The Federal Energy Regulatory Commission on Thursday proposed new mandatory cybersecurity controls to protect the utility system from the threat posed by laptops and other mobile devices that could spread malicious software.
The standards are meant to “further enhance the reliability and resilience of the nation’s bulk electric system” by preventing malware from infecting utility networks and bringing down the power grid, according to the nation’s grid regulator.
The standards were proposed at FERC’s public meeting amid increasing reports of a possible North Korean cyberattack using malware to target the U.S. power system.
The proposal includes “mandatory controls to address the risks posed by malware from transient electronic devices like laptop computers, thumb drives and other devices used at low-impact bulk electric system cyber systems,” the agency said after announcing the proposed controls at its public meeting.
Low-impact systems refer to a broad swath of smaller grid control centers, parts of the transmission grid such as substations, and even some types of generators and power plants. These facilities are typically deemed less critical to the electricity system than larger grid control centers and transmission hardware, but are nonetheless vulnerable to intrusion software.
The controls that FERC is proposing were drafted by the commission’s reliability organization, the North American Electric Reliability Corporation, or NERC.
NERC’s proposed reliability standard “is designed to mitigate the cybersecurity risks to bulk electric system facilities, systems, and equipment, which, if destroyed, degraded, or otherwise rendered unavailable as a result of a cybersecurity incident, would affect the reliable operation of the bulk electric system,” meaning the grid, according to the commission.
Compliance with the NERC standards is mandatory for the industry and enforceable with fines. Violation of some of NERC’s reliability standards can incur fines of up to $1 million per day, per violation.
The commission said it is proposing “to determine that proposed Reliability Standard CIP-003-7 is just, reasonable, not unduly discriminatory or preferential, and in the public interest.”
The commission also approved a separate plan to confront the threat to the grid from geomagnetic disturbances, which include solar flares that are proven to affect the function of the grid. It ordered NERC to issue a final research plan on how to study the threat within six months.
“The work plan identifies nine [geomagnetic]-related research areas and sets an estimated time frame for their completion,” it said. “Today’s order, among other things, provides NERC with guidance on how to prioritize the GMD research.”