FERC recently proposed to approve the Version 5 Critical Infrastructure Protection (CIP) Reliability Standards, CIP-002-5 through CIP-011-1, submitted by the North American Electric Reliability Corporation (NERC). FERC believes the proposed CIP Version 5 Standards, which pertain to the cybersecurity of the bulk electric system, represent an improvement over the current Commission-approved CIP Reliability Standards because they adopt new cybersecurity controls and extend the scope of the systems that are protected by the CIP Reliability Standards.
Despite the benefits, the Commission has concerns regarding the potential ambiguity and, ultimately, enforceability of the CIP Version 5 Standards. Specifically, 17 of the requirements in the suite of CIP Version 5 Standards include language that requires the responsible entity to implement the requirement in a manner to “identify, assess and correct” deficiencies. The issue is that this language may be unclear about the compliance obligations it places on regulated entities, making it too vague to audit and enforce. The NOPR seeks comments on this and several other concerns. Moving at the speed of technology, some parts of CIP 4 may never become enforceable; it is expected that some utilities may go from CIP 3 to CIP 5 for some standards.