The U.S. Federal Energy Regulatory Commission has approved updated cybersecurity standards for the nation’s electric utilities, with the hope that the new regulations will prevent attacks.
FERC’s seven updated critical infrastructure protection (CIP) reliability standards, published Tuesday in the Federal Register, require large utilities to conduct cybersecurity training at least once a quarter and, in most cases, to deploy two or more physical access controls outside their security perimeters.
The updated standards “are designed to mitigate the cybersecurity risks to bulk electric system facilities, systems, and equipment, which, if destroyed, degraded or otherwise rendered unavailable as a result of a cybersecurity incident, would affect the reliable operation” of the U.S. power grid, FERC said in its published Federal Register rule.
The updated standards require most utilities to close unneeded networking ports and to adopt procedures for the storage of information and the wiping of systems before they’re reused.
The FERC standards are built on rules from the North American Electric Reliability Corp. (NERC), a nonprofit regulatory authority focused on the reliability of the bulk power system in North America. In some cases, FERC directed the nonprofit group to add to the proposed standards, the agency said.
NERC applauded the new standards. FERC’s actions “represent significant progress toward mitigating cyber risks to the bulk power system,” the nonprofit said in a statement.
One point of disagreement was over standards for the use of USB flash drives at small utilities. While NERC and some utilities questioned the need for new rules, FERC pushed for them, according to the published final rule. NERC argued that other required measures, including a requirement that all communications between small utilities go through secure routers, already protect against malware introduced from USB drives.
But new rules for the use of USB flash drives “will provide an important enhancement to the security posture of the bulk electric system by reinforcing the defense-in-depth nature” of the standards, FERC countered.
In addition, the commission required NERC to study the effectiveness of the remote access control standards and the risks posed by remote access-related threats and vulnerabilities.
The commission also asked NERC to develop new standards providing security controls for supply chain risk management covering industrial control system hardware, software, and services.
FERC was concerned that “changes in the bulk electric system cyber threat landscape, identified through recent malware campaigns targeting supply chain vendors, have highlighted a gap in the protections” covered by the standards, the commission said.
FERC plans to host a technical conference on supply chain risk management issues on Thursday.
The new rules go into effect in about two months.