New Low Impact NERC CIP-003-9 Regulations: Vendor Supply Chain Security

By Patrick Miller

On March 16 2023, FERC issued a new Order approving NERC CIP-003-9 introducing new requirements for vendor electronic remote access security controls to low impact BES Cyber Systems. These new security controls are intended to allow detection and the ability to disable vendor remote access in the event of a known or suspected malicious communication.

Ampere hosed a webinar/webpanel featuring a former CIP regulator and three former asset owners, where they will discuss what is in scope, when it be applicable, how it will impact your utility, and what you should be doing.

Panelists

Show Links

FERC Order Approving Reliability Standard CIP-003-9 - Docket No. RD23-3-00

CIP-003-9 Reliability Standard, NERC

NERC Project 2020-03 Page for all documents related to the drafting and adoption process for CIP-003-09

  • All draft versions

  • Redlines to last posted/approved

  • Technical Rationale

  • VRF/VSL Justifications

  • Reliability Standard Audit Worksheet (RSAW)

  • Ballot results

Supply Chain Risk Assessment Report

Safety Sign Generator

Slides from this webinar/webpanel

Featured Posts

Featured
FERC Proposes New Standards for INSM: Internal Network Security Monitoring (CIP-015-1)
FERC Proposes New Standards for INSM: Internal Network Security Monitoring (CIP-015-1)

The Federal Energy Regulatory Commission (FERC) has issued a new Notice of Proposed Rulemaking (NOPR) under Docket No. RM24-7-000. This proposed rule seeks to approve NERC’s proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-015-1. The new standard focuses on Internal Network Security Monitoring (INSM) to detect and address cyber threats within the electronic security perimeter of the Bulk Electric System (BES).

Read More →
FERC’s New Proposed Rule on Supply Chain Risk Management (SCRM)
FERC’s New Proposed Rule on Supply Chain Risk Management (SCRM)

The Federal Energy Regulatory Commission (FERC) has released a new Notice of Proposed Rulemaking (NOPR) under Docket No. RM24-4-000, focusing on supply chain risk management (SCRM) for the Bulk-Power System (BPS). This proposed directive aims to fill critical gaps in existing NERC Critical Infrastructure Protection (CIP) standards and bolster the defenses of our nation’s critical infrastructure.

Read More →
FERC Staff Report Offers Lessons Learned from 2024 CIP Audits: What You Need to Know
FERC Staff Report Offers Lessons Learned from 2024 CIP Audits: What You Need to Know

In its 2024 CIP audit report, the Federal Energy Regulatory Commission (FERC) shared critical lessons learned from the latest round of reliability audits, revealing key areas where NERC-registered entities can strengthen their security posture. While many organizations successfully met compliance requirements, the report highlighted specific gaps in asset categorization, control center segmentation, and data protection that could pose significant operational risks.

Read More →
Proactive Cyber Defense: Recognizing Cyber Intrusions for Critical Infrastructure System Operators
Proactive Cyber Defense: Recognizing Cyber Intrusions for Critical Infrastructure System Operators

Leveraging Guidance from the Electric & Water Sectors and Broadening for all Critical Infrastructure. In an era marked by rapid digital transformation and increasing cyber threats, whether electric, water and wastewater systems, chemical, or any other of the critical infrastructure sectors, it is imperative for control system operators to be well-versed in recognizing and responding to cyber intrusions.

Read More →
Exploring the Evolving Landscape of ICS/OT Cybersecurity at RSAC 2024
Exploring the Evolving Landscape of ICS/OT Cybersecurity at RSAC 2024

The RSA Conference 2024 spotlighted the critical importance of ICS/OT cybersecurity, reflecting a significant increase in attention compared to previous years. Ampyx Cyber CEO, Patrick Miller noted the strong presence of AI-driven security tools on the vendor floor and highlighted the conference's rich agenda featuring discussions on the convergence of IT and OT. As digital transformation continues, the industry's commitment to enhancing ICS/OT cybersecurity is more evident than ever.

Read More →
NERC CIPPatrick MillerNERC CIP, CIP-003, Low Impact