On April 18, 2013, the Federal Energy Regulatory Commission (“FERC” or “Commission”) issued a Notice of Proposed Rulemaking (“NOPR”), in Docket No. RM13-5-000, in which it proposed to approve the North American Electric Reliability Corporation’s (“NERC’s”) proposed Critical Infrastructure Protection (“CIP”) Standards, CIP-002-5 through CIP-011-1, submitted by NERC for Commission approval on January 31, 2013 (“NERC’s Petition”). The Commission noted that NERC’s proposed Version 5 CIP Standards “represent an improvement over the current Commission-approved CIP Reliability Standards as they adopt new cyber security controls and extend the scope of the systems that are protected by the CIP Reliability Standards.”
Effect on Implementation of CIP Version 4 Standards
Importantly, the Commission proposed to approve NERC’s recommendation to transition directly from the current CIP Version 3 Standards to the CIP Version 5 Standards, thereby bypassing the implementation of the CIP Version 4 Standards that were to become effective on April 1, 2014. FERC proposed that, upon its issuance of the Final Rule approving the CIP Version 5 Standards, “CIP-002-4 through CIP-009-4 would not become effective, and CIP-002-3 through CIP-009-3 would remain in effect and would not be retired until the effective date of the CIP Version 5 Standards.”
Overview of New Requirements
FERC’s NOPR, and NERC’s Petition, proposed eight modified standards (CIP-002-5 through CIP-009-5) and two new standards (CIP-010-1 and CIP-011-1). The CIP Version 5 Standards contain twelve requirements with new cyber security controls in the following areas: Electronic Security Perimeters (CIP-005-5), Systems Security Management (CIP-007-5), Incident Reporting and Response Planning (CIP-008-5), Recovery Plans for BES Cyber Systems (CIP-009-5), and Configuration Change Management and Vulnerability Assessments (CIP-010-1).
CIP-002-5 requires that responsible entities identify and categorize Bulk Electric System (“BES”) Cyber Systems, a term proposed by NERC which FERC has proposed to approve, according to specific criteria commensurate with the potential adverse impact that loss, compromise, or misuse of such systems could have on the BES. The three categories of BES Cyber Systems include: i) High Impact, which covers large Control Centers; ii) Medium Impact, which covers generation and transmission facilities; and iii) Low Impact, which covers all other BES Cyber Systems.
This sub-categorization of Cyber Assets is new in the CIP Version 5 Standards, as no such categorization is required in the CIP Version 4 Standards. Furthermore, certain assets that would be deemed Low Impact under the proposed CIP-002-5, such as restoration facilities, are all brought within the scope of CIP compliance obligations, whereas the CIP Version 4 Standards covered only those Cyber Assets with routable connectivity that are essential to restoration. If an entity does not identify any BES Cyber Systems, however, it has no compliance obligations under the remaining proposed CIP Version 5 Standards (i.e., CIP-003-5 through CIP-011-1).
The Commission’s Directives to NERC
The Commission is concerned that certain provisions in the CIP Version 5 Standards are “potentially ambiguous” and may raise enforceability questions. Seventeen requirements in the CIP Version 5 Standards direct entities to implement the requirement in a manner that “identifies, assesses, and corrects” deficiencies. The Commission seeks comments on the meaning of this language and on how such provisions can be implemented and enforced. FERC notes that, depending on the comments it receives, it may determine that it is appropriate to direct NERC to modify the applicable standards.
The Commission is also concerned about the ambiguity of CIP-003-5 Requirement 2, which is the sole compliance obligation with respect to “Low Impact” BES Cyber Systems. That requirement directs responsible entities to “implement ... documented cyber security policies that collectively address ...” topics such as cyber security awareness, physical security controls and electronic access controls. FERC is concerned that this requirement does not give responsible entities enough guidance on how to comply with the standard and how to protect “Low Impact” BES Cyber Systems. FERC therefore proposed to direct NERC to modify the requirement so that such entities must adopt “specific, technically-supported cyber security controls” for these “Low Impact” assets.
The Commission proposed to approve NERC’s 19 new or revised definitions associated with the CIP Version 5 Standards, although it seeks comments on certain aspects of the proposed definitions. The Commission also proposed to approve all but two of NERC’s proposed Violation Risk Factors (“VRFs”), with the Commission proposing to increase the VRFs of two requirements. Furthermore, FERC proposed to direct NERC to modify the Violation Severity Levels (“VSLs”) for the CIP Version 5 Standards because of inconsistencies with previous Commission orders and various typographical errors in the content of the VSLs.
Lastly, FERC seeks comment on whether NERC’s proposed implementation periods, 24 months after the effective date for “High Impact” and “Medium Impact” BES Cyber Systems and 36 months after the effective date for “Low Impact” BES Cyber Systems, are justified, and whether entities could feasibly comply with the CIP Version 5 Standards in a shorter implementation period. FERC noted that if the comments do not provide reasonable justification for NERC’s proposed implementation periods, it will direct NERC to make appropriate modifications.
The Commission, as NERC requested, acted on NERC’s Petition for the CIP Version 5 Standards promptly, thereby reducing the uncertainty of responsible entities with respect to transitioning from Version 3 to Version 5 of the CIP Standards. However, bypassing the CIP Version 4 Standards could have a substantial impact on responsible entities that have been preparing to be in compliance with those standards as of the April 1, 2014 effective date. It could also lead to an accelerated implementation period for the CIP Version 5 Standards, which are vastly different from the currently-effective CIP Version 3 Standards, and disrupt the CIP compliance plans of responsible entities.
Comments to the Commission’s NOPR are due by June 24, 2013 (i.e., 60 days after the NOPR’s April 24, 2013 publication in the Federal Register).