The Federal Energy Regulatory Commission has proposed new cyber security management controls to further enhance the reliability and resilience of the nation’s bulk electric system. These include mandatory controls to address the risks posed by malware from transient electronic devices like laptop computers, thumb drives and other devices used at low-impact bulk electric system cyber systems.
FERC proposes to approve Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 (Cyber Security – Security Management Controls), which is designed to mitigate cyber security risks that could affect the reliable operation of the Bulk-Power System. The proposed standard improves upon the current Commission-approved CIP standards by clarifying the obligations that pertain to electronic access control for low-impact cyber systems; adopting mandatory security controls for transient electronic devices, such as thumb drives and laptop computers; and requiring responsible entities to have a policy for declaring and responding to CIP exceptional circumstances related to low-impact cyber systems.
This Notice of Proposed Rulemaking also proposes to direct the North American Electric Reliability Corp. (NERC) to develop modifications to provide clear, objective criteria for electronic access controls for low-impact cyber systems and to address the need to mitigate the risk of malicious code that could result from third-party transient electronic devices. These modifications will address potential gaps and improve the cyber security posture of entities that must comply with the CIP standards.
In a separate order, the Commission accepted NERC’s preliminary geomagnetic disturbance (GMD) research work plan and directed that NERC file a final plan within six months. The work plan identifies nine GMD-related research areas and sets an estimated time frame for their completion. This order, among other things, provides NERC with guidance on how to prioritize the GMD research.