The Federal Energy Regulatory Commission (“FERC”) released a final rule approving three new Critical Infrastructure Protection (“CIP”) standards which address supply chain risk management for bulk electric systems (“BES”) operations.  The new standards were developed by the North American Electric Reliability Corporation (“NERC”) in response to FERC Order No. 829, which directed NERC to create new CIP standards to address risks associated with the supply chain for grid-related cyber systems.  The final rule will take effect sixty days after it is published in the Federal Register.  The new standards must be implemented in eighteen months.  More details regarding the new CIP standards, which may be of interest to entities that develop, implement, or maintain hardware or software for industrial control systems associated with bulk electric systems (“BES”), are provided below.

The three new CIP standards require responsible entities (such as distribution providers, generator owners and operators, and transmission owners and operators) to develop and implement security controls for industrial control system hardware, software, and services associated with BES operations.  FERC noted that these new standards respond to supply chain risks, including the insertion of counterfeit or malicious software, unauthorized production, tampering, and theft.

Specifically, the new CIP standards will impose the following high-level requirements:

  • Cyber Security – Supply Chain Risk Management: According to FERC, this standard “does not require any specific controls or mandate ‘one-size-fits-all’ requirements.” Instead, this standard requires the development of a documented supply chain cyber security risk management plan for higher-risk covered systems that addresses, as applicable, six “baseline” security concepts:
    • Vendor security event notification;
    • Coordinated incident response;
    • Vendor personnel termination notification;
    • Product/services vulnerability disclosures;
    • Verification of software integrity and authenticity; and
    • Coordination of vendor remote access controls.
  • Cyber Security – Electronic Security Perimeter(s): This standard will include two new requirements for identifying active vendor remote access sessions and having method(s) for disabling active vendor remote access sessions.
  • Cyber Security – Configuration Change Management and Vulnerability Assessments: Finally, this standard requires responsible entities to verify the “identity of the software source and the integrity of the software obtained from the software source” prior to any installing software that changes established baseline configurations, “when methods are available to do so.”  According to NERC, these requirements could help reduce the risk that an attacker could “exploit legitimate vendor patch management processes to deliver compromised software updates or patches to a [covered system].”

FERC directed NERC to develop modifications that will include Electronic Access Control and Monitoring Systems (“EACMS”) in the scope of the standards within twenty-four months.  EACMS include firewalls, authentication servers, security event monitoring systems, intrusion detection systems, and alerting systems.

Tags: BEP, CIP, critical infrastructure, Cybersecurity, FERC, Internet of Things (IoT), NERC
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less