With an eye on preventing malicious code from infiltrating the nation's electric grid through less-critical assets, the Federal Energy Regulatory Commission has signed off on improvements to security management controls for electronic devices.
In 2018, FERC approved stronger protections for portable electronic devices, such as thumb drives and laptops, used with low-impact cyber systems on the bulk electric system, or BES. But the commission also identified a reliability gap concerning third-party devices that are frequently connected to and disconnected from those systems.
In a letter order on July 31, the commission approved the North American Electric Reliability Corp.'s proposal (FERC docket RD19-5) to explicitly require responsible entities to take steps to mitigate the introduction of malicious code on low-impact cyber systems from devices managed by vendors, contractors and other third parties.
Responsible entities include transmission owners and operators, balancing authorities, reliability coordinators, distribution providers and generator owners and operators. The revised critical infrastructure protection standard (CIP-003-8) will become mandatory and enforceable on April 1, 2020.
NERC, when it proposed the revisions in May, said the new standard "provides an additional level of security for low-impact BES cyber systems and dispels any confusion over what actions a responsible entity must take," in line with FERC's April 2018 directive (docket RM17-11).
According to the May proposal, "the responsible entity must determine which actions, if any, are necessary based on a review of the third party's mitigation practices," and those actions must be implemented "before connecting the transient cyber asset to its low impact BES cyber system."
NERC said in its May 21 filing with FERC that the new requirements would help utilities ensure that "third-party cyber security practices are on par with their own."
The July 31 order also approves updates to the CIP standard's violation severity levels, which grade how far an entity fell short of a requirement and guide NERC's enforcement of the new requirements, and its violation risk factors, which rate the reliability impact of violating those requirements.
Entities are currently complying with CIP-003-6, approved in 2016. That iteration of the standard established security management controls to protect BES cyber systems against compromise that could lead to mis-operation or instability in the bulk electric system.
FERC's April 2018 order approved updates, creating CIP-003-7 and adding requirements to put mandatory security controls in place to protect transient electronic devices used at low-impact cyber systems from malware. CIP-003-7 is slated to become effective Jan. 1, 2020, superseding the currently enforced standard.
The implementation plan for CIP-003-8 includes retiring CIP-003-7 immediately prior to the new standard going into effect. The April 1, 2020, effective date for CIP-003-8, NERC said, gives "responsible entities time to incorporate the updated requirements into their processes while balancing the need for expeditious implementation" of the standard.
Jasmin Melvin is a reporter for S&P Global Platts. S&P Global Market Intelligence and S&P Global Platts are owned by S&P Global Inc.