NERC Submits Electronic Access Controls Study Report

On June 30, 2021, in Docket No. RM17-11-000, NERC submitted the CIP-003-8 Electronic Access Controls Study Report as directed by FERC Order No. 843. Order No. 843 directed NERC to develop modifications to CIP-003-7 (Cyber Security – Security Management Controls) to address mitigation of the risk of malicious code posed by third-party transient devices. The order also directed NERC to conduct a study of the implementation of electronic access controls at assets containing low impact BES Cyber Systems, concluding in a report filed at the Commission within 18 months of the effective date of CIP-003-7. For the first directive, NERC developed CIP-003-8, which was approved by the Commission on July 31, 2019. For the second directive, NERC and the Regional Entities (the ERO Enterprise) conducted a study of approximately 200 registered entities with assets containing low impact BES Cyber Systems regarding: (1) what electronic access controls entities chose to implement and under what circumstances at these assets; (2) whether the electronic access controls adopted by entities provide adequate security; and (3) other relevant information found by the ERO Enterprise as a result of the study. This filing includes the results of that study.

To view NERC’s report, click here.