FERC on Friday rejected a challenge by security activist Michael Mabee against NERC’s Critical Infrastructure Protection (CIP) reliability standards (EL20-46).
Mabee filed his complaint May 12, focusing primarily on CIP-013-1 (Cybersecurity — Supply chain risk management) and its supposed deficiencies relating to President Trump’s executive order of May 1 declaring a national emergency regarding foreign threats to the bulk electric system. (See Trump Declares BPS Supply Chain Emergency.) The activist characterized the executive order as “a vote of no-confidence in the lackadaisical and inadequate actions of FERC and NERC” to protect the grid.
Mabee’s complaint holds that CIP-013-1 in particular is inadequate to protecting the grid because it only covers high- and medium-impact BES cyber systems but allows individual companies to determine what systems qualify as low-impact. Citing language in the order directing the secretary of energy to identify grid equipment “designed, developed, manufactured or supplied” by foreign adversaries, without reference to their level of impact, Mabee called for FERC to direct NERC to modify CIP-013-1 to apply to all BPS equipment without exception.
The complaint also criticized FERC for failing to ensure that the broader family of CIP standards “fully address leading federal guidance for critical infrastructure cybersecurity” — specifically the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. He requested that all CIP standards be revamped to bring them more in line with NIST’s recommendations.
FERC Sides with NERC, Trade Associations
NERC voiced its objections to Mabee’s complaint in June, accusing the activist of “[relying] on a logical fallacy” that the executive order must invalidate CIP-013-1 because it “covers more systems” than the standard. (See NERC Pushes Back on New CIP Standard Challenge.) Rather, the organization said, each measure applies to different cases, with the CIP standards — including CIP-013-1 — covering supply chain risks in a broad sense and the emergency declaration addressing “specific risks from specific sources.”
The ERO also said it “consistently relies upon” NIST’s framework to guide its standards development efforts and accused Mabee of using criticism of outdated versions of the CIP standards from various sources, including a 2019 Government Accountability Office report, to imply otherwise.
A coalition of trade associations, including the American Public Power Association, Edison Electric Institute and the National Rural Electric Cooperative Association, backed NERC’s call to dismiss the complaint, despite requests by Mabee and the Secure the Grid Coalition to block EEI from commenting because of its alleged work on behalf of the Chinese government.
The trade associations said that Mabee had “[failed] to articulate any connection between the executive order and … CIP-013-1,” and further called his assertion that entities had discretion to decide what constitutes a low-impact cyber system “simply untrue.” In addition, they called Mabee’s complaints regarding the CIP standards and the NIST framework “unfounded,” referring to statements by FERC commissioners that the GAO report Mabee cited as an indictment of the commission was actually “constructive” and had resulted in action to implement its recommendations.
In its response, FERC agreed that the complaint provided “[no] legal basis to conclude that [the] executive order … ‘invalidates’ or otherwise requires modifications to” CIP-013-1. The commission asserted that its recently issued Notice of Inquiry on BES equipment originating overseas showed that it takes the risk of foreign interference in the BPS seriously. (See FERC Opens Supply Chain Cyber Risk Inquiry.) In addition, FERC noted that NERC is currently revising the CIP standards “to expand protections for low-impact BES cyber systems.”
FERC also denied the request to overhaul the CIP standards to close gaps with the NIST framework, citing another recent NOI that revealed reluctance on the part of industry stakeholders to revise the standards. (See Stakeholders Speak out on FERC CIP Concerns.)