In an effort to address the growing threat of cyber-attacks to the national power grid, the Federal Energy Regulatory Commission (FERC) approved revised reliability standards for cybersecurity management controls.
The Critical Infrastructure Protection standards, developed by the North American Electric Reliability Corporation (NERC), were first proposed in October 2017. As threats to critical infrastructure increase, the government moves to improve its ability to respond to cybersecurity attacks.
The revised Critical Infrastructure Protection (CIP-003-07) requires responsible entities to have a policy for declaring and responding to CIP exceptional circumstances and clarifies electronic access control for low-impact BES Cyber Systems.
An exceptional circumstance, as defined in the NERC glossary, is "a situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or bulk electric system reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability."
Recognizing the need to mitigate the risk a cybersecurity incident resulting from malicious code delivered through external devices such as laptops or USBs, the standards commission directed NERC "to conduct a study to assess the implementation of Reliability Standard CIP-003-7 to determine whether the electronic access controls adopted by responsible entities provide adequate security."
The findings of NERC's study must be submitted within 18 months of the revised standards effective date.
"Because most electric utilities were likely planning to implement electronic and physical access controls for low-impact BES Cyber Systems by September 1, 2018, FERC’s recent rule should provide them with more clarity about exactly what sort of electronic access needs to be protected," said Daniel Skees, partner, Morgan Lewis.
“Low-impact” facilities are far more numerous than high- and medium-impact facilities and include the oldest technology in a utility’s infrastructure. According to Skees, "The biggest challenge will be in identifying which facilities need to be compliant and mapping all of the electronic access into and out of those facilities so that appropriate electronic access controls can be applied."
Only after that analysis and cataloging process is complete can utilities implement the new controls.
In practice, the revised standards will present some challenges. Employees operating largely independently will be required to follow these processes correctly, often without supervision, said Skees. "Failures can be subject to significant fines, but any process requiring human controls is almost inherently going to have occasional failures."
The revised standards also include changes to the NERC glossary that either retire or clarify terms and aid to avoid ambiguity and simplify the electronic access control requirements.