FERC Proposes Adoption of New Cybersecurity Standards

The Federal Energy Regulatory Commission (FERC) last week proposed a rule that it says could strengthen cybersecurity for the bulk electric system. The rule intended to improve the security posture of responsible entities was submitted in January 2013 by the North American Electric Reliability Corp. (NERC), and it constitutes version 5 of the Critical Infrastructure Protection (CIP) Reliability Standards.

The 78-page proposal essentially includes 12 requirements with new cybersecurity controls that address Electronic Security Perimeters, Systems Security Management, Incident Reporting and Response Planning, Recovery Plans for BES Cyber Systems, and Configuration Change Management and Vulnerability Assessments. It also would use a "new, tiered approach to identifying and classifying bulk electric system cyber assets that is a step toward applying CIP protections more comprehensively to better assure protection of the bulk electric system," FERC said.

The proposal from NERC, the FERC-certified reliability organization for the North American bulk electric system, is said to represent an "improvement" of current commission-approved CIP reliability standards, but FERC expressed concern that "limited aspects of the proposed CIP version 5 Standards are potentially ambiguous and, ultimately, raise questions regarding the enforceability of the standards."

FERC specifically identified 17 requirements in the new suite of CIP standards that had language that required the responsible entity to "implement the requirement in a manner to ‘identify, assess, and correct’ deficiencies. This language is unclear with respect to the compliance obligations it places on regulated entities, and it is too vague to audit and enforce compliance, FERC cautioned. "For example, it is unclear whether the inclusion of the ’identify, assess and correct‘ language in the requirements imposes one obligation on the responsible entity (i.e., to ensure the entity has a process in place to identify, assess and correct a violation) or two obligations (i.e., to (1) ensure the entity has a process in place to identify, assess and correct a violation and (2) to ensure that the underlying substantive requirement is not violated)."

FERC said it was seeking public comment (closing in 60 days from publication in the Federal Register) on the ambiguous language to alleviate those concerns. It said that depending on comments and explanations received, it would direct NERC to modify the proposal or remove the language.

FERC said that otherwise, it would recommend approval of NERC’s proposed CIP version 5 standards, saying they should assist in a more robust cybersecurity posture for the industry.

"The Commission recognizes the ongoing challenge of developing and maintaining meaningful cyber security requirements that set a baseline for protection of the nation’s bulk electric system from cyber vulnerabilities," it said. "Users, owners and operators of the bulk electric system must adapt to changing threats and cyber technologies to assure the ongoing security of the nation’s critical infrastructure."

Sources: POWERnews, FERC

—Sonal Patel, Senior Writer (@POWERmagazine, @sonalcpatel)

NOTE: This story was originally published on April 24