FERC Approves Infrastructure Protection Standards to Help Shield Power Grid from 'Malicious' Disruption
February 7, 2008 // Published as a news service by IHS
In an effort to safeguard the nation's electrical grid from disruption by cyber attackers, the Federal Energy Regulatory Commission (FERC) issued a final rule approving eight mandatory security standards that apply to all users, owners and operators of the U.S. bulk power system.
Deemed "critical infrastructure protection" (CIP) standards, the documents are designed to protect against poor access control, software vulnerabilities and other weaknesses in data-control systems, according to the FERC.
Developed in 2006 by the North American Electric Reliability Corp. (NERC), the CIP standards underwent a review and comment process before their final approval on Jan. 17, 2008.
The eight CIP reliability standards address the following topics:
- Critical cyber asset identification.
- Security management controls.
- Personnel and training.
- Electronic security perimeters.
- Physical security of critical cyber assets.
- Systems security management.
- Incident reporting and response planning.
- Recovery plans for critical cyber assets.
The mandatory reliability standards require certain users, owners and operators of the bulk power system to establish policies, plans and procedures to safeguard physical and electronic access to control systems, to train personnel on security matters, to report security incidents and to be prepared to recover from a cyber incident, said the FERC.
Once the final rule takes effect, the NERC will be tasked with any additional modifications to the documents. Violators face fines of up to $1 million per day, per incident, said the FERC.
The final rule also directs the NERC to monitor the development and implementation of cyber security standards by the National Institute of Standards and Technology (NIST) to "determine if they contain provisions that will protect the bulk power system better than the CIP reliability standards," said the FERC.
But the FERC did not direct the NERC to adopt the NIST standards because that could lead to possible delays in putting into place any mandatory and enforceable standards, according to the FERC.
Source: American National Standards Institute (ANSI) and Federal Energy Regulatory Commission (FERC).