On March 16, 2023, FERC approved a new cybersecurity reliability standard, CIP-003-9 (along with associated violation risk factors and violation security levels), proposed by the North American Electric Reliability Corporation (“NERC”). CIP-003-9 focuses on supply chain risk management for low impact Bulk Electric System (“BES”) Cyber Systems and requires: (1) responsible entities to include the topic of “vendor electronic remote access security controls” in their cyber security policies; (2) entities with low impact BES facilities to have methods for identifying and disabling vendor remote access; and (3) entities with low impact BES facilities to have methods for detecting malicious communications for vendor remote access. The new standard aims to prevent compromises to cyber systems in the event of a known or suspected malicious communication and will become effective 36 months after FERC’s approval.
NERC explained that it originally issued reliability standards for medium and high impact BES systems and concurrently directed further study of supply chain risks associated with low impact BES Cyber Systems. NERC’s 2019 NERC Supply Chain Risk Assessment found…
