Under Docket RM16-18-000, the Federal Energy Regulatory Commission (FERC) recently issued a Notice of Inquiry (NOI) on Cyber Systems in Control Centers to collect industry input on possible modifications for the Critical Infrastructure Protection (CIP) Reliability Standards focused on cybersecurity for Control Centers that monitor and control the nation’s Bulk Electric System (BES). The NOI was created in response to multiple industry triggers including the Foundation for Resilient Societies’ Order 822 rehiring request that FERC recently denied, the Dec. 2015 Ukrainian cyber attack, and FERC’s growing concern about the significant threat of Control Centers being the target of potential attacks on the U.S. Bulk Electric System (BES).

As part of the NOI, FERC is requesting comments from the industry to determine whether the CIP Reliability Standards should be modified to better secure Controls Centers from potential cyber attacks, with FERC providing two possible modifications to the Standards:

  • Disconnecting the Internet from BES Cyber Systems (BCS) that perform transmission operations within Control Centers
  • Using “application whitelisting” — computer technology that prevents unauthorized programs from operating — for Control Centers’ BCS

Although the NOI only indicates transmission Control Centers, it could possibly be extended to generation and distribution facilities as well as part of a final, or future, order.

Isolating Control Centers’ BCS from the Internet is one of the significant recommendations in response to the cyber attack on Ukraine’s electric grid in 2015. The attack highlight how vulnerable cyber systems that operate and maintain interconnected networks can be — unless properly protected. This valuable lesson on robust security practices is something Burns & McDonnell has supported and recommended for years and can be put into place at minimal cost. The need for Internet access on BCS has always been questioned, with ways to provide that similar using such methods as having secondary systems with Internet access on a separate network segment from the Control Center BCS.

The industry’s use of application whitelisting as an added layer of security protection has grown steadily over the years and is listed in the CIP-007-6 Requirement R3 “Malicious Code Prevention” as one of the options available for mitigating malicious cyber activity. The NOI hopes to address whether or not whitelisting should be made mandatory, and what impact that decision would have on the industry.

The NOI does not indicate if the protections would apply to high, medium, and/or low impact Control Centers, but the citations within the NOI on the Ukraine cyber attack indicate that FERC may be considering applying these controls to all Control Centers. While the Ukrainian grid is different than the U.S., the attack demonstrated an overarching ability for hackers to potentially compromise any Control Center and inflect damage to the facilities they control.

Judging by the catalysts that prompted the NOI, I expect FERC will issue a ruling to apply additional controls for Control Center cyber assets, and this is our opportunity as an industry to provide input on the ruling’s contents. Instructions for submitting comments can be found within the NOI, and will be accepted until Sept. 26. I encourage Registered Entities to submit their comments of support or concern on the listed protections, including any technical or operational reasoning details, to help FERC fully understand the impact of this decision.

Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.