ANSI - American National Standards Institute
 Print this article  Previous Next 

FERC Approves New Standards to Shield the Power Grid from Malicious Disruption

New York, Jan 22, 2008

In an effort to safeguard the nation’s electrical grid from disruption by cyber attackers, the Federal Energy Regulatory Commission (FERC) has issued a final rule approving eight mandatory security standards that apply to all users, owners, and operators of the U.S. bulk power system.

Deemed “critical infrastructure protection” (CIP) standards, the documents are intended to protect against poor access control, software vulnerabilities, and other weaknesses in data-control systems.

Developed in 2006 by the North American Electric Reliability Corporation (NERC), a member and accredited standards developer of the American National Standards Institute (ANSI), the CIP standards underwent a lengthy review and comment process before their final approval on January 17, 2008.

The eight CIP reliability standards address the following topics:

  • Critical Cyber Asset Identification,
  • Security Management Controls,
  • Personnel and Training,
  • Electronic Security Perimeters,
  • Physical Security of Critical Cyber Assets,
  • Systems Security Management,
  • Incident Reporting and Response Planning, and
  • Recovery Plans for Critical Cyber Assets.

FERC chairman Joseph Kelliher called the final rule a milestone in “adopting the first mandatory and enforceable reliability standards that address cyber security concerns on the bulk power system in the United States.”

“The electric industry now can move on to the implementation of the standards in conjunction with improvement of these standards in order to increase the security and reliability of the bulk power system,” continued Kelliher.

Once the final rule takes effect in approximately 60 days, NERC will be tasked with any additional modifications to the documents. Violators face fines of up to $1 million per day, per incident.

Under the terms of the rule, NERC will also monitor the development and implementation of cyber security standards by the National Institute of Standards and Technology (NIST). Should any guidelines developed by NIST offer better protection of the bulk power system, NERC may consider adoption of the NIST standards.

For more information about the final rule, view the FERC press release.

ANSI Membership