Trusted Cyber Security and Regulatory Compliance

for

Critical Infrastructure

 

Regulatory Compliance Background

Regulatory Compliance Background

Regulatory Compliance Background

The North American Electric Reliability Corporation’s (“NERC”) approach to compliance and enforcement activities as entities transition to the new and modified Critical Infrastructure Protection (“CIP”) Reliability Standards, referred to as the CIP Version 5 Reliability Standards (the “CIP V5 Standards”), approved by the Federal Energy Regulatory Commission (“FERC” or “Commission”) in Order No. 791.1 The CIP V5 Standards represent an improvement over the currently-effective CIP Reliability Standards, referred to as the CIP V3 Reliability Standards (the “CIP V3 Standards”), by adopting new cyber security controls and extending the scope of the systems protected by the CIP V3 Standards. 2 To support an efficient and effective transition to the CIP V5 Standards, NERC and the Regional Entities will take a flexible compliance monitoring and enforcement approach for the CIP Reliability Standards prior to the effective date of the CIP V5 Standards (the “Transition Period”) and allow entities subject to the CIP V5 Standards (“Responsible Entities”) to implement the CIP V5 Standards, in whole or in part, during the Transition Period.3

In accordance with the FERC-approved “Implementation Plan for Version 5 CIP Cyber Security Standards” (the “Implementation Plan”), Responsible Entities are allowed to transition from compliance with the CIP V3 Standards directly to compliance with the CIP V5 Standards, bypassing the CIP Version 4 Standards (the “CIP V4 Standards”).


Section 215 of the Federal Power Act created a three- tiered structure for Reliability Standards development and enforcement, including CIP Reliability Standards

 

Importance to Utilities:

  • Easy to violate, perfect compliance very difficult
  • A significant human element, regardless of automation
  • Many specific operational & documentation requirements
  • Violations carry heavy penalties: up to $1M per violation, per day as a violation of Part II of the Federal Power Act
  • Provides important security protections for valuable and hard-to- replace assets
  • Importance to regulators:
  • Major source of concern for FERC (OER and OEIS)
  • Significant Congressional scrutiny, possibility of legislation




1 Version 5 Critical Infrastructure Protection Reliability Standards, Order No. 791, 145 FERC ¶ 61,160 (2013). The CIP V5 Standards consist of Reliability Standards CIP-002-5.1, CIP-003-5, CIP-004-5.1, CIP-005-5, CIP-006-5, CIP-007-5, CIP-008-5, CIP- 009-5, CIP-010-1, and CIP-011-1.

2 The CIP V3 Standards consist of currently effective Reliability Standards CIP-002-3, CIP-003-3, CIP-004-3a, CIP-005-3a, CIP-006-3c, CIP-007-3a, CIP-008-3, and CIP-009-3.

3 This document applies to Regional Entities and Responsible Entities and supersedes previous Cyber Security Standards Transition Guidance addressing compliance and enforcement activities during the Transition Period. This document will be updated, as necessary, to reflect changes to the CIP Reliability Standards in response to FERC’s directives in Order No. 791