On June 18, 2020 the Federal Energy Regulatory Commission (FERC) released a notice of inquiry (NOI) seeking comments on potential enhancements to NERC’s Critical Infrastructure Protection (CIP) Reliability Standards. FERC staff called attention to several reports (some regarding the capabilities of foreign actors) and recent NERC Lessons Learned related to security as indicators that more stringent NERC CIP standards may be needed.
The CIP standards as currently implemented already present substantial compliance challenges for utilities, as existing processes were recently changed. Keeping a close eye on developments related to the NOI- and providing your perspective via the comment process – is critical to understanding further regulatory changes and effectively managing compliance going forward.
Cyber Security Enhancements
The NOI specifically requests feedback on whether the CIP Reliability Standards adequately address cyber security risks including data security, detection of anomalies and events and mitigation of cyber security events.
FERC also seeks comment on the potential risk of a coordinated cyberattack on geographically distributed targets and whether NERC action, including potential modifications to the CIP Reliability Standards, would be appropriate to address such risk.
The topics covered by the NOI are complementary of ongoing Security Training work, particularly in the area of Distributed Energy Resources. NERC plans to engage with FERC and stakeholders as the NOI process moves forward.
Initial comments are due 60 days after publication in the Federal Register, and reply comments are due 90 days after publication in the Federal
Next Steps for Successful Compliance
NERC CIP standards are the minimum obligations that must be met for utility cybersecurity. It is expected that NERC will “raise the bar” for security and compliance obligations as a result of this NOI.
Utilities should evaluate their programs and processes in order to stay ahead of regulatory changes. Now is the time to consider what support you might need for further CIP program development, independent program assessment, pre-audit reviews and compliance documentation.