From: National Law Journal
Remand of Cyber Security Standard Interpretations
FERC issued two orders remanding interpretations rendered by NERC of two of its Reliability Standards concerning Cyber Security. In the first order, FERC dealt with a proposed interpretation of Reliability Standard CIP-006-4 concerning physical security for Critical Cyber Assets. Requirement 1.1 of CIP-006-4 requires a “six wall” border to enclose and protect a Critical Cyber Asset. Upon a request for interpretation as to whether this “six wall” border must encompass all external wiring to the physical security perimeter, NERC issued an interpretation that the standard only addressed protection of Cyber Assets and not wiring or communication mediums. FERC disagreed with that interpretation, noting that the definition of Cyber Asset includes “communication networks,” which necessarily includes wires or other communication mediums. FERC also noted that a previously issued and approved interpretation of CIP-006-2 R1.1 addressed external wiring and alternative methods to provide security equivalent to a six-wall boundary. Because of the flexibility in this prior interpretation, FERC rejected claims by NERC that an expansive reading of Requirement 1.1 to cover external wiring would be unduly costly for the industry.
In the second order, FERC rejected NERC’s proposed interpretation of CIP-002-4, R2. This requirement relates to identification of Critical Cyber Assets by looking at those Cyber Assets that are “essential to the operation of the Critical Asset.” This phrase has been at the heart of debates about whether transmission operator laptops which may be used to control system operations remotely (but which are not required to be used to control system operations) must be treated as Critical Cyber Assets. NERC interpreted that phrase as requiring a Critical Cyber Asset to be “inherent to” or “necessary for” the operation of the Critical Asset and not merely “valuable to.” FERC found this an unduly narrow reading of CIP-002-4, R2, and instead suggested that a Cyber Asset that is being used to operate a Critical Asset would be “essential” to that operation “during such usage.” FERC stated: “Even if the Critical Asset can function at times without human intervention, or such intervention can be done through alternative devices, the device used at any given time to exert such control is ‘inherent to or necessary for the operation of the Critical Asset.’”
Rehearing requests on either of these two remand orders would be due April 22, 2013.