The Federal Energy Regulatory Commission ("FERC"), on April 19, 2012, approved the eight modified Critical Infrastructure Protection ("CIP") Reliability Standards, CIP-002-4 through CIP-009-4 ("Version 4 CIP Standards"), which were developed and submitted for approval by the North American Electric Reliability Corporation ("NERC") ("Final Order"). CIP-002-4 requires the identification and documentation of Critical Cyber Assets associated with Critical Assets. Responsible entities, under the newly-approved CIP-002-4, will identify Critical Assets by applying the bright line criteria set forth in Version 4 of the Reliability Standard, replacing the current risk-based assessment methodology set forth in Version 3.2 FERC also approved other conforming modifications to CIP-003-4 through CIP-009-4. FERC noted that these standards are an interim step towards NERC's full compliance with FERC directives set forth in Order No. 706 (development of Version 5 of the CIP Standards) and, in the Final Order, FERC directed NERC to comply fully with Order No. 706 by March 31, 2013.
CIP-002-4—Bright Line Criteria
The Final Order sets forth 17 uniform bright line criteria for responsible entities to use as a checklist for the identification of Critical Assets, which are programmable electronic devices and communication networks including hardware, software and data. For example, one bright line criteria deems that the following asset is a Cyber Asset: "[e]ach group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW in a single Interconnection."
Once a responsible entity identifies its Critical Assets, that responsible entity will be able to identify the associated Critical Cyber Assets which are those Cyber Assets that are essential to the reliable operation of the Bulk Electric System. Critical Cyber Assets are subject to the requirements set forth in the remaining CIP standards which seek to protect Critical Cyber Assets by requiring that responsible entities have adequate security plans, security devices and personnel training in place. While registered entities can voluntarily apply any or all of the CIP Reliability Standard requirements to assets that fall outside of the bright line criteria, those assets will not be subject to a compliance obligation enforced by FERC, NERC or a Regional Entity.
The bright line criteria, set forth in Attachment A to CIP-002-4, apply to specific types of facilities, such as generating units, transmission lines and control centers. While NERC and FERC acknowledged that the bright line criteria do not identify all control centers as Cyber Assets, FERC recognized that more control centers will be indentified as Critical Assets under Version 4 than are currently identified. FERC noted that it continues to expect that NERC will provide comprehensive protection of all control centers as it works to comply with the requirements set forth in Order No. 706.
Implementation
FERC approved NERC's proposed effective date and implementation plan for CIP-002-4. Registered entities must achieve full compliance with the Version 4 CIP Standards for existing Critical Assets on the first day of the eighth calendar quarter after applicable regulatory approvals have been received. NERC's approved implementation plan sets forth how: i) registered entities will bring newly identified Critical Cyber Assets into compliance with CIP-002-4 once the standard becomes effective; and ii) those entities registering in the NERC Compliance Registry on or after the effective date of the Version 4 CIP Standards will attain compliance.
Some comments expressed concern that the CIP-002-4 implementation plan may overlap with a future Version 5 of CIP Standards, which NERC anticipates filing with FERC by the third quarter of 2012. However, FERC found that since NERC has not yet proposed Version 5, any concerns regarding the implementation of that version of the standard were outside the scope of this proceeding.
Compliance with Order No. 706
NERC acknowledged that its proposed Version 4 CIP Standards do not cover all the outstanding directives that FERC set forth in Order No. 706. Version 4 only concerns FERC's more immediate concerns regarding risk-based assessment methodology and the identification of Critical Assets and Critical Cyber Assets. FERC accepted NERC's phased approach to compliance with Order No. 706 and provided NERC with guidance in the development of the future Version 5 CIP Standards regarding: i) the consideration of cyber connectivity as a basis for identification of Critical Cyber Assets; ii) applying applicable features of the National Institute of Standards and Technology Framework, which recognizes that all connected assets require a baseline level of protection to prevent attackers from launching further, more devastating attacks; and iii) the need for an entity with a regional perspective to have the opportunity to adjust the identification of Cyber Assets in some circumstances.
In the Final Order, FERC required that NERC comply with all outstanding Order No. 706 directives by March 31, 2013. FERC set this compliance deadline six months beyond NERC's estimated filing date for the proposed Version 5 CIP Standards to allow for any unforeseen delays. In the meantime, NERC is required to file a report at the beginning of each quarter that: i) explains whether it is on track to meet that deadline; and ii) describes the status of its Version 5 standard development efforts.
Implications
FERC saw the Version 4 CIP Standards as an important step in ensuring that Critical Cyber Assets are identified through the adequate identification of Cyber Assets. In FERC's view, the current risk-based assessment methodology leaves gaps in coverage of potential Critical Cyber Assets that need the protection afforded to them through the application of the remaining CIP Standards.
With the implementation of CIP-002-4, more assets will be deemed Critical Assets than under the current identification procedure. In turn, more assets are likely to be deemed Critical Cyber Assets and, thus, subject to the remaining CIP Standards. While the Version 4 CIP Standards seek to bring clarity and consistency to the identification of Cyber Assets, the industry is awaiting NERC's proposal of the Version 5 CIP Standards and the associated implementation plan. For now, FERC directed NERC, Regional Entities and all registered entities to begin the implementation of the Version 4 CIP Standards, while noting that FERC will consider any overlap between the implementation of Version 4 and Version 5 CIP Standards once NERC proposes the Version 5 CIP Standards.