February 6, 2008—The Federal Energy Regulatory Commission (FERC) recently approved eight new mandatory critical infrastructure protection (CIP) reliability standards to protect the nation’s bulk power system against potential disruptions from cyber security breaches.
These reliability standards were developed by the North American Electric Reliability Corporation (NERC), which FERC has designated as the electric reliability organization (ERO).
The final rule also directs NERC to monitor the development and implementation of cyber security standards by the National Institute of Standards and Technology (NIST) to “determine if they contain provisions that will protect the Bulk-Power System better than the CIP Reliability Standards,” FERC said. But FERC did not direct NERC to adopt the NIST standards because that could lead to possible delays in putting into place any mandatory and enforceable standards.
<p.The mandatory reliability standards require certain users, owners and operators of the bulk power system to establish policies, plans and procedures to safeguard physical and electronic access to control systems, to train personnel on security matters, to report security incidents, and to be prepared to recover from a cyber incident.
The eight CIP reliability standards address the following topics:
- Critical Cyber Asset Identification;
- Security Management Controls;
- Personnel and Training;
- Electronic Security Perimeters;
- Physical Security of Critical Cyber Assets;
- Systems Security Management;
- Incident Reporting and Response Planning; and
- Recovery Plans for Critical Cyber Assets.
For more information, see the FERC Web site.
