Similarly, on April 18, 2013, the Federal Energy Regulatory Commission (Commission or FERC) issued a Notice of Proposed Rulemaking (NOPR) to approve Version 5 of the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) Reliability Standards, a group of mandatory cybersecurity regulations applicable to much of the electric industry. Version 5 features bright-line criteria identifying systems critical to the reliability of the electric grid and introduces risk-based categorization of these systems.
In the NOPR, the Commission states that the Version 5 CIP Standards will improve the currently approved CIP Reliability Standards but expresses significant concern regarding the enforceability of a new and much-lauded feature of Version 5 - the so-called “identify, assess, and correct” requirements - which emphasize continuous monitoring and improvement of various cybersecurity programs instead of penalization for all compliance violations. The Commission also expresses concern regarding the sufficiency of protections for “low impact” cyber systems. Specifically, the Commission asks whether it should direct NERC to provide further detail regarding the required content of cybersecurity policies and procedures applicable to low impact systems. Comments on the NOPR are due Monday, June 24, 2013.