On April 18, 2013, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) to approve, subject to certain modifications, Version 5 of the Critical Infrastructure Protection Reliability Standards (CIP Standards) proposed by the North American Electric Reliability Corporation (NERC). Version 5 of the CIP Standards contains new requirements that address cybersecurity controls and expand the scope of systems subject to the requirements. In light of this proposal, FERC is proposing to skip the implementation of Version 4 of the CIP Standards entirely and move straight to implementing Version 5. Version 4 of the standards was approved only last year and was scheduled to go into effect in April 2014. Comments on the NOPR will be due 60 days after publication in the Federal Register, likely around June 20, 2013.
Overview of the requirements
As proposed, Version 5 of the CIP Standards includes 12 requirements for new cybersecurity controls. These requirements address Electronic Security Perimeters, Systems Security Management, Incident Reporting and Response Planning, Recovery Plans for Bulk Electric Cyber Systems, Configuration Change Management and Vulnerability Assessments. In addition, Version 5 adopts a new approach for identifying bulk electric system (BES) Cyber Systems and then categorizing those systems as Low, Medium, or High Impact on the reliable operation of the BES. This new approach would require, at minimum, all BES Cyber Systems to be categorized as Low Impact. Once categorized, the responsible entity would be obligated to implement the requirements associated with that impact category.
Potential modifications to proposed requirements
FERC is evaluating whether to require modification of 17 proposed requirements that may be too vague to audit and enforce. In particular, FERC is considering whether requirements with an obligation to “identify, assess, and correct” deficiencies are specific enough to be enforceable. Accordingly, FERC is soliciting comments regarding whether modifications to more clearly describe the implementation and compliance obligations are appropriate.
In addition, FERC is proposing to require modification of CIP-003-5, Requirement 2. As proposed, this requirement calls for responsible entities to implement documented cybersecurity policies for Low Impact BES Cyber Systems that collectively address cybersecurity awareness, physical controls, electronic access controls, and incident response to a cybersecurity incident. Because the requirement mandates only that entities have policies in place, and does not require any specific protective measures, FERC is proposing to direct NERC to modify this requirement to include specific, technically supported cybersecurity controls for these Low Impact assets.
Retirement of Version 4 of the CIP standards
Although Version 3 of the standards is currently effective, FERC had approved the implementation of a new version of the standards, Version 4, last year. Version 4 was set to become effective on April 1, 2014. Now, with the proposed adoption of Version 5, NERC is proposing to bypass the implementation of Version 4 in favor of Version 5. Under this proposal, Version 3 would remain effective until Version 5 is implemented. For the Version 5 requirements, NERC is proposing a 24-month implementation period for High and Medium Impact Cyber Assets and a 36-month implementation period for Low Impact Cyber Assets. FERC agrees with NERC’s proposal to transition directly from Version 3 to Version 5 of the standards. FERC is soliciting comments, however, regarding whether NERC’s proposed implementation periods are necessary or whether registered entities could achieve compliance in a shorter period of time.