Utility sector wary of new security rules for distributed resources
“I’m not surprised industry vendors are suggesting there should be a lower threshold,” said Mike Almeyda, account manager with risk management firm Force 5. At the same time, he said, “it’s not that industry doesn’t want to do the work.” CIP standards are evolving and are already closely aligned with the National Institute of Standards and Technology’s Cyber Security Framework, he said.
Enacting stricter standards for smaller resources would raise costs, said Almeyda, including potentially requiring physical security perimeters around smaller renewable facilities. The utility sector is “trying to figure out how they can be within compliance,” he said, “but still produce a profit for shareholders.”
The North American Electric Reliability Corporation (NERC) and its six regional reliability entities jointly said that federal regulators should move cautiously in extending the data security requirements for medium- and high-impact BES facilities to smaller resources.
“NERC has new and modified CIP Reliability Standards in various stages of implementation that will strengthen the requirements already in effect,” according to the non-profit corporation charged with overseeing grid reliability. “NERC is also in the midst of several standards development projects aimed at enhancing the CIP Reliability Standards to provide additional protection against cyber threats and vulnerabilities.”
New CIP standards being rolled out aim to increase security controls for vendors and include a supply chain risk assessment by utilities.
FERC “should reconsider any additional enhancements until after these standards have been in place for a period of time,” EEI and EPSA told regulators. “Experience with these standards will better inform any potential future Commission action in this area.”
And the Transmission Access Policy Study Group (TAPS), which represents entities across almost three dozen states that are largely dependent on transmission facilities, said in comments that, instead of issuing directives for new standards, FERC “should allow NERC’s existing processes to work.”