- The North American Electric Reliability Corp. (NERC) will delay the implementation of seven reliability standards, including three cybersecurity Critical Infrastructure Protection (CIP) rules, due to the burdens of the electric sector's response to the COVID-19 pandemic.
- The Federal Energy Regulatory Commission on April 17 approved NERC's request to delay the standards by three to six months, citing "substantial impacts" of the virus on registered entities.
- The delayed CIP standards aim to increase security controls for vendors and include a supply chain risk assessment by utilities. Experts say the three-month delay for the cybersecurity rules is unlikely to leave the grid vulnerable, but the threat could grow if additional, lengthy delays are eventually granted.
New vendor rules for the utility sector were set to go into effect on July 1, but will now be on hold until October. Considering the standards have been years in the making, most utilities are either protected or are in the process of implementing them, according to Alex Santos, CEO of Fortress Information Security.
But still, "whenever you remove a deadline, you get a little risk," Santos told Utility Dive. "There's a saying: the deadline is the ultimate inspiration."
NERC petitioned federal regulators two weeks ago requesting the delay, pointing out that registered entities "would need to expend significant effort and resources in the coming months" in order to document compliance. Delaying some standards by up to six months was appropriate "in light of the significant uncertainties regarding the response to and recovery from the coronavirus outbreak," the reliability organization told FERC.
Along with the three-month delay for three cybersecurity CIP standards, regulators approved a six-month delay for four other requirements focused on bulk electric system personnel and protection control standards
"I don't think it's a big risk because every utility I've spoken to really hasn't changed their plan," Santos said. "They're still striving for security and compliance on July 1."
Utilities are already conducting assessments of their critical vendors to see what security controls are in place for companies and the electric grid, Santos said. New requirements include examining code for "backdoors" that could give hackers access to sensitive systems, and background checks on personnel.
Santos said the delay could wind up leading utilities to increase spending for cybersecurity efforts, as the compliance deadline now sits amid budget development that typically happens in the fall. Fortress works with about 30 utilities and the company "is busy doing a lot of assessments. ... We're as busy as we've ever been," he said.
Utilities have already had 15 months notice of the new requirements, Richard Henderson, head of global threat intelligence at security firm Lastline, told Utility Dive. Another three months is likely not significant, he said.
"I would hope that most organizations were quite a ways along their planning and preparation before COVID-19 threw a wrench into our whole world," Henderson said in an email. "Those organizations who are almost there — or better yet, done — won't feel much difference here. And for the few that have lagged behind, maybe this is the respite they need to start."
Protect Our Power, a non-profit advocating for grid security, had called for FERC to approve a shorter 30-day delay to the CIP standards but the group's executive director, Jim Cunningham, told Utility Dive the commission's decision "is not unexpected amid the upheaval and loss caused by the coronavirus."
"It remains imperative that cybersecurity vulnerabilities in the electric sector supply chain are eliminated as quickly and aggressively as possible," Cunningham said in an email.
"The added flexibility provided by a three-month delay will allow entities to recover from the impacts of COVID before implementing new controls and new supply chain processes, which may be significantly different from how an entity currently conducts its procurement," NERC Vice President and Director of Engineering and Standards Howard Gugel told Utility Dive.
While modest implementation delay of the new CIP standards is not considered a threat, Santos said going much further could have an impact.
"If the deadline gets extended to Jan. 1, I don't think it makes a big difference," Santos said. "Far beyond that, I think it starts to get 'out of sight, out of mind.'"
While COVID-19 has injected more risk into the utility sector, in part due to the prevalence of remote work, Santos said the industry is not alone. "It's a heightened risk environment for everybody," he said. "The economy as a whole is taking a little risk, because we're working out of our environment."