On June 18, 2020 the Federal Energy Regulatory Commission (FERC) released a notice of inquiry (NOI) seeking comments on potential enhancements to NERC’s Critical Infrastructure Protection (CIP) Reliability Standards. FERC staff called attention to several reports (some regarding the capabilities of foreign actors) and recent NERC Lessons Learned related to security as indicators that more stringent NERC CIP standards may be needed.
The CIP standards as currently implemented already present substantial compliance challenges for utilities, as existing processes were recently changed. Keeping a close eye on developments related to the NOI- and providing your perspective via the comment process – is critical to understanding further regulatory changes and effectively managing compliance going forward.
Cyber Security Enhancements
The NOI specifically requests feedback on whether the CIP Reliability Standards adequately address cyber security risks including data security, detection of anomalies and events and mitigation of cyber security events.
FERC also seeks comment on the potential risk of a coordinated cyberattack on geographically distributed targets and whether NERC action, including potential modifications to the CIP Reliability Standards, would be appropriate to address such risk.
The topics covered by the NOI are complementary of ongoing Security Training work, particularly in the area of Distributed Energy Resources. NERC plans to engage with FERC and stakeholders as the NOI process moves forward.
Initial comments are due 60 days after publication in the Federal Register, and reply comments are due 90 days after publication in the Federal
Next Steps for Successful Compliance
NERC CIP standards are the minimum obligations that must be met for utility cybersecurity. It is expected that NERC will “raise the bar” for security and compliance obligations as a result of this NOI.
Utilities should evaluate their programs and processes in order to stay ahead of regulatory changes. Now is the time to consider what support you might need for further CIP program development, independent program assessment, pre-audit reviews and compliance documentation.
Resources
- FERC June 18, 2020 Notice of Inquiry for Potential CIP Standards Enhancements
- TRC Security Services
- TRC Compliance Support
About TRC
TRC’s Security Team’s approach to security planning and design balances physical, operational and technological solutions that incorporate appropriate standards, regulatory requirements, best practices, operational goals and budgets. Our experts plan, design and install programs that meet a client’s financial, technical, and scheduling goals including compliance with changing NERC CIP standards and guidelines.
This regulatory update is a service to TRC’s utility clients, helping keep you informed of issues that impact your company’s electric system security risks along with related topics regarding future regulatory developments to help you achieve your company’s business goals.
Bill Hawk
Bill Hawk is TRC’s Director of Private Networks Engineering. He is a Professional Engineer with over 35 years of experience in the planning, design and implementation of all aspects of utility networks and communications systems, security systems and Smart Grid/Distribution Automation systems. His areas of expertise include technology, project planning, requirements definition, project team management and project coordination. Bill has successfully completed numerous large telecommunications and security projects with local, municipal and state utilities, governments, school districts, commercial and industrial businesses, universities and university systems. Contact Bill at BHawk@trccompanies.com.