The current mandatory reliability standard governing electric system cyber security requires each responsible entity to identify which of its assets are “Critical Assets” that support the reliability of the bulk electric system. The entity must make this identification by applying its own “risk-based assessment methodology” (RBAM). Many entities have struggled with how to perform such a risk-based assessment that would satisfy this reliability standard. FERC has now proposed to drop the amorphous RBAM concept in favor of bright line criteria.

Much of the electric industry is dependent on digital information being transferred through electronic pathways to control generators and transmission operations. These “cyber” pathways could be subject to deliberate or non-deliberate disruptions, potentially causing serious interruptions on the nation’s electric grid. The protection of cyber communications has been a matter of increasing concern within the electric industry.

The existing cyber security reliability standard was drafted by the North American Electric Reliability Corporation (NERC) and approved by the Federal Energy Regulatory Commission (FERC). NERC enforces mandatory electric reliability standards, which carry substantial monetary penalties for violations, for all entities that own or operate parts of the nation’s bulk electric system. A group of these standards address cyber security for “Critical Cyber Assets” and are designated as CIP-002 through CIP-009. Under this framework, the CIP-002 standard outlines the method for identifying Critical Cyber Assets, and the rest detail the requirements for protecting such assets. Such protection measures include security management controls, electronic security perimeters, physical security, incident reporting, and recovery plans.