The Federal Energy Regulatory Commission has issued a proposed rulemaking to update Critical Infrastructure Protection Reliability Standards by expanding cyber security standards for the bulk electricity system, including hydroelectric projects.
The proposed rules (RM13-5), issued April 18, incorporate a proposal submitted to the commission in January by the North American Electric Reliability Corp., constituting Version 5 of the CIP Reliability Standards.
The proposal includes 12 requirements with new cyber security controls that address Electronic Security Perimeters, Systems Security Management, Incident Reporting and Response Planning, Recovery Plans for Bulk Electric System Cyber Systems, and Configuration Change Management and Vulnerability Assessments. It also would use a new, tiered approach to identifying and classifying bulk electric system cyber assets to apply CIP protections more comprehensively.
"We are essentially requiring private industry to support a national defense effort by contributing its time and money to protect the cyber security of the electric grid," Commissioner John Norris said. "To accomplish this massive undertaking, we must provide industry with the necessary tools. Frontline workers who will actually implement cyber security standards must have clearly defined requirements to help protect the grid from cyber attack."
Commissioner Cheryl LaFleur said the proposed Version 5 of the CIP standards is a significant improvement over the Version 3 standards, which she called "currently effective." She said Version 5 also is an improvement over Version 4 standards set to go into effect next April.
"Because we agree with NERC that this and other modifications represent a significant improvement over Versions 3 and 4, we propose to approve NERC's request to skip Version 4 and require compliance directly with Version 5," LaFleur said.
LaFleur compared the continual need to upgrade CIP standards to the iPhone.
"Just when you think you have the latest, greatest version, something new comes along -- something that has more coverage, a better user interface, or more features," she said. "... There is always room for improvement."
LaFleur said the commission still has some concerns about the change and requested comments from the public on certain elements.
"For example, language requiring entities to 'identify, assess, and correct' deficiencies may result in requirements that are unclear and difficult to audit or enforce," she said. "... We also seek comment on whether the two-year implementation period for Medium- and High-Impact assets and the three-year implementation period for Low-Impact assets are necessary, or can be accomplished more quickly."
Comments on the proposed rules are due to FERC 60 days after publication in the Federal Register.