CIP Low Impact [2024]
As cyber threats continue to evolve, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) have expanded cybersecurity requirements for Low Impact Bulk Electric System (BES) assets. These updates are designed to address growing risks related to vendor remote access and supply chain vulnerabilities.
NERC has specifically warned that coordinated attacks through remote access represent a persistent and credible threat to the BES. To mitigate this risk, FERC approved CIP-003 version 9 on March 16, 2023, with enforcement beginning April 1, 2026. CIP-003-9 introduces supply chain risk management requirements for Low-Impact registered entities, aligning them more closely with controls already in place for Medium and High Impact assets since 2017.
Under CIP-003-9 R1.2.6 and Attachment 2, Section 6, entities with Low Impact BES Cyber Systems that allow vendor electronic remote access must implement documented processes to:
-
Identify when vendor remote access exists
-
Disable vendor remote access when necessary
-
Detect known or suspected malicious inbound and outbound communications