By Rich Heidorn Jr.
FERC on Thursday approved rules to prevent malware from infecting “low-impact” computer systems through transient electronic devices such as laptops and thumb drives (RM17-11, Order 843).
The order approves reliability standard CIP-003-7 and, as outlined in the commission’s October Notice of Proposed Rulemaking, directs NERC to modify it to mitigate the risk of malicious code introduced by third-party devices that frequently connect to and disconnect from low-impact systems. (See FERC Seeks Cyber Controls on Portable Devices; Sets GMD Plans.)
The commission reiterated the concerns it raised in the NOPR that the NERC standard “lacks a clear requirement to mitigate the risk of malicious code” that could result from third-party transient devices. “Accordingly, we direct NERC to develop a modification to the reliability standard to provide the needed clarity. Such modification will better ensure that registered entities clearly understand their mitigation obligations and, thus, improve individual entity mitigation plans,” the commission said.
However, the commission declined to adopt a proposal requiring NERC to “provide clear, objective criteria for electronic access controls” for low-impact systems. NERC tiers its cybersecurity requirements based on classifications of high-, medium- and low-impact Bulk Electric System (BES) cyber systems.
The commission said comments from NERC and others convinced it that the reliability standard already “provides a clear security objective that establishes compliance expectations.”
Instead, FERC ordered NERC to conduct a study within 18 months to assess the implementation of the standard to determine whether the electronic access controls adopted by responsible entities “provide adequate security.” The study was proposed in a joint filing by the American Public Power Association, Edison Electric Institute and National Rural Electric Cooperative Association, identified in the order as “trade associations.”
Reversal
NERC said that the standard requires responsible entities to “document the necessity of its inbound and outbound electronic access permissions and provide justification of the need for such access.”
The trade associations, the Electric Consumers Resource Council (ELCON) and the Transmission Access Policy Study Group said the proposal would be burdensome and ineffective. While it “appreciates the value [of] establishing more tangible criteria for adequate low-impact BES cyber system controls … the additional requirements that the commission proposes would do nothing to harden a low-impact facility against the rapid evolution in cyber warfare,” ELCON said.
The trade associations urged a risk-based approach to allow responsible entities to focus their resources on assets that have a higher impact on reliability.
“Given NERC’s statements, we believe that there will be adequate measures to assess compliance with reliability standard CIP-003-7,” FERC concluded. “We expect responsible entities to be able to provide a technically sound explanation as to how their electronic access controls meet the security objective.”
Mitigation of Malicious Code
The trade associations and ELCON also opposed the NOPR’s proposal to require responsible entities to prevent malicious code from entering their systems via transient electronic devices used by contractors and other third parties. The trade groups said risk mitigation is already implicitly required under Section 5 of the standard’s Attachment 1, which covers transient cyber assets and removable media.
But FERC said the standard doesn’t go far enough. “While commenters agree that, at least implicitly, the mitigation of malicious code is an obligation, the lack of a clear requirement could lead to confusion in both the development of a compliance plan and in the implementation of a compliance plan,” the commission said. “In addition, although NERC contends that the proposed directive may not be necessary, NERC agrees that modifying reliability standard CIP-003-7 to address the mitigation of malicious code explicitly could clarify compliance obligations.”
FERC said CIP-003-7 also will improve reliability by requiring responsible entities to have a policy for declaring and responding to “CIP exceptional circumstances,” which NERC defines as situations that involve or threaten to impact BES reliability, such as a natural disaster, civil unrest or a risk of injury or death.