As a result of federal legislation enacted after the large Northeast/Midwest blackout in 2003, electric utilities and other electric market participants in the United States are subject to mandatory reliability standards developed through stakeholder processes by the North American Electric Reliability Corporation (NERC) and enforced by the Federal Energy Regulatory Commission (FERC) with substantial financial penalties of up to US$1million per day for each standard violation.
Among the categories of mandatory electric reliability standards are Critical Infrastructure Protection (CIP) standards that were first adopted in 2008. Those standards required owners and operators of “Critical Cyber Assets” (CCA)1 to develop, maintain, and implement cybersecurity policies that cover, among other things, training and access restrictions for personnel with access to CCAs, procedures for managing electronic and physical security perimeters, software security, incident reporting and response planning, and recovery plans to restore CCAs following an incident.
In 2013, NERC proposed and FERC approved version 5 of the CIP standards, a wholesale revision and significant change in approach under the standards. The new standards will be phased in, starting on 1 July 2016. The most significant change in the version 5 standards is the methodology to be used and the requirements for identifying assets subject to the standards, as described below for standard CIP-002-5. The scope of the new standards are significantly broader than the prior version and owners and operators of smaller electric generation and transmission facilities and generation control centers will now be subject to the CIP standards for the first time.
The version 5 CIP standards (in some cases updated to version 6 to reflect clarifying changes ordered by FERC) include the following new and revised requirements:
This standard adopts a new category of assets subject to the CIP standards: BES Cyber Systems, which are defined as one or more “BES Cyber Assets”2 logically grouped by a responsible entity to perform one or more tasks for a functional entity. BES Cyber Systems are to be characterized as High, Medium, or Low Impact.
- High Impact are associated with large generation, transmission or electric system control centers.
- Medium Impact are associated with large or critical generation facilities, higher voltage transmission facilities, and smaller control centers.
- Low Impact are assets associated with smaller generation facilities, lower voltage transmission substations and lines, and control centers controlling less than 1500 MW of generation.
Any entity that owns or operates any of these types of facilities will need to undertake a comprehensive review of the criteria for identifying BES Cyber Systems. The new standards for High and Medium Impact BES Cyber Systems went into effect on 1 July 2016, but mandatory compliance for owners or operators of Low Impact BES Cyber Systems will not begin until 1 April 2017.
Requires each responsible entity to develop cybersecurity policies covering all of the requirements set out in all of the other CIP standards (for High and Medium Impact BES Cyber Systems) and covering cybersecurity awareness, physical and electronic security controls, and cybersecurity incident response (for Low Impact BES Cyber Systems).
Requires adoption of programs for security awareness, cybersecurity training, personnel risk assessment, and access management.
Requires implementation of specified security procedures to protect electronic security perimeters for High and Medium Impact BES Cyber Systems.
Requires implementation of specified security procedures to protect physical security of High and Medium Impact BES Cyber Systems.
Requires implementation of specified technical, operational, and procedural system security requirements to protect High and Medium Impact BES Cyber Systems.
Requires documentation, testing, and implementation of cybersecurity incident reporting and response plans for High and Medium Impact BES Cyber Systems.
Requires development and implementation of incident recovery plans for High Impact and certain Medium Impact BES Cyber systems
Requires development and implementation of change management and vulnerability assessments for High Impact and Medium Impact BES Cyber Systems.
Requires development and implementation of information protection programs for High Impact and Medium Impact BES Cyber Systems.
Requires owners and operators of large transmission lines and substations to perform physical security risk assessments for their facilities.