Energy Law Alert: FERC Approves New CIP Reliability Standards Despite Concern Over Ambiguity In Multiple Areas


On April 18, 2013, the Federal Energy Regulatory Commission issued a Notice of Proposed Rulemaking recommending approval of the Version 5 Critical Infrastructure Protection Reliability Standards proposed by the North American Electric Reliability Corporation. In addition to approving the NERC proposal, FERC also is seeking comments on a number of identified areas of concern, and has ordered NERC to make one modification to the proposed standards.

What Are the New CIP Standards?

CIP Reliability Standards relate to cyber security of the bulk electric system. The Version 5 standards propose a new approach to identifying and classifying "BES Cyber Systems" as having potential for Low, Medium, or High Impact to the bulk electric system. Significantly, for registered entities with assets that will fall under the Low Impact category of BES Cyber Systems—the category under which the most assets will fall—FERC expressed concern regarding the proposed obligations under CIP-003-5, Requirement R2, the only requirement applicable to Low Impact systems. Requirement R2 compels entities to have documented cyber security policies for Low Impact systems, but does not require entities to implement actual cyber security protections. Concerned with the lack of specific protections for Low Impact BES Cyber Systems, FERC directed NERC to modify the requirement to "require responsible entities to adopt specific, technically-supported cyber security controls."

FERC Questions Implementation Plan

FERC has called into question the proposed implementation plan. FERC proposes to approve the transition from Version 3 of the CIP Reliability Standards directly to Version 5 of the CIP Reliability Standards, effectively retiring the Version 4 standards before they become effective. FERC, however, questioned the proposed 24-month implementation period for High and Medium Impact systems as well as the 36-month implementation period for Low Impact systems, and seeks comment on the justification for the length of the implementation periods and whether shorter implementation periods would be feasible.

Why Is This important?

The Version 5 CIP Reliability Standards mark an important change in compliance obligations for entities on the NERC Registry with cyber assets, and the final resolution of both the requirements for Low Impacts BES Cyber Systems and the implementation schedule will be important for many NERC registered entities.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stinson Leonard Street | Attorney Advertising

Written by:


Stinson Leonard Street on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.