United States: FERC Approves New CIP Reliability Standards Despite Concern Over Ambiguity In Multiple Areas

On April 18, 2013, the Federal Energy Regulatory Commission issued a Notice of Proposed Rulemaking recommending approval of the Version 5 Critical Infrastructure Protection Reliability Standards proposed by the North American Electric Reliability Corporation. In addition to approving the NERC proposal, FERC also is seeking comments on a number of identified areas of concern, and has ordered NERC to make one modification to the proposed standards.

What Are the New CIP Standards?

CIP Reliability Standards relate to cyber security of the bulk electric system. The Version 5 standards propose a new approach to identifying and classifying "BES Cyber Systems" as having potential for Low, Medium, or High Impact to the bulk electric system. Significantly, for registered entities with assets that will fall under the Low Impact category of BES Cyber Systems—the category under which the most assets will fall—FERC expressed concern regarding the proposed obligations under CIP-003-5, Requirement R2, the only requirement applicable to Low Impact systems. Requirement R2 compels entities to have documented cyber security policies for Low Impact systems, but does not require entities to implement actual cyber security protections. Concerned with the lack of specific protections for Low Impact BES Cyber Systems, FERC directed NERC to modify the requirement to "require responsible entities to adopt specific, technically-supported cyber security controls."

FERC Questions Implementation Plan

FERC has called into question the proposed implementation plan. FERC proposes to approve the transition from Version 3 of the CIP Reliability Standards directly to Version 5 of the CIP Reliability Standards, effectively retiring the Version 4 standards before they become effective. FERC, however, questioned the proposed 24-month implementation period for High and Medium Impact systems as well as the 36-month implementation period for Low Impact systems, and seeks comment on the justification for the length of the implementation periods and whether shorter implementation periods would be feasible.

Why Is This important?

The Version 5 CIP Reliability Standards mark an important change in compliance obligations for entities on the NERC Registry with cyber assets, and the final resolution of both the requirements for Low Impacts BES Cyber Systems and the implementation schedule will be important for many NERC registered entities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.