FERC rulemaking to advance cyber security for bulk electric system

The Federal Energy Regulatory Commission has issued a proposed rulemaking to update Critical Infrastructure Protection Reliability Standards by expanding cyber security standards for the bulk electricity system, including hydroelectric projects.

The proposed rules (RM13-5), issued April 18, incorporate a proposal submitted to the commission in January by the North American Electric Reliability Corp., constituting Version 5 of the CIP Reliability Standards.

The proposal includes 12 requirements with new cyber security controls that address Electronic Security Perimeters, Systems Security Management, Incident Reporting and Response Planning, Recovery Plans for Bulk Electric System Cyber Systems, and Configuration Change Management and Vulnerability Assessments. It also would use a new, tiered approach to identifying and classifying bulk electric system cyber assets to apply CIP protections more comprehensively.

"We are essentially requiring private industry to support a national defense effort by contributing its time and money to protect the cyber security of the electric grid," Commissioner John Norris said. "To accomplish this massive undertaking, we must provide industry with the necessary tools. Frontline workers who will actually implement cyber security standards must have clearly defined requirements to help protect the grid from cyber attack."

Commissioner Cheryl LaFleur said the proposed Version 5 of the CIP standards is a significant improvement over the Version 3 standards, which she called "currently effective." She said Version 5 also is an improvement over Version 4 standards set to go into effect next April.

"Because we agree with NERC that this and other modifications represent a significant improvement over Versions 3 and 4, we propose to approve NERC's request to skip Version 4 and require compliance directly with Version 5," LaFleur said.

LaFleur compared the continual need to upgrade CIP standards to the iPhone.

"Just when you think you have the latest, greatest version, something new comes along -- something that has more coverage, a better user interface, or more features," she said. "... There is always room for improvement."

LaFleur said the commission still has some concerns about the change and requested comments from the public on certain elements.

"For example, language requiring entities to 'identify, assess, and correct' deficiencies may result in requirements that are unclear and difficult to audit or enforce," she said. "... We also seek comment on whether the two-year implementation period for Medium- and High-Impact assets and the three-year implementation period for Low-Impact assets are necessary, or can be accomplished more quickly."

Comments on the proposed rules are due to FERC 60 days after publication in the Federal Register.
