A draft of the voluntary framework was released by NIST.

The Federal Energy Regulatory Commission (FERC) approved a new standard to improve electronic access controls for low impact Bulk Electric System (BES) Cyber Systems, impose mandatory security controls for mobile devices, and develop modifications to the critical infrastructure protection (CIP) reliability standards.

Work on the new standard began in October 2017, when FERC asked NERC to clarify electronic access controls, adopt mandatory requirements for transient electronic devices, and require the creation of a response policy in case of a system threat. The genesis of this request was a group of bipartisan bills advanced out of the House Energy and Commerce subcommittee to improve the government's response to cybersecurity attacks on the electric grid, particularly attacks against less critical facilities.

"CIP-003-7 pushes forward on FERC's concern that even the less critical assets covered by these standards (referred to as low impact facilities) present risks to the bulk electric system that need to be addressed," said Daniel Skees, a partner at the law firm Morgan Lewis. Skees represents electric utilities before FERC.

FERC officially approved the new CIP reliability standard CIP-003-7 (Cyber Security - Security Management Controls), which was submitted by the North American Electric Reliability Corporation (NERC). With the standard approved, NERC is tasked with implementing it. FERC noted that the new rules developed by NERC improve upon the prior CIP reliability standards in three ways: clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems; adopting mandatory security controls for transient electronic devices such as thumb drives, laptop computers, and other portable devices frequently used with low impact BES Cyber Systems; and adding the requirement that responsible entities have in place a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems.

The fact that these changes are designed to boost security at low impact BES Cyber Systems is important, Skees said, noting that almost all energy facilities are networked together, creating a huge attack surface.

"Hackers can target smaller, less critical facilities and when those attacks are successful, use them as the foundation of an attack into a more critical facility. CIP-003-7 reinforces FERC's policy of minimizing the bulk electric system attack surface by ensuring every FERC-jurisdictional bulk electric system asset receives some minimal level of cybersecurity," he said.

Despite adopting most of NERC's proposals, FERC did take issue with the fourth request, saying the new reliability standard lacks a clear requirement to mitigate any problem that could arise if a third-party portable device caused a cyber issue, and asked NERC to provide an additional level of clarity on that topic.