On March 16, 2023, FERC approved North American Electric Reliability Corporation (NERC) Reliability Standard CIP-003-9, Cyber Security – Security Management Controls, which adds new requirements to the cybersecurity protections for low-impact bulk electric system (BES) cyber systems. The requirements target a supply chain risk that continues to challenge the electric industry: vendor remote access to critical electronic systems. With this approval, vendor remote access risk mitigation is required for every impact category of BES cyber system, so the obligation now reaches BES facilities across the continental United States rather than only the higher-criticality ones.
Other NERC CIP standards (principally CIP-005) already require similar vendor remote access controls, but only for medium- and high-impact systems. FERC’s approval of CIP-003-9 means registered entities must now extend vendor risk mitigation practices to generation and transmission assets containing cyber systems that are categorized under Reliability Standard CIP-002 as posing a low reliability risk to the BES. Those facilities generally include everything in the BES not already covered by more stringent NERC cybersecurity requirements: for example, small substations operating at 100 kV or above, generation plants with an aggregate nameplate rating greater than 75 MVA connected at 100 kV or above, and individual generating units rated greater than 20 MVA connected at 100 kV or above.
Registered entities must ensure that the cybersecurity policies covering such facilities address vendor electronic remote access security controls, and must implement processes for their low-impact BES cyber systems that include the following:
- One or more method(s) for determining vendor electronic remote access
- One or more method(s) for disabling vendor electronic remote access
- One or more method(s) for detecting known or suspected inbound and outbound malicious communications for vendor electronic remote access
While the changes above appear subtle, they are likely to present real challenges, particularly for utilities with large portfolios of dispersed, low-impact generator sites that have remote access capabilities: each such site needs a way to identify active vendor sessions, a means of cutting them off, and a mechanism for spotting malicious traffic in both directions. Indeed, as FERC Chair Willie Phillips noted, “[t]he vast majority of BES assets today are considered low-impact and that number is only expected to grow.” Regulators have grown increasingly concerned in recent years over the aggregate risk to the grid if many such facilities were lost or compromised at once. Conversely, the compliance burden is lighter for entities that prohibit external remote access to such facilities altogether or that do not permit it for vendors, since the new processes apply only where vendor electronic remote access is allowed.
The new requirements become effective on April 1, 2026, the first day of the first calendar quarter that is 36 months after FERC’s March 16, 2023 approval. The long implementation period reflects regulators’ recognition of the equipment procurement and installation effort required to bring the large number of low-impact BES cyber systems into compliance.