The American Public Power Association and the Large Public Power Council recently filed comments at the Federal Energy Regulatory Commission on FERC’s proposed rule that preliminarily finds that existing North American Electric Reliability Corporation supply chain risk management reliability standards have gaps and may be insufficient to protect against the myriad of cyber supply chain threats.
NERC’s existing supply chain risk management reliability standards require registered entities to implement a cyber security risk management plan to identify and assess cyber security risks when planning for the procurement of medium- and high-impact BES cyber systems.
The risk management plan must include certain elements specified in the standard. Based on audits of the existing standard, FERC believes there are inconsistencies and gaps in the way utilities are implementing the existing standard.
FERC has therefore proposed to direct NERC to revise the existing supply chain standard to make four specific improvements:
- A requirement to establish steps in its supply chain risk management plan to validate the completeness and accuracy of information received from vendors during the procurement process. FERC proposes two potential methods for validating the information: (i) a self-attestation from the vendor addressing all of the risk questions posed by the responsible entity accompanied by any relevant documentation to support the vendors’ claims; or (ii) a certification of an assessment from a qualified auditor, assessor, or other reputable third party addressing all risk questions posed by the responsible entity.
- A requirement to use reasonably recent risk assessments and to periodically reassess risk;
- A requirement to document, track, and respond to identified risks; and
- A requirement to protect protected cyber assets from supply chain risk at the same level as other assets inside an electronic security perimeter.
FERC is not proposing at this time to expand the applicability of the standards to low-impact Bulk Electric System cyber systems.
If finalized, this rule would give NERC one year to develop and submit the modified standards.
APPA and LPPC urged FERC not to adopt the requirement that utilities validate the responses to security questionnaires from potential vendors.
They said that it would make more sense for NERC or the Department of Energy to develop supplier security protocols for vendors of equipment and software in certain circumstances, which would be more effective than a decentralized, utility-specific compliance requirement.
APPA and LPPC did not oppose the other aspects of FERC’s proposed improvements.