FERC in a January 17 order approved eight new Reliability Standards developed by the North American Electric Reliability Corporation (NERC) regarding Cyber Security (CIP). These approvals come on the heels of FERC's approval last month of three new standards relating to Facilities Design, Connections and Maintenance (FAC). These authorizations mark two more bundles in a long series of standards developed by NERC as the FERC-designated Electric Reliability Organization.
The January 17 FERC-approved Cyber Security standards include CIP-002-1 – Critical Cyber Asset Identification, CIP-003-1 – Security Management Controls, CIP-004-1 – Personnel and Training, CIP-005-1 – Electronic Security Perimeter(s), CIP-006-1 – Physical Security of Critical Cyber Assets, CIP-007-1 – Systems Security Management, CIP-008-1 – Incident Reporting and Response Planning and CIP-009-1 – Recovery Plans for Critical Cyber Assets. The standards require “owners and operators of the bulk power system to establish policies, plans and procedures to safeguard physical and electronic access to control systems, to train personnel on security matters, to report security incidents, and to be prepared to recover from a cyber incident.”
FERC Chairman Joseph Kelliher indicated that while approving these standards, FERC was also directing NERC to make modifications relating to “reasonable business judgment and acceptance of risk” that “will strengthen the reliability standards . . . and improve [the Nation's] defenses against cyber threats.” In addition, FERC directed NERC to examine “a new framework of accountability surrounding exceptions based on technical feasibility” and to monitor the development and implementation of cyber security standards by the National Institute of Standards and Technology.
Last month's approval of three new mandatory standards for Facilities Design, Connections and Maintenance (FAC) require planning authorities and reliability coordinators to establish methodologies to determine system operating limits for the bulk-power system in the planning and operation arenas.
FAC-010-1 requires the planning authority to develop methodology that is “applicable to the planning time horizon, does not exceed facility ratings, and includes a description of how to identify the subset of [System Operating Limits] that qualify as [interconnection reliability operating limits].” FAC-011-1 imposes the same general directives on the reliability coordinator. FAC-014-1 requires reliability coordinators, planning authorities, transmission planners, and transmission operators to “develop and communicate System Operating Limits in accordance with FAC-010-1 and FAC-011-1.” In addition, FAC-014-1 requires that System Operating Limits are provided to entities with a reliability-related need.