On January 21, 2016, the Federal Energy Regulatory Commission (FERC) approved advancements to Critical Infrastructure Protection (CIP) Reliability Standards that address cybersecurity of the bulk electric system. The CIP Version 5 standards require that responsible entities actively consider the BES security needs beyond mere compliance with minimum standards, impacting how electric utilities include cybersecurity in their strategic business planning and operations.
The CIP version 5 standards, developed by the North American Electric Reliability Corporation (NERC), identify and categorize bulk electric system (BES) cyber structures based on whether such structures have a low, medium, or high impact on the reliable operation and set specific requirements for each category, with which categorized entities must comply. The tiered impact rating methodology would bring all cyber assets that could impact BES facilities into the scope of the CIP standards.
The action reflects the dynamic cybersecurity environment, which is moving toward proactive efforts for flexible and timely response to threats rather than basic compliance. While mandatory standards provide protection against known threats, electric utility sector and government agencies are increasingly coordinating their activities to maintain reliability against new and evolving threats. Additional interdependence between the electric grid and other infrastructure sectors, such as water and transportation, also raise concerns over the need for similar mandatory standards in these sectors.