FERC Proposes to Remove Risk-Based Assessment Methodologies from Reliability Standards Relating to Cyber Security


The current mandatory reliability standard governing electric system cyber security requires each responsible entity to identify which of its assets are “Critical Assets” that support the reliability of the bulk electric system. The entity must make this identification by applying its own “risk-based assessment methodology” (RBAM). Many entities have struggled with how to perform such a risk-based assessment that would satisfy this reliability standard. FERC has now proposed to drop the amorphous RBAM concept in favor of bright line criteria.

Much of the electric industry is dependent on digital information being transferred through electronic pathways to control generators and transmission operations. These “cyber” pathways could be subject to deliberate or non-deliberate disruptions, potentially causing serious interruptions on the nation’s electric grid. The protection of cyber communications has been a matter of increasing concern within the electric industry.

The existing cyber security reliability standard was drafted by the North American Electric Reliability Corporation (NERC) and approved by the Federal Energy Regulatory Commission (FERC). NERC enforces mandatory electric reliability standards, which carry substantial monetary penalties for violations, for all entities that own or operate parts of the nation’s bulk electric system. A group of these standards address cyber security for “Critical Cyber Assets” and are designated as CIP-002 through CIP-009. Under this framework, the CIP-002 standard outlines the method for identifying Critical Cyber Assets, and the rest detail the requirements for protecting such assets. Such protection measures include security management controls, electronic security perimeters, physical security, incident reporting, and recovery plans.

Please see full article below for more information.

LOADING PDF: If there are any problems, click here to download the file.

Written by:

Published In:

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.