On April 18th, 2013, FERC held a meeting in which it heard from NERC regarding the proposed Critical Infrastructure Protection (CIP) version 5 standards. The committee voted to skip version 4 and move straight to version 5, and the recently issued Presidential executive order on critical infrastructure cyber security appeared to be largely the driving force behind the rapid movement. Some of the major changes for version 5 include:
- New risk-based tiered classification system for cyber assets: High, Medium and Low
- Extended scope of who would be required to meet the standards
- CIP-010-1: Configuration Change Management and Vulnerability Assessments
What does today’s meeting mean for electric utilities that currently fall under CIP reliability standards? Mostly just business as usual. With v4 set to take effect April 1, 2014, it looks like it might be a couple of years before version 5 is the enforced standard. FERC is seeking comment on certain language within the proposed v5 standards that could lead to ambiguity and affect the enforceability of the proposed standards, as well as on consideration for low-impact BES cyber assets. The good news is you can start to prepare for version 5 knowing that it will arrive sooner than version 4!
FERC News release regarding adoption of new standards: http://www.ferc.gov/media/news-releases/2013/2013-2/04-18-13-E-7.asp
Commissioner Cheryl A. LaFleur Statement: http://www.ferc.gov/media/statements-speeches/lafleur/2013/04-18-13-lafleur-E-7.asp