The Federal Energy Regulatory Commission (FERC) has withdrawn its notice of inquiry and terminated the related rulemaking proceeding in Docket No. RM20-12-000. The notice of inquiry had requested public comment on whether the Critical Infrastructure Protection (CIP) Reliability Standards in place at the time sufficiently addressed cybersecurity risks related to data security, detection of anomalies and events, and mitigation of cybersecurity incidents. The withdrawal will become effective July 31.
In a Tuesday notice published in the Federal Register, the Commission also asked for input on the potential risks of a coordinated cyberattack on geographically distributed targets and whether Commission action, including possible changes to the CIP Reliability Standards, would be warranted to address such threats.
Back in June 2020, FERC issued a notice of inquiry in the proceeding, seeking comment on potential enhancements to the CIP Reliability Standards corresponding to certain aspects of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST Framework) and on the risk that a coordinated cyberattack poses to the security and reliability of the bulk-power system (BPS).
In the notice of inquiry, the Commission sought comment on whether the then-effective CIP Reliability Standards adequately addressed various topics, including cybersecurity risks pertaining to data security, detection of anomalies and events, and mitigation of cybersecurity events. Commission staff identified these topics after reviewing the NIST Framework and comparing its content to that of the CIP Reliability Standards.
The Commission also sought comment on the potential risk of a coordinated cyberattack on geographically distributed targets and whether Commission action, including potential modifications to the CIP Reliability Standards, would be appropriate to address such risk. In issuing the notice of inquiry, the Commission explained that as ‘new cyber threats continue to evolve, the Reliability Standards should keep pace to support a robust, defense-in-depth approach to electric grid cybersecurity.’
FERC received 24 comments in response to the questions posed in the notice of inquiry. Most commenters responded that the then-effective Reliability Standards, together with Reliability Standards pending implementation and Reliability Standards under development by the North American Electric Reliability Corporation (NERC) at that time, adequately addressed the NIST Framework categories identified in the notice of inquiry.
Other commenters acknowledged that the Reliability Standards may not address some aspects of the NIST Framework but asserted that the NIST Framework and CIP Reliability Standards serve fundamentally different purposes and, as a result, cautioned against an apples-to-apples comparison of the two regimes. Some commenters did identify potential areas for improvement.
Regarding coordinated cyberattacks, the comments identified Reliability Standards, NERC programs, and voluntary actions that the industry was taking to address the potential risk. Other commenters suggested that there should be additional protections for low-impact bulk electric system (BES) cyber systems.
Following the issuance of the notice of inquiry, FERC and NERC took multiple actions to address emerging issues and to improve the cybersecurity posture of the BES. For example, the Commission addressed control center communication by approving Reliability Standard CIP-012-1 in 2020 and directing NERC to develop modifications to the CIP Reliability Standards to require protections for the availability of communication links and of the data communicated between control centers, specifically the confidentiality and integrity of real-time assessment and real-time monitoring data. NERC developed responsive modifications, and FERC then approved the revised Standard last May.
FERC also took steps to improve the detection of anomalies and the detection and mitigation of cybersecurity events. Specifically, in January 2023, the Commission directed NERC to develop requirements for internal network security monitoring, which NERC submitted last June. Concurrently with this proceeding, FERC said it was approving Reliability Standard CIP-015-1 (Internal Network Security Monitoring) and directing further improvements to the Standard.
Regarding the potential risk of a coordinated cyberattack on geographically distributed targets, in March 2023 the Commission approved Reliability Standard CIP-003-9, which requires entities with BES facilities whose assets are designated low impact to have methods for determining and disabling vendor remote access. NERC also performed an in-depth analysis of the risk presented by low-impact cyber facilities and reported on whether the criteria for that designation should be modified to address coordinated cyberattacks.
Based on those findings, NERC revised Reliability Standard CIP-003 and, on December 20, 2024, NERC filed a proposed Reliability Standard CIP-003-11 (Security Management Controls) for Commission approval. The proposed Standard would, among other things, require entities to ‘mitigate the risks posed by a coordinated attack using distributed low impact bulk electric system Cyber Systems by adding controls to authenticate remote users; protecting the authentication information in transit; and detecting malicious communications to or between assets containing low impact BES Cyber Systems with external routable connectivity.’
Patrick Miller, president and CEO at Ampyx Cyber, wrote in a company blog post that “while the docket is withdrawn, the underlying concerns—data security, anomaly detection, and coordinated cyberattacks—are being addressed through recent standards like CIP-015-1 (INSM) and proposed updates to CIP-003.”
Miller added that FERC’s withdrawal of RM20-12-000 does not mean these concerns were unfounded, just that the regulatory mechanism to address them has evolved.
For the industry, he assesses, this means there will be no sweeping overhaul of the CIP standards; the regulatory strategy remains one of evolution rather than revolution. There will be continued pressure to strengthen security for low-impact assets, particularly where remote connectivity is involved. New obligations under CIP-015-1, covering internal network security monitoring, are now active, and registered entities must begin preparing for audits and implementing the required measures. Even without a direct mandate from RM20-12-000, the regulatory bar continues to rise for anomaly detection, supply chain risk, and network monitoring.
Miller noted that FERC’s closure of RM20-12-000 isn’t necessarily an indication that cybersecurity concerns have been dismissed; it’s the culmination of a deliberate, standards-centric strategy that’s now unfolding in real time. “In the backdrop, the current administration has been pushing a broader ‘deregulation’ agenda, adding a layer of complexity to the regulatory environment.”
“The regulatory landscape is at a crossroads, pulling between deregulatory momentum and mature cybersecurity expectations,” according to Miller. “The next few months will test whether standards like CIP-015-1, the virtualization updates, and CIP-003-11 can stand firm amid political shifts, or whether they’ll be recalibrated under the complex pressures and opposing forces of today’s landscape.”
Just last week, at its June meeting, FERC formally approved NERC Reliability Standard CIP-015-1, signalling a significant shift for the North American electric sector: the Standard mandates internal network security monitoring of industrial control systems (ICS) within the electronic security perimeter, moving beyond protection at the network edge. Within the year, it will also cover electronic access control and physical access control systems.