The American Public Power Association and several other trade associations recently submitted comments to the Federal Energy Regulatory Commission in support of a revised Critical Infrastructure Protection (CIP) reliability standard.
Earlier this year, the North American Electric Reliability Corporation (NERC) developed revisions to its CIP-003 mandatory reliability standard to require owners/operators of low impact Bulk Electric System Cyber Systems to implement enhanced electronic access controls for those systems.
Industry stakeholders, including public power, supported the revised standard during NERC’s balloting process. In September, FERC issued a notice of proposed rulemaking (NOPR) proposing to approve the standard.
But, citing a security incident at a small public power utility, the NOPR asked several questions about the evolving threats to low impact cyber systems and asked whether FERC should direct NERC to conduct an additional study to assess whether the current standards are adequate.
APPA and the other trade associations supported FERC’s proposal to approve the revised CIP-003 standard.
The revised standard, in conjunction with the other CIP standards, provides comprehensive protection against coordinated attacks on multiple low impact systems.
The suite of CIP standards also effectively mitigates the risk that a threat actor could leverage access to a compromised low impact system to launch an attack on a higher impact system.
Furthermore, the groups told FERC about the efforts that NERC and industry are currently engaged in to continue improving the security posture of the bulk electric system. Given those efforts, the groups urged FERC not to issue any directives at this time.
NERC also filed comments on the NOPR, echoing the positions of APPA and the other trade associations: FERC should approve the new standard and not issue any directives for a further study.
NERC highlighted the risks from Advanced Persistent Threat actors that have the resources and motivation to execute sophisticated attacks, and the growing risk posed by remote access by international vendors. NERC then discussed its various efforts to mitigate those threats.
