
    FERC Approves Vendor-Focused Cybersecurity Protections for Low-Impact Systems

    March 22, 2023 - Legal Monitor Worldwide


      On March 16, FERC approved North American Electric Reliability Corporation (NERC) Reliability Standard CIP-003-9, Cyber Security - Security Management Controls, which introduces two new requirements to the suite of cybersecurity protections for low-impact bulk electric system (BES) cyber systems. The requirements focus on mitigating a supply chain risk that continues to challenge the electric industry: vendor remote access to critical electronic systems. The new rule will ensure these vendor risk mitigation requirements apply across every BES facility in the continental United States.

      Cybersecurity requirements in other NERC standards already require similar controls, but only for higher criticality systems. FERC's approval of CIP-003-9 means registered entities will now need to extend vendor risk mitigation practices to those generation or transmission assets containing cyber systems that are determined under Reliability Standard CIP-002 to pose a low reliability risk to the BES. Those facilities generally include everything not already covered by more stringent NERC cybersecurity requirements, including small 100-plus kilovolt (kV) substations, generation plants of 75 megavolt-amperes (MVA) and above connected at 100-plus kV, and generating units of 25 MVA and above connected at 100-plus kV.

      Registered entities will now need to ensure that their cybersecurity policies covering such facilities include vendor electronic remote access security controls. Registered entities must also implement processes that include the following:

      One or more method(s) for determining vendor electronic remote access

      One or more method(s) for disabling vendor electronic remote access

      One or more method(s) for detecting known or suspected inbound and outbound malicious communications for vendor electronic remote access

      While the changes above appear subtle, they are likely to present some challenges, particularly for utilities with large portfolios of dispersed, low-impact generator sites with remote access capabilities. Indeed, as FERC Chair Willie Phillips noted, "[t]he vast majority of BES assets today are considered low-impact and that number is only expected to grow." Regulators have grown increasingly concerned in recent years over the aggregate risks to the grid if many such facilities were to be lost or compromised. Conversely, compliance burdens will be reduced for entities that prohibit external remote access to such facilities or that do not permit it for vendors.

      The new rules become effective on April 1, 2026, which is the first day of the first calendar quarter that is 36 months after the FERC approval date. The long implementation period reflects regulators' recognition of the equipment procurement and installation challenges required to bring the large number of low-impact BES cyber systems into compliance.

