FERC issues final rule on CIP reliability standards, minus supply chain management

A final rule on critical infrastructure protection (CIP) reliability standards approved by FERC Jan. 21 may be more notable for what it leaves out than for what it contains.

After hearing from a large contingent in the power sector that NERC should not be tasked with developing reliability standards on supply chain management for power grid equipment, a directive FERC had included in its notice of proposed rulemaking (NOPR), FERC stripped that element out of the final rule and approved the other CIP standards in the NOPR that address cybersecurity issues.

FERC staff said at the Jan. 21 meeting that FERC will address supply chain management issues after a Jan. 28 technical conference, which FERC had previously scheduled in response to industry comments and concerns about the NOPR.

Commissioners at the meeting praised FERC staff and others working on cybersecurity reliability standards, emphasizing that the work is continuous due to the evolving nature of cybersecurity protections. FERC Chairman Norman Bay said that the final rule highlights the importance of cybersecurity and that FERC continues to make progress improving CIP standards.

The final rule (Docket No. RM15-14) adopts revisions to seven CIP standards proposed in a July 16, 2015, NOPR, including requirements for personnel and training, physical security of the bulk electric system’s (BES) cyber systems and information protection, FERC said in a Jan. 21 statement.

The final rule also directs NERC to develop modifications to reliability standards proposed in the NOPR to address protections for communication network components between control centers and protection of transient electronic devices used at low-impact BES cyber systems. The final rule also calls for NERC to refine the definition for low-impact external routable connectivity, FERC said in the statement.

The transient electronic devices in the directive for NERC include “thumb drives” or laptop computers, FERC staff noted at the meeting.

In the NOPR, reliability standard CIP-010-2, for instance, called for entities to document and implement a plan for managing and protecting transient cyber assets and removable media in order to protect cyber systems from the risks associated with transient devices.

The final rule also calls for NERC to submit a study on the effectiveness of CIP remote access controls, the risks posed by remote access-related threats and vulnerabilities and appropriate mitigating controls, FERC said in the statement.

FERC Commissioner Cheryl LaFleur praised those who crafted the final rule for allowing the CIP reliability standards to emphasize grid protection based on the risk presented by different situations, since some risks are a higher priority for the power industry than others.

NERC and the power industry have made grid security a priority, NERC said in a Jan. 21 statement, adding that it appreciates the steps FERC took on revising the CIP reliability standards.

The actions addressed in the final rule “represent significant progress toward mitigating cyber risks to the bulk power system by addressing vulnerability assessments, security management controls, personnel and training, electronic security perimeters, incident reporting and response planning and recovery of cyber systems,” NERC said.

The issue of supply chain management was addressed in the NOPR, where FERC directed NERC to develop reliability standards on the issue, asserting that equipment made by vendors for use on the power grid presented a reliability gap that needed to be addressed. In the NOPR, FERC said that supply chain management is a vulnerability because recent malware campaigns targeting vendors have injected malware into a product or service while it is still under the control of the hardware or software vendor, before delivery to a customer such as a utility or independent system operator (ISO).

Power industry trade groups raised red flags about the NOPR and did not agree that a reliability gap exists on supply chain management. Utilities and others told FERC that vendors providing hardware and software equipment and services are part of a global supply network that is subject to best practices on security and grid reliability, and that business relationships that utilities and ISOs have with suppliers are not covered under FERC’s authority on reliability.

Among those filing comments were the ISO/RTO Council, the Edison Electric Institute, the American Public Power Association, the National Rural Electric Cooperative Association, the Electric Power Supply Association, the Electricity Consumers Resource Council, the Transmission Access Policy Study Group and the Large Public Power Council.

After reviewing comments on the NOPR, FERC in October scheduled the technical conference on supply chain management for Jan. 28.

The final rule takes effect 65 days after publication in the Federal Register, FERC said.