On June 18, 2020, FERC issued a Notice of Inquiry [Docket No. RM20-12-000] titled “Potential Enhancements to the Critical Infrastructure Protection Reliability Standards”. In the inquiry, FERC seeks comment on certain potential enhancements to the currently effective CIP Standards, including cybersecurity risks pertaining to data security, detection of anomalies and events, and mitigation of cybersecurity events along with the potential risk of a coordinated cyberattack on geographically distributed targets.
FERC inquiries often give the electric industry insight into what is coming in future FERC directives for new or modified Standards. One of the significant items contained in this inquiry is the following language: “The Commission seeks comment on the need to address the risk of a coordinated cyberattack on the bulk electric system, as well as potential approaches to address the matter, such as voluntary or mandatory participation in grid exercises, other types of training to prepare for a coordinated attack, and modifications to the current applicability thresholds in Reliability Standard CIP-002-5.1a that would subject additional facilities to the CIP controls that apply to medium and/or high impact BES Cyber Assets.” It appears that FERC is considering directing our industry to modify CIP-002 impact assessment criteria in order to classify more low impact BCS facilities as medium impact BCS and possibly some medium impact BCS facilities as high impact BCS.
The timing of this notice is interesting, as NERC just recently submitted the CIP-002-6 draft Standard to FERC for consideration. The submitted CIP-002-6 draft Standard adds a criterion that will actually lower a number of medium impact BCS Transmission Owner (TO) Control Centers to low impact BCS Control Centers. This seems to be diametrically opposed to what FERC is inquiring about and creates an interesting dilemma.
The Notice of Inquiry was published in the Federal Register on June 24, 2020. If you are interested in submitting comments, the Procedures for Commenting to FERC and the submittal deadlines are contained in the document, which can be found here.
Proven Compliance Solutions Inc. (PCS) monitors FERC communications, as well as the Standards drafting processes, on a daily basis and will continue to follow this developing story, so stay tuned for more information as this process moves forward!