Item E-1 & E-2 | Docket Nos. Dockets: RM24-4; RM24-7
FERC today proposed to require new or modified critical infrastructure (CIP) standards to address the growing risks posed by malicious actors seeking to compromise the reliable operation of the bulk-power system.
The proposal would direct the North American Electric Reliability Corporation (NERC) to require entities to identify their current supply chain risks to their grid-related cybersecurity systems at specified intervals; assess and take steps to validate the accuracy of the information received from vendors during the procurement process; and document, track and respond to these risks to their systems. The Commission also would direct NERC to extend the applicability of the supply chain standards to include a category of products known as protected cyber assets, or “PCAs.”
NERC would submit responsive new or revised standards within 12 months of the effective date of a final rule.
Also today, FERC proposed to approve a CIP reliability standard that requires internal network security monitoring inside an entity’s electronic security perimeter, which NERC had submitted to comply with FERC Order No. 887. That rule, approved in January 2023, directed NERC to develop CIP reliability standards requiring internal network security monitoring to provide greater defense-in-depth for entities’ CIP-networked environments.
FERC also is proposing to direct NERC to develop modifications to the internal network security monitoring standard to extend those protections outside of the electronic security perimeter to electronic access control or monitoring systems and physical access control systems. NERC would submit a responsive revised reliability standard within 12 months of the effective date of a final rule.
These two orders show FERC’s continued core focus on reliability, and build upon recent actions taken by the Commission over the past two years.
R24-17