Cyber Security Standards Under Review

Author: Kelly Ziegler, NERC, USA

NERC - the North American Electric Reliability Corporation

The North American Electric Reliability Corporation’s (NERC) mission is to ensure the reliability of the bulk power system in North America.

To achieve that, NERC develops and enforces reliability standards; assesses adequacy annually via a 10-year forecast and winter and summer forecasts; monitors the bulk power system; audits owners, operators, and users for preparedness; and educates, trains, and certifies industry personnel.

NERC is a self-regulatory organization, subject to oversight by the U.S. Federal Energy Regulatory Commission and governmental authorities in Canada. Learn more at www.nerc.com.

Multi-Phase Development Approach Will Address Short- and Long-Term Goals

Revised Phase I under review

As part of its efforts to better address cyber security and critical infrastructure protection, the North American Electric Reliability Corporation and its Cyber Security Standard Drafting Team have recently released phase one of proposed revisions to eight Critical Infrastructure Protection reliability standards for industry comment and review.

The standards (CIP-002 through CIP-009) are designed to ensure utilities and other users, owners, and operators of the bulk power system in North America have appropriate procedures in place to protect critical infrastructure from cyber attack.

Scheduled to be filed with regulatory organizations for final approval this spring, phase I revisions address a number of wording changes to the existing standards as specifically outlined in the Federal Energy Regulatory Commission’s Order 706, released in January 2008.

Importantly, the proposed modifications to the standards address the directive in Order 706 to “remove references to reasonable business judgment (in the standards) before compliance audits begin in 2009.” This phase also closes a key gap in the existing standards, specifying a compliance schedule for newly identified critical assets.

Phase II CS Standards

Work on Phase II has already begun and will result in more significant revisions which may change some of the philosophical foundations of the standards. These efforts will include a more thorough evaluation of the National Institute of Standards and Technology standards and risk management framework and their applicability to the bulk power system.

“Developing the multi-phase approach has enabled us to address pressing concerns around the existing standards in the short term while devoting the appropriate resources to thoroughly address more complex revisions in the long term,” commented Jeri D. Brewer of the United States Bureau of Reclamation, the Chair of the Cyber Security Standard Drafting Team. “We are firmly committed to drafting stronger standards that will better protect our continent’s bulk power system infrastructure and achieving this goal on a schedule that will make these standards mandatory and enforceable promptly and effectively.”

“These phase I revisions represent an unprecedented effort to improve existing standards in a short, two-month revision cycle and are evidence of the volunteer-based team’s dedication to this important work,” commented Gerry Adamski, Vice President of Standards Development at NERC. “We all recognize, however, that there is still much work to be done. I am confident that the industry-based standards development process will meet the high expectations set out for this critical project and look forward to working closely with the drafting team as this project progresses.”

The proposed modifications to the eight Critical Infrastructure Protection reliability standards are available at:

www.nerc.com/filez/standards/Project_2008-06_Cyber_Security.html

The drafting team is comprised of 24 cyber security experts from across the electric industry. View the team members online at:

www.nerc.com/docs/standards/sar/Drafting_Team_Roster_External_Version.pdf

Get a high-level update on drafting team activities by subscribing to our e-mail notifications list. Send an e-mail to: subscribe-cipdt-info@listserv.nerc.com. Leave the subject and body of the message blank.
