REGULATORY: FERC: Notice of Proposed Rulemaking on Bulk Electric System Cyber Security Standards


On April 18, 2013, the Federal Energy Regulatory Commission (“FERC”) issued a notice of proposed rulemaking (the “NOPR”) stating that it intends to approve Version 5 of the Critical Infrastructure Protection (“CIP”) Reliability Standards submitted by the North American Electric Reliability Corporation (“NERC”), which pertain to the cyber security of the bulk electric system.

The proposed CIP Version 5 Reliability Standards include ten new or modified Reliability Standards to address Bulk Electric System (“BES”) Cyber System Categorization, Security Management Controls, Personnel and Training, Electronic Security Perimeters, Physical Security of BES Cyber Systems, Systems Security Management, Incident Reporting and Response Planning, Recovery Plans for BES Cyber Systems, Configuration Change Management and Vulnerability Assessments, and Information Protection. In connection with the Version 5 CIP Reliability Standards, FERC had directed NERC to monitor the development of the National Institute of Standards and Technology (“NIST”) standards. Consistent with the NIST Risk Management Framework, the CIP Version 5 Reliability Standards provide for low, medium, and high categorization. However, while the NIST Risk Management Framework uses a categorization process based on the loss of confidentiality, integrity, and availability of systems, CIP-002-5 categorizes assets based on reliability impact. While FERC stated that it would accept NERC’s approach at this time, it indicated that it may revisit the categorization of assets under the CIP Reliability Standards in the future.

NERC also proposed definitions for “BES Cyber Asset” and “BES Cyber System,” to which the CIP Version 5 Reliability Standards would apply. Importantly, the CIP Version 5 Reliability Standards apply a minimum classification of “Low Impact” for all BES Cyber Systems, and the Low, Medium, or High Impact classifications serve to establish the applicable set of requirements under the CIP Version 5 Reliability Standards with which a responsible entity must comply.

The NOPR further provides that FERC intends to accept NERC’s proposal to allow responsible entities to transition directly from compliance with the currently-effective CIP Version 3 standards to the Version 5 standards, meaning that the CIP Version 4 standards would be retired prior to the April 1, 2014 mandatory compliance deadline for such standards.

FERC has requested comments on a number of issues identified in the NOPR, including, among other things, whether the requirements imposed on responsible entities are vague and/or ambiguous, whether the implementation periods proposed by NERC are necessary, and whether certain new or revised definitions proposed by NERC for inclusion in the NERC Reliability Standards are appropriate. FERC also identified communications security and the use of cryptography, remote access, and adoption of certain aspects of the NIST Risk Management Framework as three areas in which the CIP Version 5 Reliability Standards could be improved and invited comments on these topics as well. Comments on the NOPR are due on June 24, 2013.

 Neil L. Levy
 Washington, D.C.
 +1 202 626 5452



 David G. Tewksbury
 Washington, D.C.
 +1 202 626 5454



 Bruce L. Richardson
 Washington, D.C.
 +1 202 626 5510



 Stephanie S. Lim
 Washington, D.C.
 +1 202 626 8991



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
