In two Notices of Proposed Rulemaking issued at its open meeting Sept. 18, FERC proposed to approve 11 new Critical Infrastructure Protection (CIP) standards intended to allow utilities to use virtualization technology, along with a further modification to one of those standards that would improve cybersecurity at low-impact grid-connected cyber systems.
NERC submitted the virtualization updates in July 2024 (RM24-8). (See NERC Sends Virtualization Standards to FERC.) Along with four new and 18 revised definitions for the NERC Glossary of Terms, the filing touched almost every entry in the library of CIP standards:
- CIP-002-7 (Cybersecurity – BES cyber system categorization);
- CIP-003-10 (Cybersecurity – security management controls);
- CIP-004-8 (Cybersecurity – personnel and training);
- CIP-005-8 (Cybersecurity – electronic security perimeters);
- CIP-006-7 (Cybersecurity – physical security of BES cyber systems);
- CIP-007-7 (Cybersecurity – systems security management);
- CIP-008-7 (Cybersecurity – incident reporting and response planning);
- CIP-009-7 (Cybersecurity – recovery plans for BES cyber systems);
- CIP-010-5 (Cybersecurity – configuration change management and vulnerability assessments);
- CIP-011-4 (Cybersecurity – information protection); and
- CIP-013-3 (Cybersecurity – supply chain risk management).
Virtualization constitutes “the process of creating virtual, as opposed to physical, versions of computer hardware to minimize the amount of physical hardware resources required to perform various functions,” according to the National Institute of Standards and Technology. NERC said in its filing that the current versions of these standards are “designed around the concept that devices have a one-to-one relationship between software and hardware,” which prevents entities from taking advantage of security advances made possible by virtualization techniques.
In the NOPR, the commissioners wrote they “support NERC’s efforts to … accommodate virtualization and other nascent technologies” and that the new standards should “allow responsible entities to [adapt] to emerging risks with forward-looking security models.” They emphasized the revisions would allow, but not require, utilities to adopt these technologies.
However, commissioners questioned NERC’s proposal to replace the phrase “where technically feasible” with “per system capability.” While the ERO said this change would ease the “administrative burdens” of reviewing technical feasibility exceptions, FERC expressed concern it “would eliminate transparency … by introducing a self-implementing exceptions process with no reporting obligations.”
In light of these concerns, the commission asked for comments in three areas: first, whether there still is a need to maintain a technical feasibility exception program and what administrative burdens are associated with the current program; second, whether the proposed changes would result in entities seeking new exceptions under the “per system capability” language; and third, alternative approaches that would meet the streamlining goals while still allowing effective oversight.
Low-impact Cyber System Concerns
In the other NOPR, FERC sought comments on its proposal to approve CIP-003-11 (Cybersecurity — security management controls), which NERC submitted Dec. 20, 2024 (RM25-8).
The update to CIP-003-10 is intended to address the risk of a coordinated attack using low-impact cyber systems, which constitute most of the systems within the grid. They are considered to pose less of a risk to reliability than high- or medium-impact systems and therefore are subject to fewer CIP requirements than other systems. However, after the SolarWinds Orion cyberattack of 2020, in which hackers compromised the update channel of a popular network management tool and delivered malicious code to users around the world, NERC began an investigation into the potential threat posed by a coordinated attack against multiple low-impact systems.
In the proposed standard, NERC staff said it would require utilities to add controls to authenticate remote users, protect authentication information in transit and detect malicious communications to or between low-impact cyber systems with external routable connectivity. These changes still would allow entities “the flexibility as to where the [authentication] control is implemented based on their architecture,” the authors said.
FERC’s NOPR called for comments on developments in the cybersecurity environment since the SolarWinds attack, such as the China-linked Volt Typhoon group that has been accused of embedding itself in the information technology networks of U.S. critical organizations for at least five years. The commission asked whether such actors, who infiltrate a protected network and then move laterally into others, could pose a threat to grid reliability, and whether FERC should direct NERC to perform a study or develop a white paper on the issue.
Comments on the NOPRs are due 60 days after they’re published in the Federal Register.
Supply Chain Standards Due in 18 Months
FERC also directed NERC to develop standards addressing entities’ supply chain risk management (SCRM) plans (RM24-4).
The order also ended a related inquiry regarding reliability risks posed by grid-connected cyber equipment originating overseas, particularly equipment manufactured by Huawei and ZTE (RM20-19).
The final rule “largely adopts” a NOPR issued in 2024 in which FERC identified “multiple gaps” in NERC’s existing SCRM standards. Those standards did not specify when or how entities should identify and assess supply chain risks or require entities to respond to supply chain risks through their SCRM plans, the commission said.
The new standards will have to address “the sufficiency of responsible entities’ SCRM plans related to the identification of and response to supply chain risks,” as well as whether the SCRM standards will apply to protected cyber assets (PCAs). PCAs are defined as “one or more cyber assets connected using a routable protocol within or on an electronic security perimeter [ESP] that is not part of the highest-impact [grid] cyber system within the same” ESP.
One element not included from the NOPR was a directive to require utilities to validate data received from vendors. Instead, FERC encouraged entities to do so voluntarily “as appropriate.”
The final rule directed NERC to submit the required standards within 18 months of the date of issuance.