reliability standards would depend on the entity’s application of a risk-based vulnerability assessment methodology to identify and prioritize such assets.
FERC specifically seeks comment on its proposal to direct NERC to provide additional guidance as to the features and functionality of the methodology to be used in identifying critical cyber assets. Currently, there is little guidance in the standard.
FERC rejects language in the CIP reliability standards referring to “reasonable business judgment.” FERC finds that it is unreasonable in the context of implementing § 215 of the Federal Power Act to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own “business standards.”
FERC also proposes to approve NERC’s implementation plan, which includes a four-stage schedule for implementing the proposed CIP reliability standards over a three-year period. According to the implementation plan, entities must “begin work” on compliance upon registration with NERC, must be “substantially compliant” within 12 months of registration, and must be “compliant” within 24 months of registration. Entities must ultimately be “auditably compliant” by 2009 for certain requirements, and by 2010 for the remaining requirements.
For the interim period before an entity achieves “auditably compliant” status, FERC proposes that NERC develop a self-certification process to assess the status of compliance and, if necessary, assist entities in achieving full compliance in a timely manner. Further, FERC proposes to direct NERC to add a cyber security assessment to NERC’s existing readiness review process.
For Additional Information
Comments on the NOPR are due 60 days after publication in the Federal Register.
If you would like additional information on NERC’s proposed CIP reliability standards, or seek assistance in developing comments on the CIP reliability standards, please contact Gary Bachman, Cheryl Feik Ryan, Jay Ryan, Sheri Spang or any other member of our Electricity or Infrastructure Security practices at (202) 298-1800.
