FERC Approves New Cybersecurity Standards for Low-Impact Electric Assets

At its open monthly meeting on March 16, 2023, the Federal Energy Regulatory Commission (FERC) approved a new cybersecurity standard proposed by the North American Electric Reliability Corporation (NERC) to address the supply chain risks posed by "low-impact" assets within the nation's bulk electric system (BES). The new standard, entitled Reliability Standard CIP-003-9, would require responsible entities to include the topic of "vendor electronic remote access security controls" in their cybersecurity policies and have methods for determining and disabling vendor electronic remote access.

This directive expands upon, and replaces, a previous cybersecurity standard, Reliability Standard CIP-003-8, which applied only to high- and medium-impact BES assets. In justifying this expansion to FERC, NERC explained that it identified supply chain risks affecting low-impact BES cyber systems similar to those affecting medium- and high-impact BES cyber systems, such as the introduction of malicious code in the supply chain and remote access of vendors' employees. While these low-impact assets admittedly pose a lesser risk to the BES than their high- and medium-impact counterparts, there is the potential for a greater impact if multiple low-impact assets are simultaneously compromised through remote access or if a medium- or high-impact asset is accessed through a low-impact asset.

This threat is aggravated by the fact that, as a recent NERC risk assessment found, most low-impact BES assets are contained in organizations with higher-impact assets but do not often receive the same protections, particularly where the low-impact assets use separate vendors. Moreover, the risk of a coordinated attack on multiple low-impact assets with remote electronic access connectivity could result in an event with interconnection-wide impact on the BES.

Highlights of the New Standard

In its March 16 order, FERC approved this new standard under Federal Power Act Section 215(d)(2), concluding that Reliability Standard CIP-003-9 improves upon its predecessor by adding new requirements focused on supply chain risk management for low-impact BES cyber systems and enhancing reliability controls that grant responsible entities additional visibility into threats. FERC found that it would do so by:

• requiring responsible entities to include the topic of "vendor electronic remote access security controls" in their cyber security policies
• requiring responsible entities with assets containing low-impact BES cyber systems to have methods for determining and disabling vendor electronic remote access
• requiring responsible entities with assets containing low-impact BES cyber systems to have methods for detecting malicious communications for vendor electronic remote access

The new standard essentially recognizes that low-impact assets may serve as conduits to attacks on other assets (or even facilitate system reconnaissance by criminals) in the event that security-in-depth is not applied across all aspects of the responsible entity's covered operations and its supply chain. Cybercriminals can sometimes be deterred (and move on to other targets) even with simple but critical measures such as multifactor authentication and role-based access to a responsible entity's operational or information systems.

FERC also approved NERC's proposed implementation plan, which provides that the new Reliability Standard CIP-003-9 would become effective on the first day of the first calendar quarter that is 36 months after FERC approval and that the currently effective Reliability Standard CIP-003-8 would be retired immediately prior to the effective date. As NERC observed – and FERC agreed – this reflects the consideration that there are a large number of low-impact BES cyber systems, and responsible entities need time to procure and install equipment that may be subject to delays, given high demand. Among other things, the new standard will likely require revisions to a number of contracts and updates to cybersecurity controls for service providers that were previously not the subject of NERC CIP requirements because they did not impact medium- or high-risk BES assets.

Finally, FERC approved NERC's proposal to modify the associated violation risk factors and violation severity-level assignments for Reliability Standard CIP-003-9.

Conclusion and Considerations

This new undertaking is the latest effort by FERC and other relevant federal agencies to combat the ever-growing threat posed by cybersecurity attacks to the nation's infrastructure, highlighted prominently by the Colonial Pipeline ransomware attack in 2021 and the SolarWinds hack in 2020.

Holland & Knight regularly advises industry entities on complying with these evolving regulations. If you have any questions regarding this FERC order or other cybersecurity regulations, please contact the authors.