December 27, 2024
NERC Responds to FERC Cybersecurity NOPRs
ERO Reminds Commission of Busy Standards Pipeline
Shutterstock
|
NERC and the regional entities expressed support for FERC's cybersecurity proposals but reminded the commission of their already busy development cycle.

Replying to two recent cybersecurity-related Notices of Proposed Rulemaking from FERC, NERC and the regional entities Nov. 22 expressed their support for the proposals while urging the commission to “consider the entirety of” the ERO Enterprise’s standards development process when setting their deadlines. 

The NOPRs propose to expand the ERO’s recently introduced reliability standard requiring registered entities to implement internal network security monitoring (INSM) at some grid-connected cyber systems (RM24-7) and to address perceived gaps in the standards concerning supply chain risk management (RM24-4). The commission issued both NOPRs at its monthly open meeting Sept. 19. (See FERC Proposes Further Cybersecurity Measures.) 

Clarity Requested on INSM Expansion

The INSM proposal builds on CIP-015-1 (Cybersecurity — INSM), which FERC proposed to approve in the same NOPR. The standard requires utilities to implement INSM at all high-impact grid-connected cyber systems, as well as medium-impact systems with external routable connectivity. 

While FERC said the standard would advance grid reliability, in its current form, it is “not … fully responsive to the commission’s directive” to implement INSM. In particular, the commission worried that attackers may be able to compromise systems external to an entity’s electronic security perimeter (ESP) and use that control to establish access within the perimeter as a trusted connection. 

It proposed directing NERC to modify the standard to include electronic access control and monitoring systems (EACMS) and physical access control systems (PACS) in the list of those requiring INSM, which it said would protect “all trust zones of the CIP-networked environment.” 

In its response, NERC first called on the commission to approve CIP-015-1 “as expeditiously as possible,” saying the standard would “improve the probability of detecting anomalous or unauthorized network activity” and help utilities respond to cyberattacks. But, the ERO continued, FERC needs to provide additional clarity on what it means by the term “CIP-networked environment.”  

Although NERC acknowledged that FERC said in the NOPR that the term includes “all assets and systems to which the CIP [critical infrastructure protection] standards apply and [that] may be the targets of attacks,” the ERO pointed out that the term is still not explicitly defined in the proposal. 

“To facilitate an expeditious development process, it would be beneficial if the commission clarifies in a final rule the expected scope of any internal network security monitoring revisions,” NERC said. “For example, in extending the CIP-015-1 protections to EACMS and PACS, would the term ‘CIP-networked environment’ be restricted to east-west communications between EACMS and PACS outside of the ESP? Similarly, would the communications between PACS and controllers and communications to and from EACMS used solely for electronic access monitoring be included?” 

NERC also suggested that FERC give the ERO at least 12 months to complete the proposed revisions, in light of the ERO’s growing standards development workload. NERC pointed out that it is already resolving 82 outstanding FERC directives through the standards development process, and its seven “high priority” projects alone are expected to take more than 10,000 total drafting team hours to complete by the end of 2025. 

Noting that FERC proposed to require that the CIP-015-1 revisions be submitted within 12 months of the final rule, NERC urged the commission to give it enough time to “facilitate additional development options,” including a technical conference, while also allowing the ERO to “balance limited resources between competing high priority projects.” 

ERO Supports Supply Chain Proposal

In the second NOPR issued Sept. 19, FERC indicated its intent to direct NERC to develop new or modified standards regarding evaluation of vendors and equipment to identify supply chain risks, along with processes to validate the accuracy of information received from vendors during procurement and track supply chain risks. 

The commission said it felt moved to act because of “multiple gaps” in NERC’s existing supply chain risk management (SCRM) standards: 

    • CIP-005-7 — Cybersecurity — electronic security perimeter(s);  
    • CIP-010-4 — Cybersecurity — configuration change management and vulnerability assessments; and  
    • CIP-013-2 — Cybersecurity — supply chain risk management. 

FERC said the standards do not specify when and how entities should identify and assess supply chain risks, and do not require entities to respond to supply chain risks through their SCRM plans. 

In their response, NERC and the REs said they appreciate FERC for recognizing the work they have done so far to advance SCRM, including their efforts to revise CIP-013-2 (which were cut short when FERC announced it would be addressing SCRM at the September meeting).  

They said they support the proposed revisions, including adding protected cyber assets (defined by NERC as “cyber assets connected … within or on an [ESP] that is not part of the highest impact … cyber system within the same [ESP]”) as applicable assets within supply chain requirements. However, as with the other NOPR, the ERO Enterprise reminded the commission of its standard development workload and the other deadlines to which it is subject. 

The organizations also asked FERC to consider the relationship between the different standards. Some standards refer to others, and revisions to CIP-005-7, CIP-010-4 and CIP-013-2 could impact other ongoing standards development projects. For example, earlier in 2024, NERC filed a suite of proposed changes to nearly all of the CIP standards, including the three supply chain standards, which might affect the team tasked with carrying out FERC’s order. (See NERC Sends Virtualization Standards to FERC.) 

NERC and the REs requested that FERC “consider no less time than proposed in the NOPR” — 12 months — to both accommodate the busy standards development pipeline and “provide the standards drafting team certainty on the version of CIP reliability standards to revise.” 

CIP

Leave a Reply

Your email address will not be published. Required fields are marked *