FERC approves supply chain-related reliability standards

The Federal Energy Regulatory Commission on Oct. 18 approved new mandatory reliability standards aimed at bolstering supply chain risk management protections for the nation’s bulk electric system.

FERC said the new standards will augment current Critical Infrastructure Protection (CIP) standards to mitigate cyber security risks associated with the supply chain for grid-related cyber systems.

The final rule, which was approved at the Commission’s monthly meeting, closely follows what FERC outlined in a Notice of Proposed Rulemaking issued in January 2018, the Commission said.

The North American Electric Reliability Corporation proposed the standards in response to FERC Order No. 829, which directed it to develop standards to address supply chain risk management for industrial control system hardware, software, and computing and networking services.

FERC noted that while the global supply chain provides opportunity for significant benefits to customers, it also presents opportunities to affect management or operations of generation or transmission companies that may result in risks to end-users.

In the final rule, FERC said NERC’s supply chain risk management reliability standards are forward-looking and objective-based, requiring each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software and services associated with bulk electric system operations.

The Commission also approved NERC’s request for an 18-month implementation period, saying it was justified because longer time-horizon capital budgets and planning cycles may be necessary for the technical upgrades to meet the Reliability Standards’ security objectives.

At the same time, FERC noted that a significant cyber security risk remains because the standards exclude Electronic Access Control and Monitoring Systems (EACMS).

EACMS include firewalls, authentication servers, security event monitoring systems, intrusion detection systems and alerting systems. They control electronic access into Electronic Security Perimeters and help protect high and medium impact bulk electric system (BES) cyber systems. Once an EACMS is compromised, an attacker could more easily control the BES cyber system or protected cyber asset.

To address that gap, FERC gave NERC 24 months to develop modifications that will include EACMS associated with medium and high impact BES cyber systems within the scope of the supply chain risk management reliability standards.

The final rule takes effect 60 days after publication in the Federal Register.

Association had urged FERC to OK supply chain reliability standards

The American Public Power Association and several other trade groups in March urged FERC to approve the supply chain risk management reliability standards submitted by NERC, as well as the 18-month implementation period for the standards, as opposed to the alternative 12-month period that had been proposed by FERC.

Responding to the Commission’s Notice of Proposed Rulemaking, the Association and the trade groups also said the Commission should hold off on directing NERC to include EACMS within the scope of the supply chain risk management reliability standards.

The Association was joined by the Electricity Consumers Resource Council, the Large Public Power Council, the National Rural Electric Cooperative Association and the Transmission Access Policy Study Group in submitting the comments to the Commission on March 26 in response to the FERC NOPR (Docket No. RM17-13).

Association report detailed cyber supply chain risk management best practices

A white paper released earlier this year by the American Public Power Association and NRECA detailed best practices for cyber-related supply chain risk management being used by small registered entity members with low-impact bulk electric system cyber systems.

The Association and NRECA said that supply chain risk management for small registered entities must be understood in the context of the overall risk-based approach of NERC’s CIP standards, which classify bulk electric system cyber systems as having low, medium, or high impact on the reliable operation of the BES. NERC’s requirements for protecting BES cyber systems are commensurate with those systems’ risk classification.

The trade groups said that consistent with that risk-based approach, and supported by the Association and NRECA, NERC’s supply chain standards “appropriately apply to medium and high impact BES cyber systems, which is intended to focus industry resources on protecting those systems that pose heightened risk, while not being overly burdensome or diverting resources toward protecting low-impact assets that have less risk to BES reliability.”

The standards address cybersecurity supply chain risks in a way that sets goals for registered entities, while allowing flexibility in how to achieve those goals, the white paper said.