NERC

NERC CIP Version 5 Fails to Pass First Vote

Version 5 of the NERC Critical Infrastructure Protection (CIP) standards was released for comment and vote in December. The results of the voting have been released, and the standard updates failed to receive the necessary votes to pass. The voting results can be viewed and downloaded here.

Honeywell's Tom Alrich, who has been working closely with this process, commented, "The only positive vote of greater than 40% was for the implementation plan. CIP-003 and CIP-008 got between 30 and 40% positive votes. Everything else got under 30% positive. In addition, participation was quite high - over 90% for each ballot." Mr. Alrich notes that the Standard Development Team is working on changes that will increase the likelihood of ratification in the next vote. 

Version 3 of the NERC CIP standards is in place now, with version 4 approved and awaiting implementation. Some industry professionals hoped that version 5 would be approved quickly so that implementation of procedures to comply with version 4 would not be necessary. The failed vote brings this possibility into question.

NERC Reliability Report Draws Attention to Threats and Issues in Bulk Power System Reliability

Integration of smart grid devices and other new and emerging technologies that rely on communications to control device operations poses a threat to the reliability of the electric grid, according to a new report released by the North American Electric Reliability Corporation (NERC). Providing a 10-year outlook on the North American electric industry, the new '2011 Long Term Reliability Assessment' report released by NERC evaluates key reliability indicators and dives into the impact of regulations and other issues on bulk power system reliability. The key issues discussed in the report were: the decrease in projected generation resources; the growing dependence on natural gas as a primary fuel source of on-peak capacity; the increased demand for integrating and delivering new resources and the subsequent growth of transmission; and the cumulative effect of environmental regulations, which may reduce reserve margins in ways that could affect bulk power system reliability, depending on the scope and timing of final regulation implementation.

NERC Issues New CIP 5 Standards and Implementation Plan For Comment

In a recent announcement, the North American Electric Reliability Corporation (NERC) has published ten CIP standards (CIP-002-5 through CIP-009-5, CIP-010-1, and CIP-011-1), a set of new and revised NERC Glossary definitions, and a proposed implementation plan. The documents have been posted on the NERC website for a formal 60-day comment period through Friday, January 6, 2012; comments will be accepted via an electronic form. The implementation plan, also called the mapping document, identifies each requirement in the already-approved Version 4 CIP standards and identifies how the requirement has been treated in the Version 5 CIP standards.

 

FERC Initiates Rule Making on NERC CIP 4 Security Standards

Source: FERC Press Release dated September 15, 2011

"In a long awaited regulatory action, the Federal Energy Regulatory Commission (FERC) took steps to support continued transmission system reliability by proposing revisions to eight critical infrastructure protection (CIP) reliability standards that include a new method of identifying cyber assets that are critical to the nation’s bulk power grid.

The North American Electric Reliability Corp. (NERC) voted to approve the newest version of the CIP standards some time ago, and the industry has been waiting for FERC's decision on whether the standards should be enacted.

If enacted, NERC CIP 4 would present significant changes in the way utilities identify critical assets and the means used to protect them. Utility security professionals should review the draft standards and begin considering changes needed to their procedures to comply with the new methodologies.

The notice of proposed rulemaking (NOPR) stressed that NERC has not addressed all the modifications directed by the Commission’s Order No. 706, which approved the original CIP standards in January 2008. The NOPR would require NERC to make a filing to fully comply with Order No. 706 by the end of the third quarter of 2012. Comments on the proposed rule (RM11-11) are due 60 days after publication in the Federal Register.

The proposed “Version 4” CIP standards are an interim step, FERC said in directing the electric industry and the North American Electric Reliability Corp. (NERC) to continue developing a comprehensive approach to assure the grid can withstand a cyber security incident. NERC is the Commission-certified electric reliability organization responsible for developing and enforcing mandatory reliability standards."

DOE Releases Draft of Cybersecurity Risk Management Process (RMP) Guideline for Comment

The Department of Energy, in collaboration with the National Institute of Standards and Technology and the North American Electric Reliability Corporation, has released a draft of the Electricity Sector Cybersecurity Risk Management Process (RMP) Guideline for public comment. The RMP Guideline was drafted by a joint public-private sector team that also included representatives from the Federal Energy Regulatory Commission, the Department of Homeland Security, and utilities. The initiative to develop the RMP Guideline is led by the Department’s Office of Electricity Delivery and Energy Reliability. Comments are due by October 28, 2011 and can be made at: https://public.commentworks.com/CW_DOE_AWF/

Senate Committee Approves "Grid Cyber Security Act" - Unanimously

Earlier today, the Senate Energy and Natural Resources Committee unanimously approved the "Grid Cyber Security Act", a somewhat amended version of the bill it approved last session that was never brought to the Senate floor for a vote. The bill now goes to Senate Majority Leader Harry Reid, who may opt to fold it into a more comprehensive cybersecurity bill he hopes to bring to the Floor later this summer.

Meanwhile, the House Subcommittee on Energy and Power of the Energy and Commerce Committee plans a hearing next Tuesday, May 31, on its own version of the bill whose language is based on the GRID Act passed unanimously last year by the House.

Under the provisions of the Senate bill, FERC jurisdiction would be expanded to include distribution in addition to generation and transmission systems and assets deemed "critical electric infrastructure [CEI]," defined as "so vital to the United States that the incapacity or destruction of the systems and assets would have a debilitating impact on national security, national economic security, or national public health or safety."

Within 120 days of enactment, FERC is directed to review current standards to determine their adequacy to mitigate cyber vulnerabilities. Due in part to criticisms that the NERC CIP standards setting process is too slow, the bill would impose a 180-day deadline for NERC to propose revisions to those standards that FERC finds wanting, or develop a new standard to address new vulnerabilities identified by FERC. Reasonable time extensions will be granted, but the bill is silent on penalties if the deadline is not met.

DOE Announces Collaborative Grid Cyber Security Initiative with NIST, NERC

The Department of Energy (DOE) has announced a collaborative grid cyber security initiative with the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC). Led by the DOE’s Office of Electricity Delivery and Energy Reliability, the effort will also collaborate with public and private sector representatives including the NIST Smart Grid Interoperability Panel’s Cyber Security Working Group (CSWG) and the Federal Energy Regulatory Commission (FERC).

NERC Issues AURORA Vulnerability Alert, Provides New Information To Mitigate Threat to Bulk Power System

The North American Electric Reliability Corp (NERC) is requiring that members of the bulk power system implement protections against a vulnerability that could be exploited to cause physical damage to critical systems that provide electricity. Specifically, NERC has issued a recommendation to the industry on the AURORA vulnerability which provides new sensitive and clarifying information regarding the nature of AURORA. The recommendation requires entities to report on efforts and progress by Dec. 13, with updates every six months until mitigation is complete.

Senate Panel Gives DOE Secretary Emergency Powers to Act on Grid Cyber Threats

The Energy secretary will have the power to issue emergency orders for imminent cybersecurity threats to the electric grid according to legislation passed unanimously by the Senate Energy and Natural Resources Committee. Amending the GRID Act (H.R. 5026) that was passed by the House two months ago, the Senate Committee approved the bill to give authority to the Federal Energy Regulatory Commission (FERC) for risks that are not as imminent. It also gives FERC the authority to circumvent the North American Electric Reliability Corporation (NERC) process and directly order, without notice or hearing, generation, transmission and select distribution utilities to address cyber vulnerabilities pertaining to programmable electronic devices or communications networks. FERC is directed to establish a cost recovery mechanism for utilities for prudently incurred compliance costs. A spokesperson for the Senate Committee Chairman Jeff Bingaman (D-N.M.) told CongressDaily that these provisions will give the bill a better chance of passing the Senate this year.

CYBER SECURITY: Brace Yourself

Cyber security will come to dominate all aspects of information communications technology at utilities in 2011 and 2012. I would love your ideas on what more UTC could do to help you with this.

The National Institute of Standards and Technology (NIST) has just released a final draft of its Smart Grid Cyber Security Strategy and Requirements. This will now drive future cyber security work at the North American Electric Reliability Corporation (NERC) on their Critical Infrastructure Protection (CIP) requirements in 2011. The NIST recommendations and political pressure from Congress will combine to force stronger cyber security protections in both the bulk power grid and the distribution grid.
