By Rich Heidorn Jr.
WASHINGTON — FERC on Thursday proposed rules to prevent malware from infecting “low impact” computer systems through transient electronic devices such as laptops and thumb drives.
The Notice of Proposed Rulemaking would approve critical infrastructure protection reliability standard CIP-003-7, a response to an order issued by FERC in January 2016 (RM17-11). (See FERC Postpones Action on Supply Chain Protections.)
In addition to setting controls on devices frequently connected to and disconnected from low-impact Bulk Electric System (BES) facilities, the NOPR requires such facilities to have a policy for declaring and responding to “exceptional circumstances.”
High- and medium-impact BES cyber systems already have rules for responding to “exceptional circumstances,” which include situations that impact BES reliability or pose the risk of injury or death, and cybersecurity incidents requiring emergency assistance.
The NOPR also directs NERC to revise the standard to provide objective criteria for electronic access controls for low-impact systems and add ways to mitigate the risk of malicious code introduced by third-party transient electronic devices, such as scanning devices prior to use.
GMD Order
In a separate order, FERC approved NERC’s preliminary geomagnetic disturbance (GMD) research work plan and ordered it to file a final plan within six months (RM15-11-002).
NERC’s GMD work plan, which it developed in collaboration with the Electric Power Research Institute and its GMD Task Force, identified nine research areas and set an estimated time frame for their completion. It was developed in response to the commission’s September 2016 order requiring grid operators to assess and protect against the threat of GMDs. (See FERC Approves GMD Reliability Standard.)
Thursday’s order sets the priority in which NERC should conduct the GMD research, saying it should first seek to improve earth conductivity models for studies of geomagnetically induced currents. The commission cited the models’ importance in completing the GMD vulnerability assessments required by reliability standard TPL-007-1.
It said the second priority should be improving harmonics analysis “because the synergistic effects of harmonics during GMD events are not well understood.”