United States: FERC Proposes New Cybersecurity Controls For Bulk Electric System

The Federal Energy Regulatory Commission ("FERC") proposed to approve new cybersecurity management standards submitted by North American Electric Reliability Corporation ("NERC"). The new standards are intended to improve the reliability and resiliency of the U.S. bulk electric system.

FERC determined that the NERC-proposed reliability standards represents an "improvement" over the current reliability standard. Specifically, the proposal would (i) clarify the obligations pertaining to electronic access control for low-impact cyber systems, (ii) require mandatory security controls for transient electronic devices used at low-impact cyber systems (such as thumb drives and laptops), and (iii) require responsible entities to have policies for declaring and responding to CIP Exceptional Circumstances related to low-impact cyber systems.

In addition, FERC proposed that NERC develop certain modifications to the reliability standard. Specifically, FERC proposed that NERC (i) provide clear, objective criteria for electronic access controls for low-impact cyber systems and (ii) address the need to mitigate the risk of malicious code from third-party transient electronic devices. Further, FERC proposed to accept two violation risk factors and two violation severity levels associated with the new reliability standard.

FERC also accepted NERC's proposed effective date of the "first day of the first calendar quarter that is eighteen months after the effective date of [FERC's] order approving the proposed reliability standard."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.