On March 16, FERC approved North American Electric Reliability Corporation (NERC) Reliability Standard CIP-003-9, Cyber Security – Security Management Controls, which introduces two new requirements to the suite of cybersecurity protections for low-impact bulk electric system (BES) cyber systems. The requirements focus on mitigating a supply chain risk that continues to challenge the electric industry: vendor remote access to critical electronic systems. The new rule will ensure these vendor risk mitigation requirements apply across every BES facility in the continental United States.
FERC, CFTC, and State Energy Law Developments
On March 2, the White House issued the National Cybersecurity Strategy (the Strategy), a broad vision to reinvigorate the federal government’s approach to cybersecurity and address a wide spectrum of long-term challenges. The Strategy reflects the latest significant cybersecurity-focused activity from the Biden administration and contains an ambitious set of goals and initiatives.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) on the new cyber incident reporting requirements for critical infrastructure owners as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
Be sure to check out the latest issue of Empowered, our energy industry newsletter.
The North American Electric Reliability Corporation (NERC) filed its 2022 NERC Standards Report, Status and Timetable for Addressing Regulatory Directives, summarizing the progress made and plans for addressing the reliability standard-related directives issued by applicable governmental authorities. NERC reported that since March 29, 2021, the date of NERC’s last annual report, it filed petitions with the Federal Energy Regulatory Commission (FERC) addressing four reliability standards-related directives.
The Federal Register recently published the US Department of Energy’s (DOE) notice of Request for Information (RFI) seeking public input on energy sector supply chains. The RFI requests that stakeholders provide comment on a wide variety of issues concerning supply chains of energy and related technologies.
As has been reported, a recent ransomware attack has caused an interstate pipeline and fuel supplier to much of the eastern United States to shut down its operations. Although the attack did not compromise operational systems, the company opted to cease operations as a precautionary measure.
FERC approved revisions to three Critical Infrastructure Protection (CIP) North American Electric Reliability Corporation (NERC) Reliability Standards to expand the scope of the assets subject to supply chain cybersecurity requirements and related obligations. Supply chain cybersecurity continues to be a focus of NERC, energy industry stakeholders, and government regulatory and securities agencies.
President Joe Biden signed an executive order on February 24 to address possible vulnerabilities in the supply chains of critical national economic sectors, including the energy sector. The executive order directs various executive departments and agencies to complete, in coordination with private stakeholders, a series of assessments to evaluate the resiliency of supply chains in those key sectors. In his prepared remarks, President Biden explained that the order was prompted partly by concerns surrounding shortages in semiconductors, which are vital components of electronic devices used in everything from mobile phones to motor vehicles.
In May 2020, US President Donald Trump issued Executive Order 13920, banning the unrestricted import or use of certain categories of bulk-power system electric equipment from foreign adversaries, with a focus on Russian and Chinese equipment suppliers. The future of that regulation is now up in the air.