Proposed revisions to two North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards have been submitted to the Federal Energy Regulatory Commission (FERC) for consideration. The two affected standards are CIP-004 and CIP-011. The petition for these revisions can be found on the NERC website, in the “Filed and Pending Regulatory Approval” area. These revised standards would become effective 24 months after approval.
CIP-004 deals with personnel risk assessment, training, security awareness, and access management. The proposed revision, which would become CIP-004-7, seeks to remove references to “designated storage locations” and focus on provisioned access to the BES Cyber System Information (BCSI) rather than its location. The change would permit entities to implement file-level rights and permissions, such as policy-based credentials or encryption, to manage access to BCSI.
CIP-011 focuses on preventing unauthorized access to critical systems by specifying information protection requirements. The proposed amendment, which would become CIP-011-3, clarifies the requirements that apply when BCSI is handled by third-party solutions such as cloud services.
According to the petition, “The protections available for Responsible Entities to secure information in the cloud, for example, depend less on the actual storage location of the information and more on file-level rights and permissions. As a result, the revisions in proposed Reliability Standards CIP-004-7 and CIP-011-3 would allow Responsible Entities to leverage these protections within their control for third-party data storage and analysis systems.”
These revisions highlight NERC’s increased focus on supply chain compromises and incidents. In July 2021, NERC and FERC published a white paper emphasizing lessons learned from the SolarWinds hack and other supply chain compromises and included a wide range of key actions electric utilities should take to protect themselves from known supply chain attacks, such as SolarWinds, Microsoft Exchange, Pulse Connect VPN and others.
Recommendations in this paper include revalidating the implementation of the least-privilege principle for host and network permissions, considering a systemic risk-based approach for protecting the most critical assets, implementing the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and baselining critical access and administrative privileges. Utilities were also encouraged to consider participating in the Cyber Mutual Assistance Program with peer utilities to ensure a collective response during a cyber event, in addition to exercising cyber and physical security response plans with third-party vendors, partners, and the government.
To learn more about the NERC CIP standards and tips on how to comply with them, check out our NERC CIP compliance guide.