FERC Order No. 918: Approval of CIP-003-11 Cyber Security – Security Management Controls for Critical Infrastructure
AI-generated summary for informational purposes only. Not legal advice. See the original source for the authoritative text.
The Federal Energy Regulatory Commission (FERC) has issued Order No. 918, approving the proposed Critical Infrastructure Protection Reliability Standard CIP-003-11, which focuses on Cyber Security–Security Management Controls. This standard was submitted by the North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization. The primary objective of CIP-003-11 is to mitigate risks posed by coordinated cyberattacks targeting low-impact bulk electric system (BES) facilities. While individual low-impact facilities may pose limited risk on their own, FERC and NERC recognize that a coordinated attack across multiple such facilities could have a significant aggregate impact on the reliability of the electric grid. This standard strengthens cybersecurity requirements for low-impact BES cyber systems by mandating enhanced security management controls. It represents an evolution from previous CIP-003 versions, extending more rigorous cyber protections to facilities previously subject to less stringent requirements, closing a gap that adversaries could exploit through simultaneous attacks on numerous smaller targets.
Key Changes
- FERC approves CIP-003-11 replacing previous CIP-003 versions, establishing updated cyber security management controls for the bulk electric system
- New requirements specifically target coordinated cyberattack risks on low-impact BES facilities, which were previously subject to minimal cybersecurity obligations
- Mandatory security management controls now extend to low-impact bulk electric system cyber assets, recognizing their aggregate vulnerability