On March 16, 2023, the Federal Energy Regulatory Commission (“FERC”) approved a new Reliability Standard “adding new requirements focused on supply chain risk management for low impact bulk electric system (“BES”) Cyber Systems.”
The new standard was developed by the North American Electric Reliability Corporation (“NERC”), and FERC had previously requested public comment in a 2020 Notice of Inquiry on the potential risks of a coordinated cyberattack targeting geographically distributed generation resources. Given “that there are a large number of low impact BES Cyber Systems and that responsible entities need time to procure and install equipment that may be subject to delays given high demand[,]” the new Reliability Standard will become effective “on the first day of the first calendar quarter that is 36 months after Commission approval” – that is, in 2026.
The new Reliability Standard for low impact BES Cyber Systems also follows shortly after FERC issued a final rule directing NERC to develop new or modified Reliability Standards that require internal network security monitoring within Critical Infrastructure Protection networked environments for certain high and medium impact BES Cyber Systems.
Supply Chain Risk Management. The new Reliability Standard imposes supply chain risk management requirements on low impact BES Cyber Systems, including by requiring:
- Responsible entities to include “‘vendor electronic remote access security controls’ in their cyber security policies[;]”
- Responsible entities “with assets containing low impact BES Cyber Systems to have methods for determining and disabling vendor electronic remote access[;]” and
- Responsible entities “with assets containing low impact BES Cyber Systems to have methods for detecting malicious communications for vendor electronic remote access.”
FERC also approved “the associated violation risk factors and violation severity level assignments” for the new Reliability Standard.
Implementation Plan. As noted above, the new Reliability Standard will become effective “on the first day of the first calendar quarter that is 36 months after Commission approval” in light of the “high number of assets containing low impact BES Cyber Systems[] and supply chain constraints for equipment necessary to implement the Reliability Standard.” The currently effective Reliability Standard CIP-003-8 will “be retired immediately prior to the effective date of the” new Reliability Standard CIP-003-9.
Looking Ahead. FERC’s approval of the new Reliability Standard for low impact BES Cyber Systems follows shortly after the White House’s publication of its new U.S. National Cybersecurity Strategy, which called for mandatory minimum cybersecurity requirements in critical infrastructure sectors. In fact, FERC’s approval is one of several recent agency actions implementing additional cybersecurity requirements or guidance for critical sectors, including public water systems, airport and aircraft operators, and healthcare entities.