
FERC Adopts Revised Reliability Standards for Cybersecurity

John R. Lilyestrom

Washington, D.C.

26 January 2016
On January 21, 2016, the Federal Energy Regulatory Commission (FERC) issued a final rule adopting seven revised critical infrastructure protection (CIP) Reliability Standards addressing cybersecurity of the electric grid, as initially proposed in July 2015. The revised standards were developed by the North American Electric Reliability Corporation (NERC), the FERC-certified Electric Reliability Organization, in response to FERC Order No. 791. The revised standards, effective on July 1, 2016, are:

(i) CIP-003-6 (Security Management Controls), specifying security management controls that establish responsibility and accountability to protect grid cyber systems against compromise;

(ii) CIP-004-6 (Personnel and Training), requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting grid cyber systems;

(iii) CIP-006-6 (Physical Security of BES Cyber Systems), specifying a physical security plan to manage physical access to grid cyber systems;

(iv) CIP-007-6 (Systems Security Management), specifying select technical, operational, and procedural requirements to manage system security by;

(v) CIP-009-6 (Recovery Plans for BES Cyber Systems), specifying recovery plan requirements in support of the continued stability, operability, and reliability;

(vi) CIP-010-2 (Configuration Change Management and Vulnerability Assessments), specifying configuration change management and vulnerability assessment requirements to prevent and detect unauthorized changes to grid cyber systems; and

(vii) CIP-011-2 (Information Protection), specifying information protection requirements to prevent unauthorized access to grid cyber systems information.

The final rule also includes a number of directives for NERC intended to facilitate enhanced protection of information and the physical security of cyber systems. The final rule also announces a FERC staff-led technical conference on January 28, 2016 to address the development by NERC of requirements for supply chain management for control system hardware, software and service.
