FERC issues two proposals directing NERC to develop new, modified cybersecurity standards

The Federal Energy Regulatory Commission (FERC) issued two proposed rulemakings stipulating it would direct the North American Electric Reliability Corporation (NERC) to develop new or modified cybersecurity standards to combat growing risks posed by malicious actors seeking to compromise the reliable operation of the nation’s bulk-power system.

The two notices of proposed rulemaking issued Sept. 19 are entitled “Supply Chain Risk Management Reliability Standards Revisions” and “Critical Infrastructure Protection Reliability Standard CIP-015-1 – Cyber Security – Internal Network Security Monitoring”. Comments in both are due 60 days from the date of publication.

If approved, the final rule for the supply chain proposal would direct NERC to require entities to identify their current supply chain risks to their grid-related cybersecurity systems at specified intervals; assess and take steps to validate the accuracy of the information received from vendors during the procurement process; and document, track and respond to these risks to their systems, FERC said.

The commission also would direct NERC to extend the applicability of the supply chain standards to include a category of products known as protected cyber assets, also called PCAs, and NERC would have to submit new or revised standards within 12 months of the effective date of a final rule.

In the second order, FERC proposed to approve a CIP reliability standard that requires internal network security monitoring inside an entity’s electronic security perimeter, which NERC had submitted to comply with FERC Order No. 887.

That rule, approved in January 2023, directed NERC to develop CIP reliability standards requiring internal network security monitoring to provide greater defense-in-depth for entities’ CIP-networked environments, according to the commission.

Additionally, FERC proposes to direct NERC to develop modifications to the internal network security monitoring standard to extend those protections outside of the electronic security perimeter to electronic access control or monitoring systems and physical access control systems.

NERC would submit a responsive revised reliability standard within 12 months of the effective date of a final rule, the commission said.

FERC said its two orders show its “continued core focus on reliability,” and they will build upon recent actions the commission has taken during the past two years.

The post FERC issues two proposals directing NERC to develop new, modified cybersecurity standards appeared first on Daily Energy Insider .