In the newly proposed version of the Critical Infrastructure Protection (“CIP”) Reliability Standards, the Federal Energy Regulatory Commission (“FERC”) is seeking, for the first time, to create mandatory cybersecurity protections for the bulk electric system (“BES”), which includes electric utilities. The new standards would classify each BES Cyber System as Low, Medium or High Impact based on how severely a cyber attack on a given system would affect the national power grid. For each classification tier, the new CIP standards would require varying but specific levels of cybersecurity protection. It is important to note that any system considered a BES Cyber System will at a minimum be classified as Low Impact. BES Cyber Systems are defined as groupings of BES Cyber Assets, which in turn are defined as “Asset[s] that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which . . . would affect the reliable operation of the Bulk Electric System.” The new rule was proposed by the North American Electric Reliability Corporation (“NERC”) and would constitute CIP version 5 standards. CIP version 3 standards are currently in effect, and the proposed rule would essentially leapfrog the CIP version 4 standards that were set to become mandatory in April, 2014. CIP version 4 standards would not have reached those Cyber Systems that will be classified as Low Impact under the new CIP standards.
FERC Commissioner John Norris recognized the significant shift that mandatory requirements represent, noting in a statement “I am cognizant of the tremendous responsibility that mandatory standards place on industry to help ensure that the country’s electric grid is protected from cyber attack. We are essentially requiring private industry to support a national defense effort by contributing its time and money to protect the cyber security of the electric grid.” Comments on the proposed rule may be submitted through http://www.ferc.gov with reference to Docket No. RM13-5-000, or by mail or hand delivery to:
Federal Energy Regulatory Commission
Secretary of the Commission
888 First Street, NE
Washington, DC 20426
The proposed rule is available at: http://www.ferc.gov/whats-new/comm-meet/2013/041813/E-7.pdf
Written by Lou Dennig, Associate, Litigation & Trial Practice | Alston & Bird LLP