The American Public Power Association and several other trade groups are urging the Federal Energy Regulatory Commission to approve supply chain risk management reliability standards submitted by the North American Electric Reliability Corporation (NERC), as well as an 18-month implementation period for the standards, as opposed to an alternative 12-month period proposed by FERC.
Responding to a Commission Notice of Proposed Rulemaking, the Association and the trade groups also said the Commission should hold off on directing NERC to include Electronic Access Control and Monitoring Systems within the scope of the supply chain risk management reliability standards.
The Association was joined by the Electricity Consumers Resource Council, the Large Public Power Council, the National Rural Electric Cooperative Association and the Transmission Access Policy Study Group in submitting the comments to the Commission on March 26 in response to a FERC NOPR issued in January (Docket No. RM17-13).
Details of NOPR
In the NOPR, the Commission proposes to approve supply chain risk management reliability standards submitted by NERC in response to a directive in Commission Order No. 829.
While the Commission found that NERC’s proposed reliability standards “constitute substantial progress in addressing the supply chain cyber security risks identified in Order No. 829,” the NOPR also includes a proposed directive requiring NERC to develop modifications to the Critical Infrastructure Protection (CIP) reliability standards to include Electronic Access Control and Monitoring Systems associated with medium and high impact bulk electric system (BES) cyber systems within the scope of the supply chain risk management reliability standards.
FERC also proposed to direct NERC to evaluate the cyber security supply chain risks presented by physical access control systems and protected cyber assets in the study of cyber security supply chain risks that was requested by the NERC Board of Trustees.
Also, the Commission proposed a 12-month implementation period in lieu of the 18-month period proposed by NERC.
Groups support FERC approval of proposed standards
The Association and the other trade groups noted in their comments that they support Commission approval of NERC’s proposed supply chain risk management reliability standards. “The proposed standards fulfill Order No. 829’s directive and would mitigate supply chain cyber security risks to the BES while appropriately focusing on the systems and assets that are most critical to reliable operation of the BES,” the groups told FERC. Accordingly, while not opposing the NERC study of protected cyber assets and physical access control systems, the Association and the other trade groups do not believe that Electronic Access Control and Monitoring Systems should be required in the standards at this time.
Longer implementation period sought by groups
The Association and the other trade groups said that FERC should also reconsider its proposal to require a 12-month implementation period instead of the 18-month period proposed by NERC.
The trade groups “respectfully disagree with the Commission’s suggestion that the proposed reliability standards could be implemented in 12 months because they are ‘process based.’”
Implementing the new and revised standards will require new technology as well as process enhancements, the groups pointed out. “Complying with the requirements will also necessarily require a considerable amount of coordination with third-party vendors.”
A reasonable timeline for accomplishing these necessary tasks exceeds 12 months, they said, and therefore 18 months “is an appropriate amount of time for responsible entities to efficiently and effectively implement the new requirements.”
Electronic Access Control and Monitoring Systems
The Association and the other trade associations also argued that the Commission should reconsider its proposal to issue a directive requiring NERC to include Electronic Access Control and Monitoring Systems associated with medium and high impact BES cyber systems within the scope of the reliability standards.
They said the better course would be to adopt the suggestion in NERC’s NOPR comments to await the outcome of the NERC Board of Trustees-requested study that will evaluate whether supply chain risks related to Electronic Access Control and Monitoring Systems require further consideration for inclusion in a mandatory reliability standard.
Allowing the study process to be completed “would be a more efficient and effective way to promote meaningful mitigation of cyber security supply chain risks than an immediate, blanket requirement to include” Electronic Access Control and Monitoring Systems within the standards, the trade associations said.
The groups said that FERC’s concern about Electronic Access Control and Monitoring Systems appears to be based, to a large degree, on its understanding that Electronic Access Control and Monitoring Systems control electronic access, including interactive remote access, into the electronic security perimeter that protects high and medium impact BES cyber systems.
FERC suggests that once an Electronic Access Control and Monitoring System is compromised, the attacker may gain control of the BES cyber system or protected cyber assets, and, thus, Electronic Access Control and Monitoring Systems represent the most likely route an attacker would take to access a BES cyber system or protected cyber asset within an electronic security perimeter.
But the groups pointed out that the Electronic Access Control and Monitoring Systems currently in use by responsible entities comprise a variety of assets that perform diverse control or monitoring functions. Due to the diversity of Electronic Access Control and Monitoring Systems and their functions, their potential BES reliability risk may vary greatly, the groups said.
Study likely to offer more specific information and analysis
The groups said that the NERC Board of Trustees-requested study is likely to provide more specific information and analysis concerning whether any category of Electronic Access Control and Monitoring Systems might be appropriately included within the scope of the supply chain reliability standards.
To the extent that it may be reasonable to include certain Electronic Access Control and Monitoring Systems (or physical access control systems or protected cyber assets) within the scope of the supply chain reliability standards to address the concerns cited by the Commission, the results of the study will provide a more fully informed basis for that decision, the groups said.
“This approach, moreover, would be consistent with NERC’s risk-based approach to CIP standards. In contrast, a potentially unnecessary or overbroad blanket direction to include all EACMS [Electronic Access Control and Monitoring Systems], regardless of function or risk, within the scope of the reliability standards could have an adverse impact on cyber security by requiring responsible entities to devote compliance resources to assets that present no significant BES reliability threat,” the groups said in their comments.