The Federal Energy Regulatory Commission last week gave final approval to Critical Infrastructure Protection (CIP) standards that for the first time cover all bulk power system assets according to their impact on the grid.
Version 5 of the CIP cybersecurity standards replace the current “in or out” designations with a tiered approach which classify assets as high, medium or low impact. (See What You Need To Know About CIP Version 5.)
TOP, IRO Standards Remanded
At the same time, FERC issued a notice of proposed rulemaking that remanded to the North American Electric Reliability Corp. its proposed revisions to reliability standards for system monitoring.
NERC’s Transmission Operations (TOP) and Interconnection Reliability Operations and Coordination (IRO) reliability standards go in the right direction – combining similar requirements, clarifying responsibilities and eliminating redundancies – but go too far, FERC said. Commissioners took pains at their public meeting to strike a friendly tone. “We tried to make sure that the remand tone was such that passions would not be inflamed,” Commissioner Philip Moeller said.
Commissioner Cheryl LaFleur said that the proposed revisions wrongly eliminate transmission operators’ current obligation to monitor and operate within all system operating limits. They would exclude from monitoring, for example, certain system operating limits in one operator’s area that affect another operator’s area. Failing to monitor such limits, FERC said, could contribute to outages.
Language Deleted
Although it approved nearly all the Version 5 CIP standards NERC had proposed, FERC deleted language that it identified as a problem when it proposed approval in April: a provision that required CIP standards to be implemented in a way that “identifies, assesses and corrects” deficiencies. That language would cause inconsistencies and difficulties with enforcement, the commission said. Everyone involved “must have a common understanding of the obligations imposed by reliability standards.” LaFleur said in a statement. “Otherwise, we risk creating gaps in reliability, confusion during audits and a compliance backlog that diverts resources away from improving reliability.”
FERC also told NERC to develop objective criteria for evaluating entities’ cyber protection for low-impact assets.
Although some had objected to creating burdens for assets in the lowest rung of impact, the commission reiterated its position that the standard “does not provide those entities with a clear roadmap of what they need to do.” NERC will not have to draw up a set of specific controls, but could take a number of approaches to fulfill the requirement, FERC said.
Standards Retired
In another reliability action, FERC approved NERC’s proposed retirement of 34 requirements in 19 reliability standards that provide little protection or are redundant of other standards. The order also withdraws 41 outstanding commission directives that NERC modify standards that have been addressed in another way or are too broad.
