Today FERC approved the NERC/ERO CIP cyber security standards for the electric industry. This was the right decision to avoid derailing progress.

What is most impressive are the comments in the press release and final rule.

They directed modifications and improvements. This is the Version 1.0, and it will get better and more stringent. Basically NERC/NRO needs to modify the standard to address a lot of the requests in the NOPR and resubmit. They also dealt with the CIP v. NIST issue realistically to gain the benefits of NIST work while avoiding confusion and delay.

The final rule also directs NERC to monitor the development and implementation of cyber security standards by the National Institute of Standards and Technology (NIST) to “determine if they contain provisions that will protect the Bulk-Power System better than the CIP Reliability Standards,” FERC said. But FERC did not direct NERC to adopt the NIST standards because that could lead to possible delays in putting into place any mandatory and enforceable standards.

This became a political football, and it is comforting that a multi-year effort was not scrapped right when its benefits were being realized.