FERC Approves NERC Cyber Protection Expansion
Order Applies CIP Requirements to More Grid Systems
FERC Chair Willie Phillips | FERC
FERC acted to shore up grid cybersecurity defenses by approving a NERC reliability standard that requires utilities to protect low-impact cyber resources.

FERC on Thursday acted to shore up power grid cybersecurity defenses by approving NERC reliability standard CIP-003-9 (Cybersecurity — security management controls).

The new standard replaces CIP-003-8 and adds requirements for utilities to protect low-impact cyber resources (RD23-3).

NERC’s Board of Trustees approved CIP-003-9 during its November meeting in New Orleans. (See “Standards Actions,” NERC Board of Trustees/MRC Briefs: Nov. 15-16, 2022.) The standard was developed over more than two years by Project 2020-03, which NERC began in order to address the risk of low-impact cyber assets with remote electronic access connectivity on the bulk electric system as recommended by the ERO’s Supply Chain Risk Assessment report in 2019. (See Supply Chain Survey Finds Ongoing Action on Cyber Risks.)

Low-impact BES Cyber Systems are those at generation or transmission assets that are not categorized as high- or medium-impact under CIP-002, because their compromise poses a lower risk of disrupting grid operations. Most of NERC’s critical infrastructure protection (CIP) standards apply only to high- and medium-impact systems; CIP-003 is the standard that carries the baseline controls for low-impact assets, and its previous version, CIP-003-8, did not address vendor remote access to those assets.

However, as FERC observed on Thursday, the Supply Chain Risk Assessment found that “the risk of a coordinated attack on multiple low impact assets with remote electronic access connectivity could result in an event with interconnection-wide impact on the bulk electric system.” In light of this possibility, the assessment called on the ERO to apply the CIP standards’ supply chain risk management requirements to low-impact assets with remote access connectivity.

The new standard accomplishes this objective by adding a policy topic, Requirement R1, Part 1.2.6, which will “require responsible entities to include the topic of ‘vendor electronic remote access security controls’ in their cybersecurity policies.” A new Section 6 of the standard’s Attachment 1 also requires entities whose low-impact assets vendors can reach remotely to have one or more methods for determining when vendor electronic remote access is occurring, one or more methods for disabling that access, and at least one method for detecting known or suspected malicious inbound and outbound communications over this channel.

According to the implementation plan proposed by NERC and approved by FERC, the new standard will take effect on the first day of the first calendar quarter that is 36 months after commission approval, or April 1, 2026. NERC explained the lengthy implementation period as necessary because of the large number of low-impact systems on the grid and the time needed by utilities “to procure and install equipment that may be subject to delays given high demand.” CIP-003-8 will be retired immediately prior to the new standard’s effective date.

In opening remarks at Thursday’s meeting, Commissioner James Danly called CIP-003-9 “a good first step” and Chair Willie Phillips said the new standard is “the latest product of our joint cybersecurity efforts with NERC and stakeholders in support of the reliable operation of the bulk power system.”

“You’ve heard me say this many times, and you’re going to hear me say it a lot more — we must continue to focus on cybersecurity and physical security, extreme weather events, and the rapidly changing resource mix,” Phillips said.

In a statement, NERC said it “appreciates FERC’s focus on reliability matters and will continue to work toward assuring the reliability and security of the” electric grid.

