Security & Defense

FERC Order No. 918: Approval of CIP-003-11 Cyber Security – Security Management Controls for Critical Infrastructure

United States · Final Rule · High Impact

AI-generated summary for informational purposes only. Not legal advice. See the original source for the authoritative text.


The Federal Energy Regulatory Commission (FERC) has issued Order No. 918, approving the proposed Critical Infrastructure Protection Reliability Standard CIP-003-11, which focuses on Cyber Security–Security Management Controls. This standard was submitted by the North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization. The primary objective of CIP-003-11 is to mitigate risks posed by coordinated cyberattacks targeting low-impact bulk electric system (BES) facilities. While individual low-impact facilities may pose limited risk on their own, FERC and NERC recognize that a coordinated attack across multiple such facilities could have a significant aggregate impact on the reliability of the electric grid. This standard strengthens cybersecurity requirements for low-impact BES cyber systems by mandating enhanced security management controls. It represents an evolution from previous CIP-003 versions, extending more rigorous cyber protections to facilities previously subject to less stringent requirements, closing a gap that adversaries could exploit through simultaneous attacks on numerous smaller targets.


Key Changes

  • FERC approves CIP-003-11 replacing previous CIP-003 versions, establishing updated cyber security management controls for the bulk electric system
  • New requirements specifically target coordinated cyberattack risks on low-impact BES facilities, which were previously subject to minimal cybersecurity obligations
  • Mandatory security management controls now extend to low-impact bulk electric system cyber assets, recognizing their aggregate vulnerability


Obligations

What this law requires

  • Priority: high · Type: operational · Applies to: Operators of low-impact BES facilities
    Implement enhanced security management controls for low-impact bulk electric system (BES) cyber systems as specified in the CIP-003-11 standard.
  • Priority: high · Type: operational · Applies to: NERC-registered entities operating critical infrastructure
    Comply with the CIP-003-11 Cyber Security–Security Management Controls Reliability Standard requirements to mitigate risks from coordinated cyberattacks.
  • Priority: high · Type: operational · Applies to: Operators of low-impact BES facilities
    Maintain security management controls that address the aggregate impact risk of coordinated attacks across multiple low-impact facilities.

Affected Parties

  • Electric utility companies operating bulk electric system facilities
  • Operators of low-impact BES cyber systems and assets

Tags

cybersecurity, critical infrastructure, FERC