On January 21, 2016, the Federal Energy Regulatory Commission (FERC) issued a final rule adopting seven revised critical infrastructure protection (CIP) Reliability Standards addressing cybersecurity of the electric grid, as initially proposed in July 2015. The revised standards were developed by the North American Electric Reliability Corporation (NERC), the FERC-certified Electric Reliability Organization, in response to FERC Order No. 791.
The revised standards, effective on July 1, 2016, are:
- CIP-003-6 (Security Management Controls), specifying security management controls that establish responsibility and accountability to protect grid cyber systems against compromise;
- CIP-004-6 (Personnel and Training), requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting grid cyber systems;
- CIP-006-6 (Physical Security of BES Cyber Systems), specifying a physical security plan to manage physical access to grid cyber systems;
- CIP-007-6 (Systems Security Management), specifying select technical, operational, and procedural requirements to manage system security by;
- CIP-009-6 (Recovery Plans for BES Cyber Systems), specifying recovery plan requirements in support of the continued stability, operability, and reliability;
- CIP-010-2 (Configuration Change Management and Vulnerability Assessments), specifying configuration change management and vulnerability assessment requirements to prevent and detect unauthorized changes to grid cyber systems; and
- CIP-011-2 (Information Protection), specifying information protection requirements to prevent unauthorized access to grid cyber systems information.
The final rule also includes a number of directives for NERC intended to facilitate enhanced protection of information and the physical security of cyber systems. The final rule also announces a FERC staff-led technical conference on January 28, 2016 to address the development by NERC of requirements for supply chain management for control system hardware, software and service.