FERC approved revisions to three Critical Infrastructure Protection (CIP) North American Electric Reliability Corporation (NERC) Reliability Standards to expand the scope of the assets subject to supply chain cybersecurity requirements and related obligations. Supply chain cybersecurity continues to be a focus of NERC, energy industry stakeholders, and government regulatory and securities agencies.
The revisions affect CIP-013-2, Cyber Security – Supply Chain Risk Management; CIP-005-7, Cyber Security – Electronic Security Perimeter(s); and CIP-010-4, Cyber Security – Configuration Change Management and Vulnerability Assessments which were modified to address bulk electric system (BES) security and address concerns identified by FERC when the prior iteration of each Reliability Standard was approved.
In Order No. 850 (October 2018), the prior versions of each standard, which are currently in effect, were approved by FERC. While FERC found that the Reliability Standards were “forward-looking” and “objective-based,” as per FERC’s directive to NERC in Order No. 829 to develop CIP supply chain cybersecurity requirements, FERC determined that a significant…
