In its April Open Meeting, FERC issued a final rule approving a cybersecurity Critical Infrastructure Protection (CIP) Reliability Standard. The rule focuses on low impact Bulk Electric System (BES) Cyber Systems and transient electronic devices. “Low impact” is the default classification for all Cyber Systems not rated as High or Medium Impact, and transient electronic devices include thumb drives, laptops, and other portable electronics that can connect to a Cyber System.
In response to a FERC directive, the North American Electric Reliability Corporation (NERC) sought approval in March 2017 of a Reliability Standard on “Cyber Security—Security Management Controls.” This Reliability Standard would (1) clarify obligations related to electronic access control for low impact BES Cyber Systems; and (2) adopt mandatory security controls for transient electronic devices. Although FERC had not directed it to do so, NERC also proposed to require responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems.
In October 2017, FERC proposed adopting this Reliability Standard. However, it proposed two modifications to what NERC had submitted. First, it proposed requiring that the standard “provide clear, objective criteria for electronic access controls for low impact BES Cyber Systems.” Second, it proposed that the standard “address the need to mitigate the risk of malicious code that could result from third-party transient electronic devices.”
In its final rule, FERC adopted the Reliability Standard proposed by NERC, including the modification to mitigate the risk of malicious code from transient electronic devices. Although commenters agreed that there was already an implicit obligation to guard against such risks, FERC concluded that an explicit requirement was needed to ensure that entities develop and implement adequate compliance plans.
Although FERC had proposed to direct NERC to develop objective criteria for electronic access controls for low impact BES Cyber Systems, it declined to do so in its final rule. NERC and other commenters argued that existing standards provided a sufficiently clear security objective while at the same time providing responsible entities with the flexibility required to address the wide range of low impact BES Cyber Systems. FERC stated that it was satisfied with this explanation, although it did direct NERC to conduct a study of what electronic access controls entities choose to implement and whether they are effective. NERC must file this study by October 25, 2019.