On April 17, 2019, FERC issued a Notice of Proposed Rulemaking (“NOPR”) in which it proposed to approve, pending certain modifications, Critical Infrastructure Protection (“CIP”) Reliability Standard CIP-012-1 (“Proposed Reliability Standard”), as submitted by the North American Electric Reliability Corporation (“NERC”).  The Proposed Reliability Standard is designed to mitigate cybersecurity risks associated with communications between bulk electric system control centers.  While FERC found that the Proposed Reliability Standard largely met FERC’s directive set forth in Order No. 822, FERC stated that the Proposed Reliability Standard did not address all of its concerns, and thus proposed to direct NERC to modify the Proposed Reliability Standard.

On January 1, 2016, in Order No. 822, FERC approved seven CIP Reliability Standards and directed NERC to, among other things, develop modifications to the CIP Reliability Standards in order to mitigate cybersecurity risks associated with communications between bulk electric system control centers.  On September 18, 2018, NERC submitted the Proposed Reliability Standard, which would be a new, additional CIP Reliability Standard.

The Proposed Reliability Standard would require responsible entities to put forth plans to address confidentially and integrity risks as related to real-time assessment and monitoring data that is transmitted between control centers.  However, FERC found that the Proposed Reliability Standard did not require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers, as directed in Order No. 822.  FERC also determined that the Proposed Reliability Standard did not adequately identify the types of data covered by its requirements.  Thus, FERC proposed to direct NERC to modify the Proposed Reliability Standard to require that the plans developed by the responsible entities (1) include protections regarding the availability of communication links and data communicated between bulk electric system control centers and (2) identify the types of data that would be protected.

Comments on FERC’s NOPR are due June 24, 2019.  A copy of the order may be found here.