
FERC seeks comment on critical infrastructure protection standards, cybersecurity risks

The Federal Energy Regulatory Commission on June 18 issued a notice of inquiry (NOI) that seeks comments on whether critical infrastructure protection (CIP) reliability standards adequately address cybersecurity risks pertaining to data security, detection of anomalies and events, and mitigation of cybersecurity events in comparison to the National Institute of Standards and Technology (NIST) Framework.

In addition, the NOI seeks comment on the potential risk of a coordinated cyberattack on geographically distributed targets and whether Commission action, including potential modifications to the CIP reliability standards, would be appropriate to address such risk.

In the NOI (Docket No. RM20-12-000), FERC notes that Commission-approved CIP reliability standards are intended to provide a risk-based, defense in depth approach to cybersecurity of the bulk electric system (BES). 

Since the approval of the first mandatory CIP reliability standards in 2008, these standards have been modified on multiple occasions to address emerging issues and to improve the cybersecurity posture of the bulk electric system. “Yet, new cyber threats continue to evolve, and the reliability standards should keep pace to maintain a robust, defense in depth approach to electric grid cybersecurity,” the NOI said.

With this in mind, Commission staff undertook a review of the NIST Cyber Security Framework, which sets forth a comprehensive, repeatable structure to guide cybersecurity activities and to consider cybersecurity risks to an organization’s critical infrastructure as part of its risk management processes.

FERC staff compared the content of the NIST framework with the substance of the CIP reliability standards, and identified certain topics addressed in the NIST framework that may not be adequately addressed in the CIP reliability standards, leaving potential gaps. Commission staff also analyzed whether the identified topics are within the scope of the CIP reliability standards.

FERC staff then studied whether the potential gaps that are within the scope of the CIP reliability standards presented a significant risk to bulk electric system reliability. 

Based on this analysis, Commission staff identified the three NIST framework categories that are the subject of the NOI: (i) cybersecurity risks pertaining to data security, (ii) detection of anomalies and events, and (iii) mitigation of cybersecurity events. In the NOI, Commission staff provides a set of questions for commenters to respond to for each of the NIST framework categories.

In several instances the questions ask if the CIP standards adequately address low impact BES cyber systems.

FERC also seeks comment on risk of coordinated cyberattack

In addition, the Commission is seeking comment on the risk of a coordinated cyberattack on the bulk electric system (BES) and potential Commission action to address such risk.

The NOI notes that in general, bulk electric system planning is based on the ability to withstand a system’s single largest contingency, known as an N-1 event. The Commission has questioned whether greater defense in depth is warranted to better protect the BES from a coordinated attack on multiple BES cyber assets.

The risk of such a coordinated attack may be exacerbated by the recent shift from larger, centralized generation resources to smaller, more geographically distributed generation resources, the NOI said.

The Commission is soliciting comment on the need to address the risk of a coordinated cyberattack on the BES.

It is also seeking comment on potential approaches to address the matter, such as voluntary or mandatory participation in grid exercises, other types of training to prepare for a coordinated attack, and modifications to the current applicability thresholds in a reliability standard (CIP-002-5.1a) that would subject additional facilities to the CIP controls that apply to medium and/or high impact BES cyber systems.

Initial comments on the NOI will be due 60 days after its publication in the Federal Register.

The NOI is available here.