FERC clears additional requirements to strengthen grid's malware defenses

With an eye on preventing malicious code from infiltrating the nation's electric grid through less-critical assets, the Federal Energy Regulatory Commission has signed off on improvements to security management controls for electronic devices.

In 2018, FERC gave the nod to stronger protections for portable electronic devices, such as thumb drives and laptops used at low-impact cyber systems on the bulk electric system, or BES. But the commission also identified a reliability gap concerning third-party devices that are frequently connected to and disconnected from the grid.

In a letter order on July 31, the commission approved the North American Electric Reliability Corp.'s proposal (FERC docket RD19-5) to explicitly require responsible entities to take steps to mitigate the introduction of malicious code on low-impact cyber systems from devices managed by vendors, contractors and other third parties.

Responsible entities include transmission owners and operators, balancing authorities, reliability coordinators, distribution providers and generator owners and operators. The revised critical infrastructure protection standard (CIP-003-8) will become mandatory and enforceable on April 1, 2020.

NERC, when it proposed the revisions in May, said the new standard "provides an additional level of security for low-impact BES cyber systems and dispels any confusion over what actions a responsible entity must take," in line with FERC's April 2018 directive (RM17-11).

According to the May proposal, "the responsible entity must determine which actions, if any, are necessary based on a review of the third party's mitigation practices," and those actions must be implemented "before connecting the transient cyber asset to its low impact BES cyber system."

NERC said in its May 21 filing with FERC that the new requirements would help utilities ensure that "third-party cyber security practices are on par with their own."

The July 31 order also approves updates to the CIP standard's violation severity levels, which offer guidance on how NERC will enforce the new requirements, and violation risk factors that assess the impact to reliability of violating those requirements.

Implementation plan

Entities are currently complying with CIP-003-6, approved in 2016. That iteration of the standard established security management controls to protect electricity cyber systems against compromise that could lead to misoperation or instability in the bulk electric system.

FERC's April 2018 order approved updates, creating CIP-003-7 and adding requirements to put mandatory security controls in place to protect transient electronic devices used at low-impact cyber systems from malware. CIP-003-7 is slated to become effective Jan. 1, 2020, and supersede the currently enforced standard.

The implementation plan for CIP-003-8 includes retiring CIP-003-7 immediately prior to the new standard going into effect. The April 1, 2020, effective date for CIP-003-8, NERC said, gives "responsible entities time to incorporate the updated requirements into their processes while balancing the need for expeditious implementation" of the standard.

Jasmin Melvin is a reporter for S&P Global Platts. S&P Global Market Intelligence and S&P Global Platts are owned by S&P Global Inc.