October 5, 2024
FERC Postpones Action on Supply Chain Protections

FERC on Thursday gave final approval to revisions to seven critical infrastructure protection (CIP) reliability standards.

The final rule approves NERC’s proposed requirements for personnel and training, physical security of the grid’s cyber systems and information protection (RM15-14).

It requires NERC to make changes addressing protection of transient electronic devices, such as thumb drives and laptop computers, at low-impact Bulk Electric System cyber systems and protections for communication network components between control centers. It also requires NERC to refine its definition for low-impact external routable connectivity and to conduct a study assessing the effectiveness of CIP remote access controls, the risks posed by remote access-related threats and vulnerabilities, and appropriate controls.

Supply Chain Protections not Included

The order does not include a provision in the commission’s July Notice of Proposed Rulemaking that would have required NERC to develop requirements for supply chain management for control system hardware, software and services. (See FERC Seeks Supply Chain Protection Against Cyber Threats.)

The commission said it will consider action on that issue based on advice from staff following a Jan. 28 technical conference.

A supply chain standard would be only the third time the commission has ordered NERC to initiate a standard, following standards addressing geomagnetic disturbances and physical security.

The commission’s supply chain concerns were prompted by two malware campaigns against vendors of industrial control systems.

The final rule takes effect 65 days after publication in the Federal Register.

Rich Heidorn Jr.
