FERC, CFTC, and State Energy Law Developments
Revised Reliability Standard clarifies obligations for electronic access controls at less critical assets and places more focus on risks posed by certain portable electronic devices.

On the heels of the news reports describing cyberattacks on the energy sector that have continued to accumulate over the last few years, the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a technical alert on March 15 describing ongoing attacks on critical infrastructure by hackers associated with the Russian government. 

The North American Electric Reliability Corporation (NERC) filed a Notice of Penalty summarizing an agreement by an unidentified electric utility to pay a $2.7 million penalty in connection with self-reported violations of the Critical Infrastructure Protection reliability standards related to sensitive data exposure by a vendor.

At today’s open meeting, the Federal Energy Regulatory Commission (FERC) proposed to approve new Critical Infrastructure Protection (CIP) Reliability Standards developed by the North American Electric Reliability Corporation (NERC) to protect the cybersecurity of the supply chains for critical utility systems.

Under a notice of proposed rulemaking to be released today, December 21, the Federal Energy Regulatory Commission (FERC) is proposing to direct the North American Electric Reliability Corporation (NERC) to revise the Critical Infrastructure Protection (CIP) reliability standards to require electric utilities to report all cyberattacks on the electronic security perimeters surrounding their key electric infrastructure as well as the associated electronic access control and monitoring devices that protect those perimeters.

As evidence that cyberattacks continue to threaten electric infrastructure in the United States, a report issued on December 14 by cybersecurity firm FireEye indicates that critical infrastructure industrial control systems (ICS) could be susceptible to a new type of malware.

The North American Electric Reliability Corporation (NERC) filed a petition on September 26 requesting approval from the Federal Energy Regulatory Commission (FERC or the Commission) for a suite of Reliability Standards that focus on vulnerabilities in vendor products and services and would regulate the utility procurement process.

On December 7, the Energy Bar Association sponsored a discussion on FERC-led audits of entities’ compliance with the North American Electric Reliability Corporation’s (NERC’s) critical infrastructure protection (CIP) Reliability Standards.

On November 17, FERC adopted regulations to enhance the protection of Critical Energy Infrastructure Information (CEII) using its new statutory authority from the Fixing America’s Surface Transportation Act (FAST Act), which added Section 215A to the Federal Power Act.

On July 21, FERC directed NERC to develop a new or modified “forward-looking, objective-driven” Reliability Standard that addresses supply chain risk management for industrial control system hardware, software, and computing and networking services (“cyber controls”) associated with BES operations.