NERC Adds to Electric Utilities’ Cybersecurity Duties
New and more detailed cyber-related responsibilities are on the horizon for electric utilities. The North American Electric Reliability Corporation, also known as NERC, is adopting modifications to its Critical Infrastructure Protection (CIP) standards compliance framework.
NERC began developing this cyber compliance framework in 2008 to mitigate cyberattacks on our bulk electric system. The following standards are in a formal comment period until Nov. 29, 2023:
- CIP-003-10: Cyber Security - Security Management Controls
- CIP-004-8: Cyber Security - Personnel & Training
- CIP-005-8: Cyber Security - Electronic Security Perimeter
- CIP-007-7: Cyber Security - Systems Security Management
- CIP-010-5: Cyber Security - Configuration Change Management and Vulnerability Assessments
Security Management Controls
Initially, this was a very brief definitional section describing what constituted a violation of security procedures. The Violation Security Levels section, as drafted, has been extensively rewritten to include many new responsibilities electric utilities must follow to determine whether an entity's violation ranges from lower-level to severe. Added compliance violations include a utility's failure to approve, review, document and follow its cyber policies and cyber incident plans.
Personnel & Training
This section continues to specify training in Electronic Access Control Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) but now includes proposed training in Interactive Remote Access (IRA).
Electronic Security Perimeter
Major proposed changes in this section include:
- Limiting access to Encapsulating Security Payload (ESP)
- External Services Interface configurations
- Providing for added authentication protocols
- Suitable malware protections
- Added physical controls to bolster cyber hygiene
Systems Security Management
The proposed changes include reclassifying Ports and Services as System Hardening. This revamped section requires utilities to disable or prevent improper network accessibility and to mitigate the risk of CPU or memory vulnerabilities by preventing CPU resource sharing and related vulnerabilities on the network.
Configuration Change Management and Vulnerability Assessments
This section proposes recordkeeping and additional processes to document the source of changes to utilities' computer system configurations. It now requires tracking modifications to the operating system, firmware, software and cyber security patches.
Utilities can submit comments on the proposed changes until Nov. 29. The NERC Board of Trustees will consider and vote on the changes in Dec. 2023 with expected implementation in 2024.
Please contact Walt Green or any member of Phelps’ Cybersecurity, Privacy and Data Protection team if you have questions or need compliance advice and guidance.