Search
`
October 1, 2024
FERC Denies Mabee’s CIP Complaint
Oct 5, 2020
FERC rejected a challenge by security activist Michael Mabee against NERC’s Critical Infrastructure Protection reliability standards.

FERC on Friday rejected a challenge by security activist Michael Mabee against NERC’s Critical Infrastructure Protection (CIP) reliability standards (EL20-46).

Mabee filed his complaint May 12, focusing primarily on CIP-013-1 (Cybersecurity — Supply chain risk management) and its supposed deficiencies relating to President Trump’s executive order of May 1 declaring a national emergency regarding foreign threats to the bulk electric system. (See Trump Declares BPS Supply Chain Emergency.) The activist characterized the executive order as “a vote of no-confidence in the lackadaisical and inadequate actions of FERC and NERC” to protect the grid.

Mabee’s complaint holds that CIP-013-1 in particular is inadequate to protecting the grid because it only covers high- and medium-impact BES cyber systems but allows individual companies to determine what systems qualify as low-impact. Citing language in the order directing the secretary of energy to identify grid equipment “designed, developed, manufactured or supplied” by foreign adversaries, without reference to their level of impact, Mabee called for FERC to direct NERC to modify CIP-013-1 to apply to all BPS equipment without exception.

The complaint also criticized FERC for failing to ensure that the broader family of CIP standards “fully address leading federal guidance for critical infrastructure cybersecurity” — specifically the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. He requested that all CIP standards be revamped to bring them more in line with NIST’s recommendations.

FERC Sides with NERC, Trade Associations

NERC voiced its objections to Mabee’s complaint in June, accusing the activist of “[relying] on a logical fallacy” that the executive order must invalidate CIP-013-1 because it “covers more systems” than the standard. (See NERC Pushes Back on New CIP Standard Challenge.) Rather, the organization said, each measure applies to different cases, with the CIP standards — including CIP-013-1 — covering supply chain risks in a broad sense and the emergency declaration addressing “specific risks from specific sources.”

FERC CIP
| Shutterstock

The ERO also said it “consistently relies upon” NIST’s framework to guide its standards development efforts and accused Mabee of using criticism of outdated versions of the CIP standards from various sources, including a 2019 Government Accountability Office report, to imply otherwise.

A coalition of trade associations, including the American Public Power Association, Edison Electric Institute and the National Rural Electric Cooperative Association, backed NERC’s call to dismiss the complaint, despite requests by Mabee and the Secure the Grid Coalition to block EEI from commenting because of its alleged work on behalf of the Chinese government.

The trade associations said that Mabee had “[failed] to articulate any connection between the executive order and … CIP-013-1,” and further called his assertion that entities had discretion to decide what constitutes a low-impact cyber system “simply untrue.” In addition, they called Mabee’s complaints regarding the CIP standards and the NIST framework “unfounded,” referring to statements by FERC commissioners that the GAO report Mabee cited as an indictment of the commission was actually “constructive” and had resulted in action to implement its recommendations.

In its response, FERC agreed that the complaint provided “[no] legal basis to conclude that [the] executive order … ‘invalidates’ or otherwise requires modifications to” CIP-013-1. The commission asserted that its recently issued Notice of Inquiry on BES equipment originating overseas showed that it takes the risk of foreign interference in the BPS seriously. (See FERC Opens Supply Chain Cyber Risk Inquiry.) In addition, FERC noted that NERC is currently revising the CIP standards “to expand protections for low-impact BES cyber systems.”

FERC also denied the request to overhaul the CIP standards to close gaps with the NIST framework, citing another recent NOI that revealed reluctance on the part of industry stakeholders to revise the standards. (See Stakeholders Speak out on FERC CIP Concerns.)

CIPFERC & Federal
Keywordscritical infrastructure protection (CIP)cybersecurity
Holden Mann
Ballot Opens on Proposed GMD Revisions
More From This Author

Leave a Reply

Your email address will not be published. Required fields are marked *

We Recommend

1
FERC Reliability Conference to Highlight Resource Adequacy
Sep 26, 2024Resource AdequacyHolden Mann
2
DHS Offers $280M in Grants for Cyber Investments
Sep 24, 2024State RegulationHolden Mann
3
Texas RE Endorses ERO Enterprise Strategy
Sep 23, 2024Regional EntitiesTom Kleckner
4
WECC, Members Grapple with Strategic Vision
Sep 19, 2024Regional EntitiesElaine Goodman
5
FERC Proposes Further Cybersecurity Measures
Sep 19, 2024Standards/ProgramsHolden Mann

Popular Stories

1
Study: HVDC Needs Standards to Take off in US
Sep 9, 2024Standards/ProgramsJames Downing
2
WECC, Members Grapple with Strategic Vision
Sep 19, 2024Regional EntitiesElaine Goodman
3
Webinar Examines How FERC Could Use Interregional Transmission Study
Sep 9, 2024FERC & FederalJames Downing
4
Consumer Response Saved Alberta Grid During Jan. 2024 Cold Snap
Sep 11, 2024Regional EntitiesElaine Goodman
5
FERC Reliability Conference to Highlight Resource Adequacy
Sep 26, 2024Resource AdequacyHolden Mann

Industry Gatherings