Upcoming NERC Threshold Changes – Part Three of Three

How NERC’s Threshold Change Will Affect Critical Infrastructure Protection

The inverter-based resources (IBRs) that are now subject to NERC registration, meaning those connected to the bulk power system with an aggregate nameplate capacity of 20 MVA to 75 MVA interconnected at voltage levels of at least 60 kV, will face additional scrutiny. Specifically, they will be required to comply with NERC Critical Infrastructure Protection (CIP) standards. Depending on the age and makeup of your system, this can take time to achieve.

What Are NERC CIP Standards?

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) is a set of standards that regulate, monitor, manage, and enforce the security of the bulk electric system (BES) in North America. These standards relate specifically to the cybersecurity aspects of the BES by establishing a standard to secure the essential assets that can affect the reliable and efficient supply of electricity. 

The goal of NERC CIP standards is to ensure members have sufficient security controls in place to protect the BES and its users from various threats such as cyber-attacks, cyber-terrorism, and cyber-vandalism. Rules imposed by NERC CIP standards include the following.

  • NERC CIP-002 — Critical Cyber Asset Identification. This standard requires the identification and evaluation of all cyber assets that could potentially affect the continued operations of the business. 
  • NERC CIP-003 — Security Management Controls. This standard clarifies who is accountable for protecting the BES by delegating authority and outlining emergency guidelines.

Additionally, responsible entities are required to include the following sections in their cyber security plans for assets containing low-impact BES cyber systems.

  • Section 1 — Cyber Security Awareness. This section requires that responsible entities reinforce cyber security practices at least once every 15 months.
  • Section 2 — Physical Security Controls. This section requires that responsible entities control physical access to their assets or the location of their low-impact BES cyber systems within the asset, as well as their cyber assets that provide electronic access controls.
  • Section 3 — Electronic Access Controls. This section requires that responsible entities implement electronic access controls for specific scenarios, which are outlined in Attachment 1 of CIP-003-8 – Cyber Security — Security Management Controls.
  • Section 4 — Cybersecurity Incident Response. This section requires that responsible entities implement comprehensive and thorough cyber security incident response plans. Required inclusions are outlined in Attachment 1 of the above document.
  • Section 5 — Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation. This section requires that responsible entities implement plans to mitigate the risk of the introduction of malicious code to low-impact BES cyber systems through the use of transient cyber assets or removable media. Required inclusions are outlined in Attachment 1 of the above document.

How the NERC Threshold Change Will Affect CIP Compliance

The Federal Energy Regulatory Commission (FERC) issued an order on May 18, 2023, titled “Order Approving Registration Work Plan.” This new order creates an additional class of inverter-based resources (IBRs) that are subject to NERC registration. If you meet the definition of a GO-IBR, you will need to register with NERC within the next 36 months. You will also be required to comply with CIP standards. 

The first step for many GO-IBRs is to take stock of what equipment and systems they currently have in place. Are they up-to-date, and do they currently comply with CIP standards? Can they be updated as necessary? 

Some established systems may not even have a firewall or may no longer have access to their firewall protection. Others might run on legacy systems that will be difficult or even impossible to upgrade. That doesn’t mean you will need to fold up shop due to non-compliance, but you will need to start working on bringing your systems into NERC compliance as soon as possible. 

Reach Out to Radian Generation for Expert Assistance with NERC Registration and CIP Compliance

While you may know a great deal about operating your IBR, regulatory compliance and cybersecurity compliance may be something better left to the experts. The cost of getting it wrong can be significant, and there are better uses for your time and resources. 

Radian Generation is a trusted source for full NERC registration compliance and CIP implementation. Our NERC compliance experts can streamline and simplify this process, allowing you to focus on the big picture. Contact us today for more information about how we can help!