FERC Directs NERC to Tighten Bulk Electric System Cybersecurity

January 26, 2023

Reading Time : 5 min

By: Stephen J. Hug, Emily P. Mallen, Scott Daniel Johnson, Angelica Gonzalez (Paralegal)

These Reliability Standards will apply to all high impact BES Cyber Systems with and without external routable connectivity—i.e., a high-speed internet connection6—and medium impact BES Cyber Systems with external routable connectivity.7 FERC also directed NERC “to study the feasibility of implementing INSM at bulk electric cyber systems that would not be addressed by the new or modified standard[s],”8 which include low impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems without external routable connectivity.9

The Final Rule will become effective 60 days after publication in the Federal Register.10 NERC has 15 months to submit the new standards and 12 months to submit its study on low- and medium-impact systems.11

New Acting Chairman Willie L. Phillips commented that “[t]he nature of cyber security threats to our nation’s grid require constant monitoring and vigilance,” and FERC’s action represents “a major step to better secure the reliability of our nation’s bulk power system.”12 In a prior role, Chairman Phillips served as an Assistant General Counsel with NERC.

Overview

Under the current NERC CIP Reliability Standards, network security monitoring requirements focus on defending the electronic security perimeter—such as through access point controls and monitoring for malicious communications—rather than on potential vulnerabilities of the internal network.13 Adding INSM requirements is “designed to address as early as possible situations where perimeter network defenses are breached by detecting intrusions and malicious activity within a trust zone.”14It consists of: (1) collection; (2) detection; and (3) analysis.15 These three stages together “provide the benefit of early detection and alerting of intrusions and malicious activity.”16 Early detection and response can, in turn, “reduce[] the likelihood that an attacker can gain a strong foothold, including operational control, on the target system.”17 INSM can also enable “collection of data and analysis required to implement a defense strategy, improves an entity’s incident investigation capabilities, and increases the likelihood that an entity can better protect itself from a future cyberattack and address any security gaps the attacker was able to exploit.”18

While “NERC has flexibility in developing the content of INSM requirements, the new or modified CIP Reliability Standards must address [certain] specific concerns” FERC raised.19They must be “forward-looking, objective-based, and . . . address . . . three security objectives that pertain to INSM.”20 First, they “should address the need for responsible entities to develop baselines of their network traffic inside their CIP-networked environment.”21 Second, they “should address the need for responsible entities to monitor for and detect unauthorized activity, connections, devices, and software inside the CIP-networked environment.”22 Finally, they “should require responsible entities to identify anomalous activity to a high level of confidence by: (1) logging network traffic” (such as by packet capture); “(2) maintaining logs and other data collected regarding network traffic; and (3) implementing measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques, and procedures from compromised devices.”23

As to other BES Cyber Systems not covered by the new or revised Reliability Standards, FERC found that it is “premature” to require INSM for such systems, but also recognized “the importance of bolstering the cybersecurity of those systems,” noting that “extending INSM to [such] BES Cyber Systems . . . in the future could be necessary to protect the security and the reliability of the Bulk-Power System.”24

NERC Study Regarding Lower-Impact Systems

In NERC’s study of such BES Cyber Systems, FERC directed that NERC “should include . . . a determination of: (1) ongoing risk to the reliability and security of the Bulk-Power System posed by low and medium impact BES Cyber Systems that would not be subject to the new or modified Reliability Standards, including the number of low and medium impact BES Cyber Systems not required to comply with the new or modified standard; and (2) potential technological or other challenges involved in extending INSM to additional BES Cyber Systems, as well as possible alternative mitigating actions to address ongoing risks.”25 FERC may use this information to provide a basis “for further Commission action, as warranted, regarding INSM or alternatives.”26 NERC’s study is due within a year of the effective date of the Final Rule.27

Recommendations

Entities that own or operate high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity should, at a minimum, continue to monitor NERC’s Reliability Standards development process and consider participating in that process and/or the FERC proceeding in which NERC submits its proposed standards. Those entities with medium impact BES Cyber Systems without external routable connectivity or low impact BES Cyber Systems should review NERC’s study report for indications about what more, if anything, NERC or FERC might do going forward with respect to such systems. This remains a rapidly evolving area with the potential to create additional cybersecurity risk, compliance costs and liability for affected entities. Stay ahead by staying informed.


1Internal Network Sec. Monitoring for High & Medium Impact Bulk Elec. Sys. Cyber Sys., Order No. 887, 182 FERC ¶ 61,021 (2023) (“Final Rule”). See also FERC, News Release, FERC Strengthens Reliability Standards for Monitoring Electric Grid Cyber Systems (Jan. 19, 2023) (“FERC News Release”) (available here).

2Final Rule at P 20. See also id. at PP 39, 50.

3Id. at P 3. See also id. at PP 19, 80.

4 Id. at PP 15, 50.

5 Id. at P 15. See also id. at PP 3, 50.

6 “External routable connectivity” is the “ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.” Id. n.3 (quoting NERC, Glossary of Terms Used in NERC Reliability Standards (2022) (NERC Glossary), https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf).

7 Id. at P 1. NERC’s CIP Reliability Standards categorize BES Cyber Systems “as high, medium, or low impact depending on the functions of the assets housed within each system and the risk they potentially pose to the reliable operation of the Bulk-Power System.” Id. n.2. The designated impact level then “determines the applicability of security controls for BES Cyber Systems that are contained in the remaining CIP Reliability Standards (i.e., Reliability Standards CIP-003-8 to CIP-013-1)” as they currently exist. Id. In early 2022, FERC had proposed to direct NERC to address INSM for all high and medium impact BES Cyber Systems, but limited the requirement in the Final Rule in response to stakeholder comments. Id. at P 4 (citing Internal Network Sec. Monitoring for High & Medium Impact Bulk Elec. Sys. Cyber Sys., Notice of Proposed Rulemaking, 178 FERC ¶ 61,038 (2022)).

8 E.g., FERC News Release at 1.

9 Final Rule at PP 1, 88.

10Id. at P 104.

11 E.g., id., at PP 1, 6.

12 FERC News Release at 1.

13 See, e.g., Final Rule at PP 3, 14.

14 Id. at P 9.

15 Id.

16 Id.

17 Id. at P 13.

18 Id. at P 49.

19 Id. at P 5.

20 Id.

21 Id.

22Id.

23Id. (footnotes omitted). See also id. at P 77.

24 Id. at P 88.

25 Id. at P 7. See also id. at P 88.

26 Id. at P 7. See also id. at PP 31, 88.

27 E.g., id. at P 91.

Share This Insight

Previous Entries

Speaking Energy

August 15, 2025

On August 8, 2025, the Federal Energy Regulatory Commission (FERC) issued an enforcement order in Skye MS, LLC (Skye) and levied a $45,000 civil penalty on an intrastate pipeline operator in Mississippi, resolving an investigation into the operator’s violations of section 311 (Section 311) of the Natural Gas Policy Act (NGPA). FERC faulted the operator for providing a Section 311 transportation service without timely filing a Statement of Operating Conditions (SOC) and obtaining FERC’s approval for the transportation rates. Section 311 permits intrastate pipelines to transport interstate gas “on behalf of” interstate pipelines without becoming subject to FERC’s more extensive Natural Gas Act (NGA) jurisdiction, but requires the intrastate pipeline to have an SOC stating the rates and terms and conditions of service on file with FERC within 30 days of providing the interstate service. Under the NGPA, Section 311 rates must be “fair and equitable” and approved by FERC. In Skye, FERC stated that the operator began providing Section 311 service on certain pipeline segments in Mississippi in May 2023, following their acquisition from another Section 311 operator, but did not file an SOC with FERC until April 2025. The order ties the penalty to the approximately two-year delay between commencement of the Section 311 service and the SOC filing date. The pipeline operator was also ordered to provide an annual compliance report and to abide by additional verification requirements related to the filing of its FERC Form No. 549D, the Quarterly Transportation & Storage Report for Intrastate Natural Gas and Hinshaw Pipelines.

...

Read More

Speaking Energy

August 6, 2025

In Sierra Club v. FERC, No. 24-1199 (D.C. Cir. Aug. 1, 2025), the U.S. Court of Appeals for the District of Columbia Circuit (D.C. Circuit) upheld the Federal Energy Regulatory Commission’s (FERC) approval of a 1,000-foot natural gas pipeline segment crossing the United States-Mexico border (the Border Pipeline) under section 3 of the Natural Gas Act (NGA), rejecting environmental groups’ challenges that FERC improperly limited its analysis under both the NGA and the National Environmental Policy Act (NEPA), as related to a 155-mile intrastate “Connector Pipeline” constructed upstream of the Border Pipeline in Texas.

...

Read More

Speaking Energy

July 17, 2025

On July 15, 2025, the Federal Energy Regulatory Commission (FERC or Commission) issued an order1 proposing to eliminate the soft price cap of $1,000 per megawatt-hour (MWh) for bilateral spot sales in the Western Electricity Coordinating Council (WECC) that was implemented following the California energy crisis. If adopted, the Commission’s proposal would eliminate the requirement that sellers make a filing with FERC cost justifying spot market sales in excess of the soft price cap, which have become increasingly common in recent years as market conditions have continued to tighten throughout the West. Eliminating the WECC soft price cap would provide sellers that make sales during periods when prices exceed the cap greater certainty that their sales will not be second guessed after the fact.

...

Read More

Speaking Energy

June 25, 2025

On June 4–5, 2025, the Federal Energy Regulatory Commission (FERC or Commission) hosted a commissioner-led technical conference to discuss resource adequacy challenges facing regional transmission organizations and independent system operators (RTO). The conference is a response to the growing concern that multiple RTO regions across the country may not have sufficient supply available in the coming years to meet demand due to resource retirements, the pace of new generation entry and higher load growth arising from the construction of data centers and reindustrialization.

...

Read More

Speaking Energy

June 12, 2025

We are pleased to share the presentation slide deck and a recording of Akin’s recently presented webinar, “Navigating U.S. Policy Shifts in the Critical Minerals Sector.”

...

Read More

Speaking Energy

June 10, 2025

On June 4, 2025, the U.S. Department of Transportation’s (DOT) Pipeline and Hazardous Materials Safety Administration (PHMSA) announced revisions to its procedures for pipeline safety enforcement actions. The changes, outlined in two new policy memoranda from PHMSA’s Office of the Chief Counsel (PHC), aim to enhance due process protections for pipeline operators by clarifying how civil penalties are calculated and expanding the disclosure of agency records in enforcement proceedings.

...

Read More

Speaking Energy

May 22, 2025

On May 19, 2025, the Department of Energy (DOE) finalized its 2024 LNG Export Study: Energy, Economic and Environmental Assessment of U.S. LNG Exports (the 2024 Study) through the release of a Response to Comments on the 2024 Study. The Response to Comments concludes that the 2024 Study, as augmented through public comments submitted on or before March 20, 2025, supporting a finding that liquefied natural gas (LNG) exports serve the public interest. With the comment process complete, DOE will move forward with final orders on pending applications to export LNG to non-free trade agreement (non-FTA) countries.

...

Read More

Speaking Energy

May 20, 2025

On Thursday, May 15, the Senate Commerce, Science & Transportation Subcommittee on Surface Transportation, Freight, Pipelines and Safety held a hearing titled, “Pipeline Safety Reauthorization: Ensuring the Safe and Efficient Movement of American Energy.” The hearing examined legislative priorities for reauthorizing the Pipeline and Hazardous Materials Safety Administration (PHMSA).

...

Read More

© 2025 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.