On October 2, 2017, the Federal Energy Regulatory Commission (the “Commission”) terminated its inquiry into the need for, and potential effects of, modifications to the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Reliability Standards (“CIP Standards”) regarding the cybersecurity of control centers used to monitor and control the bulk electric system. That inquiry, initiated, in part, in response to a 2015 cyberattack on Ukraine’s electric grid, sought industry and stakeholder feedback on whether the Commission should modify the CIP Standards to require (i) separation between the Internet and BES cyber systems in control centers performing transmission operator functions and (ii) “application whitelisting”—a computer administration practice used to prevent unauthorized programs from running—for such systems. After reviewing comments on its Notice of Inquiry (NOI), the Commission concluded that the risks and operational challenges that might result from requiring isolation or whitelisting do not outweigh the potential benefits.
As commenters highlighted in response to the NOI, current CIP Standards provide responsible entities with the operational flexibility to implement security measures that they deem necessary to comply with the CIP Standards.1 Prescriptive requirements, such as those proposed in the NOI, would reduce that flexibility, burdening responsible entities with additional costs and work required to properly implement the measures. The Commission agreed with commenters, deciding that the record “does not support requiring the use of isolation or whitelisting in the CIP Reliability Standards at this time.” Despite terminating the inquiry, however, the Commission encouraged “continued information sharing and dissemination of lessons learned among stakeholders” so that “responsible entities can better implement security controls, including, when appropriate, isolation and whitelisting,” to achieve the objectives of the CIP Standards. The Commission also noted that its “staff will engage with NERC, industry, and other stakeholders to look for opportunities to explore these strategies more thoroughly and encourage their use in appropriate circumstances, seeking ways to achieve their potential benefits while addressing possible risks.”