The Federal Energy Regulatory Commission (FERC) on Thursday proposed new cyber security management controls to further enhance the reliability and resilience of the nation’s bulk electric system.
These include mandatory controls to address the risks posed by malware from transient electronic devices like laptop computers, thumb drives and other devices used at low-impact bulk electric system cyber systems.
FERC proposes to approve Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 (Cyber Security – Security Management Controls), which is designed to mitigate cyber security risks that could affect the reliable operation of the Bulk-Power System.
The proposed standard improves upon the current Commission-approved CIP standards by clarifying the obligations that pertain to electronic access control for low-impact cyber systems; adopting mandatory security controls for transient electronic devices, such as thumb drives and laptop computers; and requiring responsible entities to have a policy for declaring and responding to CIP exceptional circumstances related to low-impact cyber systems.
The Notice of Proposed Rulemaking also proposes to direct the North American Electric Reliability Corp. (NERC) to develop modifications to provide clear, objective criteria for electronic access controls for low-impact cyber systems and to address the need to mitigate the risk of malicious code that could result from third-party transient electronic devices.
These modifications will address potential gaps and improve the cyber security posture of entities that must comply with the CIP standards, according to FERC.