Subscriber Login

Policy Review

US' New Cyber Security Standards: Aims to strengthen bulk electric system [free access]

September 10, 2015

The Unites States’ Federal Energy Regulatory Commission (FERC) is working on improving the cyber security norms for the country’s bulk electric system (BES). In this regard, in July 2015, it proposed to accept seven critical infrastructure protection (CIP) reliability standards and other modifications in Version 5 of CIP standards submitted by the North American Electric Reliability Corporation (NERC). With these standards, NERC aims to address risks to communication networks and related BES assets. FERC’s proposal would modify the scope and applicability of certain CIP standards to protect communication links and sensitive data among BES control centres.


In addition to these, FERC has directed NERC to improve its standards further by expanding the scope of its standards to include measures to protect low-risk cyber systems as well as to improve supply chain management. NERC’s reliability standards propose to limit risks posed by transient devices such as flash drives to only medium- and high-risk bulk electric service cyber systems and not to low-risk cyber systems. However, omitting low-risk cyber systems from the standards could create a gap in protection, as malware inserted by a flash drive or laptop computer at a single low-impact substation could propagate through a network of many substations without encountering a single security control. For this, FERC has directed NERC to modify its newly proposed CIP-006-6 standard.


NERC petition

NERC submitted these standards in response to FERC’s Order 791, which directed NERC to introduce some modifications in Version 5 of CIP standards to enhance cyber security systems for BES assets. In November 2013, under Order 791, FERC accepted Version 5 of CIP standards (reliability standards CIP-002-5 through CIP-009-5, and CIP-010-1 and CIP-011-1) proposed by NERC, and also gave some recommendations to further improve these standards.


NERC, under its petition, tried to address the concerns by eliminating the words “identify”, “assess” and “correct” from the requirements of 17 CIP Version 5 standards; providing enhanced security controls for low impact assets; and addressing the risks posed by transient electronic devices (thumb drives and laptop computers). It further requested FERC to allow the retirement of reliability standards CIP-003-5, CIP-004-5.1, CIP-006-5, CIP-007-5, CIP-009-5, CIP-010-1, and CIP-011-1 and replace these standards with the seven new standards. These include CIP-003-6 (security management controls); CIP-004-6 (personnel and training); CIP-006-6 (physical security of BES cyber systems); CIP-007-6 (systems security management); CIP-009-6 (recovery plans for BES cyber systems); CIP-010-2 (configuration change management and vulnerability assessments); and CIP-011-2 (information protection).


Further, NERC has also proposed an implementation plan along with violation risk factor and violation severity level assignments for the proposed reliability standards. It has proposed new or revised definitions for the glossary of terms of CIP standards.


The key highlights of the NERC petition are:


Enhanced security controls for low-impact assets: Under Order 791, FERC accepted NERC’s new approach to categorise BES cyber systems as high, medium or low impact based on their likely impact on reliable operations of the electric system. However, it raised concerns regarding the classification of BES cyber systems as low impact and the inability of the standards to judge the sufficiency of the controls adopted by responsible entities for low-impact BES cyber systems under reliability standard CIP-003-5. According to FERC, this introduced an unacceptable level of ambiguity and inconsistency into the compliance process.


To address this, NERC has included an additional specification mandating responsible entities to implement controls to protect their low-impact BES cyber systems. The proposed reliability standard CIP-003-6 requires responsible entities to develop cybersecurity policies for low-impact BES cyber systems in order to communicate the management’s cybersecurity requirements across the organisation. In addition, the proposed reliability standard CIP-003-6 requires responsible entities with low-impact BES cyber systems to implement controls necessary to meet specific security objectives of creating cybersecurity awareness, providing physical security as well as electronic access, and implementing the cybersecurity incident response system.


Protection of transient devices: FERC, in Order No. 791, had also raised concerns regarding the adequacy of CIP Version 5 to provide robust protection from risks posed by transient devices. Therefore, it directed NERC to either develop new reliability standards or modify the existing ones to address the risks posed by connecting transient devices to BES cyber assets and systems.


In response to this, NERC has proposed the reliability standard CIP-010-2, mandating applicable entities to develop plans and implement cybersecurity controls to protect transient cyber assets and removable media associated with their high-impact and medium-impact BES cyber systems; and train their personnel on the risks pertaining to transient cyber assets and removable media.


Protection of BES communication networks: For this, Order No. 791 directed NERC to give a detailed definition of a communication network to avoid confusion and complexities in the standards. In its response, NERC proposed reliability standard CIP-006-6, which augments the existing protections for programmable communication components by requiring entities to implement various security controls in order to restrict and manage physical access to physical security perimeters. Further, it also focuses on nonprogrammable communication components installed at control centres with high- or medium-impact BES cyber systems. It thus assures a high level of protection for communication networks.


Improving language: In Order No. 791, FERC concluded that the language of the current reliability standards is not clear with respect to the obligations they impose on responsible entities, how the standards will be implemented by responsible entities, and how they will be enforced. To resolve this problem, NERC has removed the words “identify”, “assess” and “correct” from the standards while retaining their substantive provisions.


All these revisions to the CIP standards have been included in the Notice of Proposed Rulemaking of FERC, under which FERC is seeking comments on the modifications and new standards till October 2015. Under its petition, NERC requested an effective date for the new reliability standards after April 1, 2016 or three months after the effective date of FERC’s order approving the proposed standard. NERC has also proposed not to mandate the responsible entities to comply with the requirements applicable to low-impact BES cyber systems (CIP-003-6, Requirement R1, Part 1.2 and Requirement R2) until April 1, 2017.