NIST releases voluntary standards for reducing cyber risks to critical digital infrastructure

ISO-NE contributes to standards-development process

On February 12, 2014, the National Institute of Standards and Technology (NIST) released the final version of its voluntary cybersecurity standards, the Framework for Improving Critical Infrastructure Cybersecurity. ISO New England, in collaboration with the ISO/RTO Council, was an active participant in the year-long process of standards creation.

The NIST standards

NIST describes the standards as providing “a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs,” and as allowing owners/operators of critical digital infrastructure (including the electric power grid) “to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.” Visit the NIST Cybersecurity Framework page.

The creation of the standards was prompted by President Obama’s February 2013 executive order directing NIST and the U.S. Department of Homeland Security to work collaboratively with federal agencies and the private sector to recommend ways to secure the nation’s critical digital infrastructure. (See “President Obama touches on energy priorities in annual State of the Union address.”)

Contributions by the ISO and IRC

ISO New England, in collaboration with the ISO/RTO Council (IRC), submitted formal comments to the process in April 2013 and December 2013. In them, the IRC highlighted the Critical Infrastructure Protection (CIP) reliability standards designed by the North American Electric Reliability Corporation (NERC). These standards make the high-voltage electric system one of the few industries subject to mandatory and enforceable cybersecurity standards.

NERC’s CIP reliability standards have been mandatory and enforceable since 2008, when they were accepted by the Federal Energy Regulatory Commission. (Voluntary cybersecurity standards had been in place since 2003.) The CIP standards continue to be refined and enhanced through NERC’s iterative stakeholder process. Along with other industry standards and guidelines, NERC’s CIP reliability standards help form each ISO’s/RTO’s individual cybersecurity program.

Inside ISO New England