One of the things that struck me about FERC’s October NOPR was its tone regarding Low impact BES Cyber Systems. This is most evident in the discussion of electronic access control in Section 31, pp 19-20, which addresses the requirement for Low impact electronic access controls in CIP-003-7. FERC did say they would approve CIP-003-7 R2 Attachment 1 Section 3.1, which was developed to comply with FERC’s directive in Order 822 that NERC address what FERC saw as an ambiguity – and, in truth, a loophole – in the language of CIP-003. However, in this section they went further, and ordered NERC to start developing a new Low impact electronic access control requirement that goes beyond what is in CIP-003-7.
I will go into the substance of what FERC said about this topic in the next post in this series, but I’ll jump the gun a little and point out that FERC told NERC that they have to develop specific controls for Lows in four areas: Electronic Access Points, evaluation of access based on need, authentication of users, and password management. FERC brings these up in the context of electronic access control, but they have clearly moved beyond anything they’ve ordered before in the way of electronic access controls for Lows, which has until now pretty much meant firewalls (and, in case you wondered, they’re making it almost inevitable that an inventory of Low impact BES Cyber Systems will be required to comply with these new requirements. More on that in the next post).
FERC clearly believes that Low impact BCS constitute a point of vulnerability for the BES, and they’re moving to strengthen the controls on them. This isn’t because they think that the physical assets NERC classifies as Low impact are actually much more impactful than NERC thinks they are. It’s because FERC sees the entire BES as being in some way connected on a logical level. You may scoff at this by pointing out that there is no such thing as a continent-wide IP network connecting any BES assets, let alone all of them. But if you consider serial communications as in some way hackable, then this idea gains a little more plausibility (although just a little, in my opinion).
In any case, this is what FERC believes, and they will be requiring that CIP-003-8 have more electronic access controls for Lows. But I think there is another likely area in which FERC will try to strengthen cyber security controls on Lows, and that’s CIP-013.
For those of you keeping score at home, CIP-013-1 was approved by NERC and submitted to FERC at the end of September. My guess is FERC will act on it within six months, possibly even earlier (I was quite surprised by the speed with which they acted on CIP-003-7, given that they’ve only had a quorum since August, and there were a lot of other items on their plate from the 5 or so months they didn’t have a quorum).
You also probably know that CIP-013-1 only applies to High and Medium impact BCS (although the first draft did include Lows, on a reduced scale). In Order 829, which ordered this standard, FERC just said that the standard should apply to BES Cyber Systems without specifying any impact levels, so the drafting team wasn’t explicitly disobeying FERC in limiting the scope to Highs and Mediums.
You may also know that there is only one FERC Commissioner remaining from the four that voted on that standard (and that Commissioner, Cheryl LaFleur, dissented from the vote, although her objection was that FERC wasn’t giving NERC enough time to develop the new standard – which I totally agreed with at the time), so the majority of the Commissioners now are newly appointed.
Finally, you probably also have heard somewhere that there is a new Administration in Washington, which many people believed would be very skeptical of any new or extended regulations – and whose appointees to FERC might be expected to oppose any major extension of the CIP standards, such as ordering NERC to include Lows in the next version of CIP-013. However, if you thought that, you would do well to take a look at the language in the NOPR, since FERC seems not only willing but eager to extend requirements on Lows. In my opinion, they believe Lows might be the weak underbelly to the whole BES.
This is all to say that I now think it quite likely that, when they approve CIP-013-1, FERC will also order NERC to develop a new version that brings Lows into scope in some way. So if you have responsibility for Low impact BCS, you might circle 2021 on your calendar as the possible date when this new version, probably CIP-003-8, will come into effect. And if you’re nearing retirement, you might want to aim for 2020! It’s supposed to be a good year.
The views and opinions expressed here are my own, and do not reflect those of any organization I work with. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.