On January 18, 2008, the Federal Energy Regulatory Commission ("FERC") issued a final rule that adopted eight mandatory Critical Infrastructure Protection ("CIP") Reliability Standards developed by the North American Electric Reliability Corporation ("NERC") to protect the country’s bulk-power system from potential disruption from cyber attacks. Although implementation will occur over a three-year period and specific implementation issues remain unresolved at this time, each entity registered with NERC shall bear ultimate responsibility to identify its applicable "critical cyber assets" pursuant to its own risk-based assessment methodology and comply with each specific CIP Reliability Standard. Compliance with such standards shall be enforced by the eight regional reliability entities ("Regional Entity"), NERC and/or FERC under Section 215 of the Federal Power Act and non-compliance would implicate potential enforcement action and penalties.
The CIP Reliability Standards require bulk-power system users, owners and operators (i.e., NERC registered entities) to establish a risk-based assessment methodology to identify and prioritize critical cyber assets. Once these assets are identified, the standards require the responsible entities to establish plans, protocols and controls to safeguard physical and electronic access, train personnel on security matters, report security incidents and be prepared for recovery actions. With respect to the concern that certain entities not registered with NERC, such as owners of smaller facilities, may weaken the security of the system, FERC opted to rely on NERC and the Regional Entities to assure that the owner or operator of important assets, such as blackstart units, regardless of the size of the facility, is registered with NERC.
One of the most important aspects of these standards is the determination of whether an asset is deemed to be a "critical cyber asset," and thus subject to the CIP Reliability Standards, pursuant to an entity’s risk-based assessment methodology. NERC defines "critical cyber assets" as "cyber assets essential to the reliable operation of critical assets" and defines "critical assets" as "facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System." FERC adopted NERC’s proposal that each responsible entity should develop its own risk-based assessment methodology to identify its critical assets. However, after receiving many comments on this issue, FERC required that NERC provide additional guidance on the development of the assessment methodology and identified certain issues that NERC should consider when developing its guidance. An analysis of these CIP Reliability Standards, as modified by this order, and NERC’s future assessment methodology guidance should be a critical part of each responsible entity’s consideration, especially since FERC explicitly denied requests for blanket waivers or "safe harbors" for good faith compliance.
To the extent a responsible entity uses a third-party vendor for services, it is incumbent upon that entity to assure that its vendor also acts in compliance with the CIP Reliability Standards. These compliance issues, as well as the allocation of risks and liabilities through indemnification and other provisions, should be addressed in the entity’s contract with the vendor. Such contractual issues are important because the ultimate responsibility for compliance with the CIP Reliability Standards rests with the NERC registered entity regardless of the culpability of a third-party vendor resulting in a violation of a standard.
The order also focused on the parameters of "technical feasibility exceptions" which may apply to an entity to the extent existing equipment or facility configurations would render compliance unfeasible. FERC approved technical feasibility exceptions as long as the responsible entity (i) has developed, documented and implemented a mitigation plan that achieves a comparable level of security to the particular requirement at issue, (ii) has developed and implemented a remediation plan and timeline to eliminate the exception and (iii) has obtained written approval of these prior steps by the entity’s senior manager responsible for CIP Reliability Standards compliance. FERC clarified that the term "technical feasibility" should be interpreted narrowly, should not include considerations of "reasonable business judgment," but should include operational and safety considerations. FERC also directed NERC to develop the conditions or criteria that an entity must follow when relying on technical feasibility exceptions. In addition, FERC required that any exceptions be reported and justified to the relevant Regional Entity and be subject to approval by NERC on an ex post facto basis during the compliance audit process. It is unclear what enforcement steps would be taken should there be a determination, after the fact, that an exception was unjustified.
The three-year CIP Reliability Standards implementation plan includes a timeline and milestones that identify when a responsible entity must "begin work" and be "substantially compliant," in "compliance" and "auditably compliant" with certain CIP Reliability Standard requirements. Certain entities must be "auditably compliant" with specific requirements in 2009 or 2010. The order will be effective 60 days after its publication in the Federal Register.