In late June 2020, the Federal Energy Regulatory Commission (FERC) released a Notice of Inquiry¹ (NOI) in which it asked detailed questions about the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the risk and impact of a coordinated cyberattack on the bulk electric system (BES). A recurring question throughout the NOI was whether low-impact cyber systems should be subject to the same North American Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards currently required of medium- and high-impact BES cyber systems.
The policy outcome that arises from this attention on the BES will need to balance the government's interest in protecting the nation against a coordinated cyberattack with industry concerns about regulatory burden. This is especially important because low-impact systems are usually smaller and often have fewer resources than their larger medium- and high-impact counterparts. To balance these interests, one potential solution would be to implement, for low-impact cyber systems, the NERC CIP controls and NIST concepts that will have the most impact:
- NERC-CIP’s Asset inventory (CIP 002-5.1a)²…