In a Notice of Proposed Rulemaking (NOPR) issued on April 18, 2019, the Federal Energy Regulatory Commission (FERC or Commission) requested comments on proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-012-1 (CIP-012-1), a new cybersecurity rule requiring responsible entities to harden communication links and secure certain types of data transmitted between the Control Centers that operate the bulk electric system. Responsible entities include balancing authorities, generator operators, reliability coordinators, transmission operators and transmission owners that own or operate a Control Center. Conceived in response to the Commission’s directive in Order No. 822, proposed CIP-012-1 envisions a tiered data security framework with data security measures to be implemented based on an assessment of risk levels (low, medium, and high) associated with various aspects of responsible entities’ Control Centers.
In the NOPR, the Commission states that it generally supports adoption of CIP-012-1, but that it would also like NERC to propose modifications clarifying the requirements concerning Control Center communication links and the Control Center data that would be subject to the proposed rule.
The Commission invites stakeholders to submit comments on the Commission’s NOPR regarding CIP-012-1 in FERC Docket No. RM15-14-000 by June 24, 2019.
The CIP Reliability Standards are designed “to mitigate the cybersecurity risks to bulk electric system facilities, systems, and equipment, which, if destroyed, degraded, or otherwise rendered unavailable as a result of a cybersecurity incident, would affect the reliable operation of the Bulk-Power System.” In Order No. 822, the Commission directed NERC to modify the CIP Reliability Standards “to require responsible entities to implement controls to protect . . . communication links and sensitive bulk electric system data communicated between bulk electric system Control Centers in a manner that is appropriately tailored to address the risks posed to the bulk electric system by the assets being protected.” The Commission also instructed NERC to “consider the differing attributes of bulk electric system data as it assesses the development of appropriate controls.”
NERC proposed CIP-012-1, a new CIP Reliability Standard, in response to the Commission’s directive in Order No. 822. Proposed CIP-012-1 requires responsible entities to implement protocols that address the unauthorized disclosure and modification of Real-time Assessment and Real-time Monitoring data that are transmitted between Control Centers. The protocols must include specific, identified security protections and, for situations that involve communications between Control Centers operated by different responsible entities, an allocation of responsibilities as between or among the entities involved.