On April 18, 2013, the Federal Energy Regulatory Commission (“FERC”) issued a notice of proposed rulemaking (the “NOPR”) stating that it intends to approve Version 5 of the Critical Infrastructure Protection (“CIP”) Reliability Standards submitted by the North American Electric Reliability Corporation (“NERC”), which pertain to the cyber security of the bulk electric system.
The proposed CIP Version 5 Reliability Standards include ten new or modified Reliability Standards to address Bulk Electric System (“BES”) Cyber System Categorization, Security Management Controls, Personnel and Training, Electronic Security Perimeters, Physical Security of BES Cyber Systems, Systems Security Management, Incident Reporting and Response Planning, Recovery Plans for BES Cyber Systems, Configuration Change Management and Vulnerability Assessments, and Information Protection. In connection with the Version 5 CIP Reliability Standards, FERC had directed NERC to monitor the development of the National Institute of Standards and Technology (“NIST”) standards. Consistent with the NIST Risk Management Framework, the CIP Version 5 Reliability Standards provide for low, medium, and high categorization. The two frameworks differ, however, in what drives the categorization: the NIST Risk Management Framework categorizes systems based on the impact of a loss of confidentiality, integrity, or availability, whereas CIP-002-5 categorizes assets based on their impact on the reliability of the bulk electric system. While FERC stated that it would accept NERC’s approach at this time, it indicated that it may revisit the categorization of assets under the CIP Reliability Standards in the future.
NERC also proposed definitions for “BES Cyber Asset” and “BES Cyber System,” to which the CIP Version 5 Reliability Standards would apply. Importantly, the CIP Version 5 Reliability Standards apply a minimum classification of “Low Impact” for all BES Cyber Systems, and the Low, Medium, or High Impact classifications serve to establish the applicable set of requirements under the CIP Version 5 Reliability Standards with which a responsible entity must comply.
The NOPR further provides that FERC intends to accept NERC’s proposal to allow responsible entities to transition directly from compliance with the currently-effective CIP Version 3 standards to the Version 5 standards, meaning that the CIP Version 4 standards would be retired prior to the April 1, 2014 mandatory compliance deadline for such standards.
FERC has requested comments on a number of issues identified in the NOPR, including, among other things, whether the requirements imposed on responsible entities are vague and/or ambiguous, whether the implementation periods proposed by NERC are necessary, and whether certain new or revised definitions proposed by NERC for inclusion in the NERC Reliability Standards are appropriate. FERC also identified communications security and the use of cryptography, remote access, and adoption of certain aspects of the NIST Risk Management Framework as three areas in which the CIP Version 5 Reliability Standards could be improved and invited comments on these topics as well. Comments on the NOPR are due on June 24, 2013.