In a Notice of Proposed Rulemaking (NOPR) issued on April 18, 2019,  the Federal Energy Regulatory Commission (FERC or Commission) requested comments on proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-012-1 (CIP-012-1), a new cybersecurity rule requiring responsible entities to harden communication links and secure certain types of data transmitted between the Control Centers that operate the bulk electric system. Responsible entities include balancing authorities, generator operators, reliability coordinators, transmission operators and transmission owners that own or operate a Control Center. Conceived in response to the Commission’s directive in Order No. 822, proposed CIP-012-1 envisions a tiered data security framework with data security measures to be implemented based on an assessment of risk levels (low, medium, and high) associated with various aspects of responsible entities’ Control Centers. 

In the NOPR, the Commission states that it generally supports adoption of CIP-012-1, but that it would like to also see NERC propose modifications to clarify requirements concerning Control Center communication links and the Control Center data that would be subject to the proposed rule.

The Commission invites stakeholders to submit comments on the Commission’s NOPR regarding CIP-012-1 in FERC Docket No. RM15-14-000 by June 24, 2019.

The CIP Reliability Standards are designed “to mitigate the cybersecurity risks to bulk electric system facilities, systems, and equipment, which, if destroyed, degraded, or otherwise rendered unavailable as a result of a cybersecurity incident, would affect the reliable operation of the Bulk-Power System.”  In Order No. 822, the Commission directed NERC to modify the CIP Reliability Standards “to require responsible entities to implement controls to protect . . . communication links and sensitive bulk electric system data communicated between bulk electric system Control Centers in a manner that is appropriately tailored to address the risks posed to the bulk electric system by the assets being protected.”  The Commission also instructed NERC to “consider the differing attributes of bulk electric system data as it assesses the development of appropriate controls.”

NERC proposed CIP-012-1, a new CIP Reliability Standard, in response to the Commission’s directive in Order No. 822.  Proposed CIP-012-1 requires responsible entities to implement protocols that address the unauthorized disclosure and modification of Real-time Assessment and Real-time Monitoring data that are transmitted between Control Centers.  The protocols must include specific, identified security protections and, for situations that involve communications between Control Centers operated by different responsible entities, an allocation of responsibilities as between or among the entities involved.

The Commission’s NOPR proposes to approve proposed CIP-012-1; however, the Commission recommends that NERC revisit proposed CIP-012-1 to: 

  • address availability of communication links between Control Centers more specifically, especially as necessary to communicate monitoring, operational, and system planning data;
  • establish clearer controls required for secure transmission and storage of critical Control Center data; and
  • provide clear definitions of the “Real-time Assessment” and “Real-time Monitoring” data that is specifically addressed by the proposed Rule. 

What this means for responsible entities:

These proposed security measures will require responsible entities to focus even more on the transfer and exchange of Control Center data. Balancing authorities, generator operators, reliability coordinators, transmission operators, and transmission owners that own or operate a Control Center should consider carefully the changes to existing systems that will be required with this new Reliability Standard, both as written and as it may be modified based on FERC’s request for comments.  Those tasked with implementing system changes to meet the dictates of CIP-012-1 once adopted and the responsible entities that must comply with CIP-012-1 should seriously consider this opportunity to provide input to the Commission on practical, actionable changes that will enhance the security of the bulk electric system by submitting comments in response to the Commission’s NOPR. 

Comments on the Commission’s NOPR proposing modifications to CIP-012-1 are due June 24, 2019.