At its June 18 open meeting, FERC issued a notice of inquiry seeking public input on cybersecurity-related enhancements to the Critical Infrastructure Protection (CIP) reliability standards. In light of the constantly evolving nature of cybersecurity threats to the bulk power system, FERC is interested in determining whether the current CIP standards adequately address specific cyberrisk areas related to data security and cybersecurity incident detection, containment, and mitigation. In addition, FERC is seeking comment on the potential risk of a coordinated cyberattack on geographically distributed targets.
FERC’s focus on these risk areas is due in part to the scope of the existing CIP requirements. Most do not apply to BES Cyber Systems considered to be “low impact” because they are associated with less critical substations, generators, and other Bulk Electric System (BES) facilities. FERC is concerned that cyberattacks on those less protected low-impact facilities—especially smaller, geographically distributed generators—could create a ripple effect for higher criticality facilities and jeopardize overall bulk power system reliability.
Potential Gaps in CIP Standards
FERC Staff performed a gap analysis by comparing the existing CIP standards to the National Institute of Standards and Technology (NIST) Cyber Security Framework (Framework), a voluntary set of guidelines that is often considered a gold standard for managing organizational cybersecurity risk management.
Based on that review, FERC staff identified the following areas addressed by the NIST Framework but not adequately addressed in the current CIP standards, which FERC Staff believes could pose a significant risk to the bulk power system:
- Cybersecurity risks pertaining to data security: FERC Staff believes the current CIP standards may not require enough data capacity to support the adequate availability of critical information required to maintain or restore the bulk power system. For example, CIP-011-2 requires entities to implement data protection controls, but the standard does not apply to low-impact BES Cyber Systems. In addition, CIP-012-1, which goes into effect in 2022, will require entities to protect against the unauthorized disclosure and modification of certain data, but that standard is limited to only real-time assessment and monitoring data transmitted between control centers. FERC Staff also believes more could be done to ensure the integrity of certain key information systems. CIP-013-1, the supply chain risk management standard that goes into effect on October 1, 2020, requires entities to address verification of software integrity in their procurement plans. However, FERC staff remains concerned about software integrity risks because the CIP-013-1 requirements do not apply to low-impact BES Cyber Systems, nor do they apply to information, such as a digital manual provided with a software tool, for low-, medium-, or high-impact BES Cyber Systems.
- Detection of anomalies and events: FERC Staff believes the scope of the current CIP standards could be expanded to more fully implement security controls in the NIST Framework addressing anomalous activity detection. Currently effective CIP-008-5 requires the implementation of an incident response program that identifies, classifies, and responds to malicious or suspicious cyberevents, but FERC Staff believes the standard is too limited because it also does not apply to low-impact BES Cyber Systems. FERC Staff expressed concern that a compromised low-impact BES Cyber System could be used to gain access to more critical high- and medium-impact BES Cyber Systems.
- Mitigation of cybersecurity events: FERC Staff noted that CIP-008-5 does not specifically require the incident containment or mitigation controls described in the NIST Framework. FERC Staff also believes that CIP-008-5 and CIP-010-2—the standard that addresses vulnerability mitigation—may not adequately prevent the expansion of a cybersecurity event because they do not apply to low-impact BES Cyber Systems. FERC Staff echoed the concern that, without proper containment and mitigation, the compromise of a low-impact BES Cyber System could be used as a launching point to gain access to more critical high- and medium-impact BES Cyber Systems.
Next Steps
FERC is seeking public comment on the concerns described above and has embedded specific questions related to these topics in the notice of inquiry. We urge utilities subject to the CIP standards and other interested stakeholders to consider providing their perspectives on these issues. Given the gaps already identified by FERC staff and the looming cybersecurity challenges facing the energy industry, it is likely that FERC will not be satisfied with the CIP standards in their current state and will direct NERC to undertake revisions to the CIP standards. However, the extent of those changes, and any other regulatory action, will depend in part on FERC’s consideration of the comments provided in response to the Notice of Inquiry.
Comments and reply comments are due 60 and 90 days, respectively, after the date of publication of the Notice of Inquiry in the Federal Register, which has not yet occurred.