Revised Critical Infrastructure Protection Reliability Standard CIP-003-7: What Are the Changes?
The U.S. Government is constantly working to improve its ability to respond to the growing threat of cyber-attacks facing the national power grid. Towards that end, the Federal Energy Regulatory Commission (FERC) approved the revised critical infrastructure protection reliability standards for cybersecurity management controls on April 19, 2018. The new standards took effect on June 25, 2018.
The purpose of the new, revised standard is to improve electronic access controls to low-impact Bulk Electric Systems (BES), to mandate security controls for mobile devices and to develop modifications to critical infrastructure protection (CIP) reliability standards.
Work on the new standard began in October 2017 when FERC asked the North American Electric Reliability Corporation (NERC) to clarify electronic access controls, to adopt mandatory requirements for transient electronic devices and to require the creation of a response policy in case of a system threat.
According to Daniel Skees from Morgan Lewis, a law firm which represented NERC, CIP-003-7 pushes forward on FERC’s concern that even the less critical assets covered by these standards (referred to as low-impact facilities) present risks to the bulk electric system that need to be addressed. The fact that these changes are designed to boost security at low-impact BES is important since most energy facilities are networked together, creating a huge attack surface.
“Hackers can target smaller, less critical facilities, and when those attacks are successful, use them as the foundation of an attack into a more critical facility. CIP-003-7 reinforces FERC’s policy of minimizing the bulk electric system attack surface by ensuring every FERC-jurisdictional bulk electric system asset receives some minimal level of cybersecurity,” said Skees.
Criteria for Electronic Access Controls
The new standard requires utilities to implement electronic access controls to permit only necessary inbound and outbound access to low-impact BES Cyber Systems for …
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/regulatory-compliance/nerc-cip/revised-critical-infrastructure-protection-reliability-standard-cip-003-7-what-are-the-changes/